The Iranian hacking group MuddyWater, also known by aliases such as Earth Vetala, Mango Sandstorm, and MUDDYCOAST, has launched a new campaign named Operation Olalampo, targeting organizations and individuals primarily in the Middle East and North Africa (MENA) region. This operation, first detected on January 26, 2026, showcases the deployment of novel malware families that exhibit overlaps with previously identified tools used by the threat actor. The findings, detailed in a report by Group-IB, shed light on sophisticated cyber attack techniques and the growing use of artificial intelligence in malicious operations.
According to Group-IB’s analysis, the initial entry point for these attacks typically involves a phishing email containing a Microsoft Office document. When a user enables macros within this document, it decodes an embedded malicious payload, which is then executed on the system. This grants the attackers remote control, enabling them to infiltrate networks and exfiltrate sensitive data. The observed attack chains demonstrate a progression of payloads, from initial downloaders to more advanced backdoors, underscoring the group’s evolving capabilities.
MuddyWater’s Operation Olalampo: New Malware and AI Integration
Operation Olalampo utilizes several new malware families, some of which overlap with previously documented MuddyWater tools. These include downloaders like GhostFetch and HTTP_VIP, alongside a Rust-based backdoor named CHAR, and an advanced implant dubbed GhostBackDoor, which is delivered by GhostFetch. These tools are designed to execute various malicious functions, from system profiling to remote control and data theft.
One specific attack vector involves a malicious Microsoft Excel document. Users are tricked into enabling macros, which then drops the CHAR backdoor onto the compromised system. In a related variant, the same attack chain leads to the deployment of the GhostFetch downloader. This downloader, in turn, fetches the GhostBackDoor implant, providing attackers with deeper access and control.
Another observed attack chain employs lures themed around flight tickets and reports. This method is used to distribute the HTTP_VIP downloader. Upon successful execution, HTTP_VIP connects to an external server and deploys the AnyDesk remote desktop software, a tactic that allows for direct remote access to the victim’s machine. Newer variants of HTTP_VIP have also been observed to collect victim information and receive instructions for actions such as starting an interactive shell, downloading or uploading files, capturing clipboard contents, and modifying the malware’s communication intervals.
Key Malware Components and Their Functions
A closer examination of the malware families deployed during Operation Olalampo reveals their specific roles in the attack chain:
- GhostFetch: This initial downloader meticulously profiles the infected system by checking for debugging tools, virtual machine artifacts, and antivirus software. It also validates user activity like mouse movements and screen resolution before fetching and executing secondary payloads directly in the system’s memory.
- GhostBackDoor: Delivered by GhostFetch, this second-stage backdoor provides interactive shell access, allows for file operations (read/write), and can re-execute GhostFetch itself, maintaining persistence and expanding the attacker’s capabilities.
- HTTP_VIP: This native downloader performs system reconnaissance and communicates with a command-and-control (C2) server located at “codefusiontech[.]org”. Its primary function is to deploy AnyDesk, but enhanced versions can retrieve victim details and execute various commands, including remote file management and clipboard monitoring.
- CHAR: A Rust-based backdoor controlled via a Telegram bot. This bot, identified with the first name “Olalampo” and username “stager_51_bot,” enables attackers to change directories and execute commands through cmd.exe or PowerShell.
The PowerShell commands executed by CHAR are reported to establish a SOCKS5 reverse proxy or deploy another backdoor named Kalim, facilitate the exfiltration of stolen web browser data, and run unknown executables. This multi-stage approach highlights MuddyWater’s strategic planning in compromising targets.
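The behaviours listed above (a macro-enabled Office document spawning cmd.exe or PowerShell, HTTP_VIP resolving its C2 domain and deploying AnyDesk, and CHAR reaching a Telegram bot) translate directly into detection rules. The following is an added example, not code from the Group-IB report: a small Python pass over constructed endpoint telemetry. The event records, host names and process names (http_vip.exe, char.exe) are constructed, and api.telegram.org is assumed as the network indicator for a Telegram-bot C2; only codefusiontech[.]org comes from the report.

```python
"""Toy detection pass over constructed endpoint telemetry for the
Operation Olalampo behaviours described above (added example)."""
from typing import Dict, List

# Constructed sample events (not real telemetry). Fields mimic a
# generic EDR export with process-creation and DNS-lookup records.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "host": "ws01", "parent": "excel.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c powershell -enc <blob>"},
    {"type": "process", "host": "ws01", "parent": "explorer.exe",
     "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"type": "dns", "host": "ws02", "image": "svchost.exe",
     "query": "codefusiontech.org"},
    {"type": "dns", "host": "ws03", "image": "char.exe",
     "query": "api.telegram.org"},
    {"type": "dns", "host": "ws04", "image": "chrome.exe",
     "query": "api.telegram.org"},
    {"type": "process", "host": "ws02", "parent": "http_vip.exe",
     "image": "anydesk.exe", "cmdline": "anydesk.exe --install"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
# Defanged C2 domain from the report, refanged for matching.
HTTP_VIP_C2 = "codefusiontech[.]org".replace("[.]", ".")
TELEGRAM_API = "api.telegram.org"  # assumed indicator for a Telegram-bot C2

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the rule names an event matches (empty list if benign)."""
    hits = []
    if ev["type"] == "process":
        parent, image = ev["parent"].lower(), ev["image"].lower()
        if parent in OFFICE_APPS and image in SHELLS:
            hits.append("office_macro_spawns_shell")
        if image == "anydesk.exe" and parent not in {"explorer.exe", "msiexec.exe"}:
            hits.append("anydesk_from_unexpected_parent")
    elif ev["type"] == "dns":
        q = ev["query"].lower().rstrip(".")
        if q == HTTP_VIP_C2 or q.endswith("." + HTTP_VIP_C2):
            hits.append("http_vip_c2_domain")
        if q == TELEGRAM_API and ev["image"].lower() not in BROWSERS:
            hits.append("telegram_bot_api_from_non_browser")
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each host to the sorted list of rules it triggered."""
    alerts: Dict[str, set] = {}
    for ev in events:
        for rule in classify(ev):
            alerts.setdefault(ev["host"], set()).add(rule)
    return {h: sorted(r) for h, r in alerts.items()}

if __name__ == "__main__":
    for host, rules in scan(EVENTS).items():
        print(host, rules)
```

The Telegram rule is deliberately scoped to non-browser processes so that a user's legitimate Telegram client or browser does not page the SOC.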
Notably, analysis of CHAR’s source code has revealed indications of artificial intelligence-assisted development, such as the presence of emojis within debug strings. This finding aligns with previous reports suggesting that the threat actor has been experimenting with generative AI tools to aid in the development of custom malware for file transfer and remote execution capabilities. Additionally, CHAR shares structural similarities and a development environment with BlackBeard, another Rust-based malware previously linked to MuddyWater’s targeting of Middle Eastern entities.
MuddyWater has also been observed exploiting recently disclosed vulnerabilities on publicly accessible servers to gain initial access to target networks. This method allows them to bypass some traditional perimeter defenses and broaden their reach. The group’s continued reliance on both novel exploit techniques and custom tooling, coupled with a diversified C2 infrastructure, suggests a robust and adaptable threat actor.
Group-IB concludes that the MuddyWater APT group remains a significant threat in the META (Middle East, Turkey, and Africa) region, with Operation Olalampo specifically focusing on organizations within the MENA area. The group’s increasing adoption of AI technologies, alongside the continuous development of custom malware and tooling, points to a determined effort to broaden the scope and sophistication of their cyber operations. The cybersecurity community will be watching for further evolution of their techniques and the potential impact of AI-driven development on future threat landscapes.