The Iranian hacking group often known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has focused a number of organizations and people primarily positioned throughout the Center East and North Africa (MENA) area as a part of a brand new marketing campaign codenamed Operation Olalampo.
The exercise, first noticed on January 26, 2026, has resulted within the deployment of recent malware households that share overlapping samples beforehand recognized as utilized by the menace actor, based on a report revealed by Group-IB. These embrace downloaders like GhostFetch and HTTP_VIP, together with a Rust backdoor known as CHAR and a sophisticated implant codenamed GhostBackDoor that is dropped by GhostFetch.
“These assaults observe related patterns and align with the killchains beforehand noticed in MuddyWater assaults; beginning with a phishing e-mail with a Microsoft Workplace doc hooked up to it that comprises malicious macro code that decodes the embedded payload and drops it on the system and executes it, offering the adversary with distant management of the system,” the corporate mentioned.
One such assault chain using a malicious Microsoft Excel doc prompts customers to allow macros with a view to activate the an infection and finally drop CHAR. One other variant of the identical assault has been discovered to result in the deployment of the GhostFetch downloader, which then downloads GhostBackDoor.
A 3rd model of the assault leverages themes corresponding to flight tickets and studies, in distinction to utilizing lures mimicking an power and marine providers firm within the Center East, to distribute the HTTP_VIP downloader that subsequently deploys the AnyDesk distant desktop software program.
A short description of the 4 instruments is as follows –
- GhostFetch, a first-stage downloader that profiles the system, validates mouse actions and checks display decision, checks for the presence of debuggers, digital machine artifacts, and antivirus software program, and fetches and executes secondary payloads straight in reminiscence.
- GhostBackDoor, a second-stage backdoor delivered by GhostFetch that helps an interactive shell, file learn/write, and re-run GhostFetch.
- HTTP_VIP, a local downloader that conducts system reconnaissance, connects to an exterior server (“codefusiontech[.]org”) to authenticate and deploy AnyDesk from the C2 server. A brand new variant of the malware additionally provides the flexibility to retrieve sufferer info and retrieve directions to start out an interactive shell, obtain/add information, seize clipboard contents, and replace the sleep/beaconing interval.
- CHAR, a Rust backdoor that is managed by a Telegram bot (whose first title is “Olalampo” and username is “stager_51_bot”) to vary listing and execute a cmd.exe or PowerShell command.
The PowerShell command is designed to execute a SOCKS5 reverse proxy or one other backdoor named Kalim, add information stolen from internet browsers, and run unknown executables known as “sh.exe” and “gshdoc_release_X64_GUI.exe.”
Group-IB’s evaluation of CHAR’s supply code has revealed indicators of synthetic intelligence (AI)-assisted growth owing to the presence of emojis in debug strings, a discovering that is in line with Google’s revelations final yr that the menace actor is experimenting with generative AI instruments to help the event of customized malware to help file switch and distant execution.
One other notable side is that CHAR shares the same construction and growth setting because the Rust-based malware BlackBeard (aka Archer RAT and RUSTRIC), which was flagged by CloudSEK and Seqrite Labs as put to make use of by the menace actor to focus on varied entities within the Center East.
MuddyWater has additionally been noticed exploiting lately disclosed vulnerabilities on public-facing servers as a approach to acquire preliminary entry to focus on networks.
“The MuddyWater APT group stays an lively menace throughout the META [Middle East, Turkey, and Africa] area, with this operation primarily focusing on organizations within the MENA area,” Group-IB concluded. “The group’s continued adoption of AI expertise, mixed with continued growth of customized malware and tooling and diversified command-and-control (C2) infrastructures, underscores their dedication and intent to broaden their operations.”
