HOPPINGANT

HOPPINGANT is a Windows Script Host JavaScript loader used in the Operation CamelClone espionage campaign. Seqrite reported it as Stage 3 of the infection chain, following spear-phishing emails that delivered malicious ZIP archives disguised as official correspondence and containing LNK files plus decoy images. When the victim opened the LNK, a hidden PowerShell command downloaded the next stage from filebulldogs[.]com; HOPPINGANT then executed two Base64-encoded PowerShell commands to continue the intrusion. The first-stage script downloaded and executed a JavaScript file named f.js, retrieved a null-padded decoy PDF to distract the victim, and downloaded a ZIP archive named a.zip containing a portable copy of Rclone v1.70.3. In this campaign, the attackers abused the legitimate Rclone tool for exfiltration and used public file-sharing and MEGA cloud storage rather than dedicated command-and-control servers. The malware decoded a stored password using an XOR routine with key value 56, used the decoded credential to authenticate to a MEGA account registered with an anonymous onionmail.org email address, searched the victim Desktop for .doc, .docx, .pdf, and .txt files, and uploaded them to attacker-controlled MEGA storage. It also targeted Telegram Desktop session data in the tdata directory, potentially exposing private conversations. The campaign targeted government, defense, and diplomatic entities in Algeria, Mongolia, Ukraine, and Kuwait, and Seqrite assessed the operation as intelligence-driven rather than financially motivated.