The Iranian state-aligned threat group MuddyWater, also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST, has launched a new cyber espionage campaign against organizations and individuals across the Middle East and North Africa (MENA) region. The operation, named Operation Olalampo, shows the group's continued evolution in malware development and operational tactics.
According to findings published by Group-IB, the campaign was first identified on January 26, 2026. The activity led to the deployment of several newly observed malware families that share technical similarities with tools previously attributed to the group.
Phishing-Driven Initial Access Strategy
The attack chain follows patterns previously associated with MuddyWater. Victims receive a phishing email carrying a malicious Microsoft Office attachment. When the document is opened, it prompts the user to enable macros; the macro then decodes an embedded, obfuscated payload and executes it, giving the attackers remote control of the compromised system.
One infection scenario uses a weaponized Microsoft Excel file to deploy a Rust-based backdoor called CHAR. Another delivers GhostFetch, which later installs a secondary implant known as GhostBackDoor.
In a separate set of lures, the attackers used flight-booking and corporate-report themes rather than impersonating energy and marine services firms. These lures distributed the HTTP_VIP downloader, which ultimately installed the remote desktop application AnyDesk for persistent remote access.
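The "enable macros, decode, execute" chain described above is what a first-pass triage of an attachment's VBA looks for: an auto-execution entry point, a string-rebuilding step, and a hand-off to a scripting host. The following is an added example, not Group-IB's analysis tooling and not code from the campaign. It runs a small regex-based scorer over a constructed macro that has that shape and over a constructed benign macro; the sample macros, the indicator weights and the score threshold are assumptions for illustration. In practice you would extract the VBA with oletools' olevba and feed its output in.

```python
"""Heuristic triage of a VBA macro extracted from an Office attachment.

Added example: not Group-IB's tooling and not code from the campaign. The
macros, indicator weights and threshold below are assumptions for illustration.
"""
import re

# Constructed sample in the shape the article describes: runs on open, rebuilds a
# command from Chr() bytes and reversed sheet data, then hands it to WScript.Shell.
# Hypothetical, not a sample from the campaign.
SAMPLE_VBA = r'''
Sub Workbook_Open()
    Dim s As String
    s = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    s = s & " -nop -w hidden -enc " & StrReverse(Sheets("Sheet1").Range("A1").Value)
    Set o = CreateObject("WScript.Shell")
    o.Run s, 0, False
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_VBA = r'''
Sub FormatReport()
    With ActiveSheet.Range("A1:D20")
        .Font.Bold = True
    End With
End Sub
'''

# name -> (regex, weight). Weights are assumptions; tune them on your own corpus.
INDICATORS = {
    # Entry points that fire as soon as content is enabled.
    "autoexec": (r"\b(Auto_?Open|AutoExec|Document_Open|Workbook_Open)\b", 3),
    # COM objects that reach the OS, the network or the file system.
    "scripting_host": (r'CreateObject\s*\(\s*"(WScript\.Shell|Shell\.Application|MSXML2\.XMLHTTP|ADODB\.Stream)"', 3),
    # Process launch.
    "exec": (r"\bShell\s*\(|\.Run\b|\.Exec\b", 3),
    # String-rebuilding primitives used to hide the real command.
    "decode": (r"\b(StrReverse|Xor|Chr[WB]?|Replace|Split)\s*\(", 1),
    # PowerShell switches that typically accompany a hidden, encoded launch.
    "powershell_flags": (r"-(nop|enc|w\s+hidden|EncodedCommand)\b", 2),
}


def triage_macro(vba: str) -> dict:
    """Return matched indicators, an additive score and a verdict for one macro."""
    result = {"indicators": {}, "score": 0}
    for name, (pattern, weight) in INDICATORS.items():
        n = len(re.findall(pattern, vba, flags=re.IGNORECASE))
        if n:
            result["indicators"][name] = n
            result["score"] += weight
    # A long Chr() chain means the payload is assembled byte by byte so that no
    # readable string survives in the document.
    chain = len(re.findall(r"Chr[WB]?\s*\(\s*\d+\s*\)", vba, flags=re.IGNORECASE))
    if chain >= 8:
        result["indicators"]["chr_chain"] = chain
        result["score"] += 2
    # Threshold is an assumption: an auto-exec entry point plus any execution
    # primitive is enough to trip it.
    result["verdict"] = "suspicious" if result["score"] >= 6 else "low"
    return result


if __name__ == "__main__":
    for label, macro in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(label, triage_macro(macro))
```

The scorer is a triage aid, not a verdict engine: a macro that pulls its command from a cell or document property (as the constructed sample does with StrReverse over cell A1) keeps most of the payload out of the VBA stream, so the decode and exec indicators matter more than the raw string content.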
Breakdown of the Malware Arsenal
The operation involves four primary components, each serving a specific function in the attack lifecycle.
GhostFetch
GhostFetch operates as a first-stage downloader. Before fetching anything, it performs extensive reconnaissance and sandbox checks, including:
- Profiling hardware and environment details
- Monitoring mouse activity and screen resolution
- Detecting debugging tools and virtual machine artifacts
- Checking for antivirus software
Only after these checks pass does it retrieve additional payloads and execute them directly in memory, avoiding writes to disk and reducing the chance of detection.
GhostBackDoor
Delivered by GhostFetch, this second-stage backdoor enables:
- Interactive shell access
- File read and write capabilities
- Re-execution of GhostFetch
This layered deployment approach strengthens persistence and flexibility within infected networks.
HTTP_VIP
HTTP_VIP functions as a native downloader that performs system reconnaissance and then contacts an external server, codefusiontech[.]org, to authenticate. Once validated, it downloads AnyDesk from the command-and-control infrastructure and deploys it.
A newer variant enhances its capabilities by allowing attackers to:
- Collect victim system data
- Execute interactive shell commands
- Upload and download files
- Capture clipboard data
- Modify beaconing intervals
CHAR Rust Backdoor
CHAR is a Rust-based backdoor controlled through a Telegram bot identified as "stager_51_bot," associated with the name "Olalampo." The malware supports directory manipulation and execution of cmd.exe or PowerShell commands.

The embedded PowerShell instructions can launch a SOCKS5 reverse proxy or deploy another backdoor called Kalim. Additionally, it can exfiltrate browser stored data and execute unknown binaries labeled sh.exe and gshdoc_release_X64_GUI.exe.
Signs of AI-Assisted Malware Development
Group-IB's examination of CHAR's code revealed unusual debug strings containing emojis, which the researchers read as a sign that generative AI tools may have been used during development.
These findings align with earlier disclosures by Google, which indicated that MuddyWater has experimented with AI-driven tooling to streamline custom malware creation, particularly for file transfer and remote execution functions.
Interestingly, CHAR shares structural and development similarities with the Rust based malware BlackBeard, also known as Archer RAT or RUSTRIC. That malware family was previously identified by CloudSEK and Seqrite Labs in campaigns targeting Middle Eastern entities.
Exploitation of Public-Facing Vulnerabilities
Beyond phishing, MuddyWater has also exploited newly disclosed vulnerabilities in publicly exposed servers to gain initial access. This dual strategy, combining social engineering with vulnerability exploitation, increases the group's chances of success across enterprise environments.
Strategic Implications for the MENA Region
Group-IB concludes that MuddyWater remains a persistent and active threat actor within the META region (Middle East, Turkey, and Africa). Operation Olalampo primarily focuses on organizations across MENA, reinforcing the group's geopolitical targeting priorities.
The continued integration of AI-assisted development, expansion of custom malware families, and diversification of command-and-control infrastructure demonstrate a sustained commitment to operational growth.
Organizations operating within the region are advised to strengthen phishing detection, disable unnecessary macro execution, monitor outbound command-and-control traffic, and apply timely security patches to public-facing assets.
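The HTTP_VIP description above and the closing advice to monitor outbound command-and-control traffic point at the same two network signals: a recurring request to a fixed host at a roughly fixed interval, and an AnyDesk binary arriving from somewhere other than the vendor. The following is an added example, not Group-IB's tooling, that runs both checks over a constructed proxy log. The defanged domain codefusiontech[.]org is the only indicator taken from the report; the log format, the vendor host list, the hypothetical staging host cdn-sync.example.net, the sample IP addresses and the thresholds are assumptions.

```python
"""Hunt for HTTP_VIP-style beaconing and off-vendor AnyDesk downloads in proxy logs.

Added example, not Group-IB's tooling. The log lines are constructed; the only
indicator taken from the report is the defanged C2 domain codefusiontech[.]org.
The log format, the vendor host list and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, median, pstdev

# Indicator from the report, kept defanged; refanged only at match time.
C2_DOMAINS = {"codefusiontech[.]org"}

# Hosts from which an AnyDesk binary is expected to be fetched (assumption).
ANYDESK_VENDOR_HOSTS = {"anydesk.com", "download.anydesk.com"}


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


def parse_line(line: str) -> dict:
    """Constructed format: <ISO-8601 UTC> <src_ip> <method> <host> <path> <status>."""
    ts, src, method, host, path, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "method": method, "host": host.lower(),
        "path": path, "status": int(status),
    }


def beacon_score(timestamps, min_events: int = 5, max_cv: float = 0.15):
    """Return (median_gap_seconds, cv) when the series is near-periodic, else None.

    cv = stddev / mean of the inter-request gaps. A small value means a fixed
    sleep with light jitter, which is what a configurable beacon interval looks
    like on the wire; human browsing produces a large value.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    cv = pstdev(gaps) / mu
    return (median(gaps), cv) if cv <= max_cv else None


def hunt(lines) -> dict:
    """Return C2 hits, off-vendor AnyDesk downloads and periodic (src, host) pairs."""
    c2 = {refang(d) for d in C2_DOMAINS}
    report = {"c2_ioc": set(), "anydesk_offvendor": [], "beacon": []}
    by_pair = defaultdict(list)
    for e in (parse_line(l) for l in lines):
        by_pair[(e["src"], e["host"])].append(e["ts"])
        if e["host"] in c2:
            report["c2_ioc"].add((e["src"], e["host"]))
        # HTTP_VIP fetches AnyDesk from its own infrastructure, not from the vendor.
        if "anydesk" in e["path"].lower() and e["host"] not in ANYDESK_VENDOR_HOSTS:
            report["anydesk_offvendor"].append((e["src"], e["host"], e["path"]))
    for (src, host), ts in sorted(by_pair.items()):
        hit = beacon_score(ts)
        if hit:
            report["beacon"].append((src, host, round(hit[0]), round(hit[1], 3)))
    return report


def build_sample_log() -> list:
    """Constructed proxy log: a jittered 60 s beacon to the reported C2, an exact
    300 s beacon to a hypothetical staging host that also serves AnyDesk, and one
    host browsing at irregular intervals (hypothetical addresses and hosts)."""
    base = datetime(2026, 1, 27, 8, 0, 0, tzinfo=timezone.utc)

    def line(offset, src, method, host, path):
        t = (base + timedelta(seconds=offset)).isoformat().replace("+00:00", "Z")
        return f"{t} {src} {method} {host} {path} 200"

    lines = []
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 2]):
        lines.append(line(60 * i + jitter, "10.0.0.5", "POST", "codefusiontech.org", "/auth"))
    for i in range(6):
        lines.append(line(300 * i, "10.0.0.9", "GET", "cdn-sync.example.net", "/ping"))
    lines.append(line(1800, "10.0.0.9", "GET", "cdn-sync.example.net", "/files/AnyDesk.exe"))
    for offset in (0, 17, 140, 145, 900):
        lines.append(line(offset, "10.0.0.12", "GET", "www.example.com", "/news"))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG).items():
        print(key, value)
```

The periodicity check is deliberately tolerant of jitter (cv at or below 0.15), and it flags the hypothetical staging host without any indicator for it, which is the point: the domain list catches what has already been reported, the interval check catches the next one. Because the newer HTTP_VIP variant can change its beaconing interval on command, run the check over sliding windows rather than a whole day, and treat an interval change on an already-flagged pair as a finding in its own right.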