Hackers are hiding in plain sight — and your government’s secrets are already gone


A new cyber espionage operation is exploiting everyday tools to steal state secrets across four countries.

Indian cybersecurity firm Seqrite has exposed Operation CamelClone. This sophisticated, multi-region espionage campaign has been silently targeting government, defense, diplomatic, and strategic energy organizations across Algeria, Mongolia, Ukraine, and Kuwait.

The invisible attack: how it works

The campaign begins deceptively simply: a ZIP file arrives via email, impersonating real ministries or armed forces. Lures include documents titled “Weapons requirements for the Kuwait Air Force” or “Algerian-Ukrainian cooperation proposals.” A single click on a disguised Windows shortcut file sets off a chain reaction.

Hidden PowerShell commands download a JavaScript loader called HOPPINGANT from a public file-sharing site. This then deploys Rclone — a legitimate file-sync tool — quietly renamed and weaponized to harvest sensitive documents and upload them to attacker-controlled MEGA cloud storage accounts, leaving virtually no trace in standard network logs.
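For defenders, the renamed-Rclone step described above can be hunted in process-creation telemetry. The following is an added example, not code from Seqrite or from the original article. It assumes events shaped like Sysmon Event ID 1 (Image, CommandLine, OriginalFileName) and that Rclone's embedded PE OriginalFileName is rclone.exe; every sample event and file name is constructed.

```python
import re
from pathlib import PureWindowsPath

# Real Rclone transfer subcommands and flags; tune the lists for your environment.
SUBCOMMANDS = {"copy", "sync", "move"}
FLAGS = ("--config", "--transfers", "--include", "--max-age", "--max-size")
# "remote:path" argument; 2+ chars skips drive letters, (?!//) skips URLs.
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_\-]{2,}:(?!//)")

def score_event(event):
    """Return the reasons a process-creation event looks like renamed Rclone."""
    reasons = []
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    original = event.get("OriginalFileName", "").lower()
    args = event.get("CommandLine", "").split()[1:]
    lowered = [a.lower() for a in args]
    # Check 1: PE metadata says rclone.exe but the file on disk has another name.
    if original == "rclone.exe" and image != "rclone.exe":
        reasons.append("OriginalFileName is rclone.exe but image is " + image)
    # Check 2: metadata may be stripped, so also match the argument shape.
    has_sub = any(a in SUBCOMMANDS for a in lowered)
    has_flag = any(a.split("=")[0] in FLAGS for a in lowered)
    has_remote = any(REMOTE_ARG.match(a) for a in args)
    if image != "rclone.exe" and has_sub and has_flag and has_remote:
        reasons.append("rclone-style transfer arguments under another name")
    return reasons

def find_renamed_rclone(events):
    """Map image path -> reasons for every event that matched a check."""
    return {e["Image"]: r for e in events if (r := score_event(e))}

# Constructed sample events (hypothetical paths and remote names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\svchelper.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchelper.exe copy C:\Users\a\Documents remote1:docs "
                    r"--config C:\Users\Public\c.conf --include *.pdf"},
    {"Image": r"C:\Windows\System32\robocopy.exe", "OriginalFileName": "robocopy.exe",
     "CommandLine": r"robocopy.exe C:\src D:\dst /E"},
    {"Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe sync D:\backup backup:nightly --transfers 4"},
    {"Image": r"C:\ProgramData\upd.exe", "OriginalFileName": "",
     "CommandLine": r"upd.exe copy C:\Users\a\Desktop stor:files "
                    r"--config C:\ProgramData\u.conf"},
]

if __name__ == "__main__":
    for image, reasons in find_renamed_rclone(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The third sample event, Rclone running under its own name, is deliberately not flagged; where Rclone is not a sanctioned tool, any execution of it is worth a separate alert.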

Why is this attack especially alarming?

What makes Operation CamelClone particularly dangerous is its near-complete reliance on legitimate tools — PowerShell, Rclone, and MEGA — allowing it to slip past conventional security systems undetected. Stolen files include procurement plans, policy drafts, and even Telegram session data.

Seqrite’s India Cyber Threat Report 2026, drawn from over 8 million endpoints, recorded a staggering 265.52 million detections between October 2024 and September 2025, averaging 505 threats every minute.

Legal and regulatory fallout

For Indian institutions, the breach carries serious implications under the Digital Personal Data Protection (DPDP) Act, 2023, with penalties of up to ₹250 crore for failures in safeguarding personal data.

Seqrite states its enterprise portfolio — including AI-powered threat intelligence and data privacy tools — is fully equipped to detect and counter campaigns of this nature.
