The Iranian state-aligned advanced persistent threat group MuddyWater, associated with Iran’s Ministry of Intelligence and Security (MOIS), launched Operation Olalampo targeting organizations and individuals primarily across the Middle East and North Africa (MENA) region. First observed on January 26, 2026, this sophisticated cyber-espionage campaign represents a significant escalation in MuddyWater’s operational capabilities and geographic reach.
Operation Olalampo deploys four distinct malware families through coordinated cyber-espionage operations: GhostFetch downloader, GhostBackDoor advanced implant, HTTP_VIP downloader, and CHAR Rust-based backdoor. The MuddyWater threat actor delivers these malware payloads through carefully crafted spear-phishing emails containing weaponized Microsoft Office documents with malicious macro code tailored to regional themes for maximum effectiveness.
MuddyWater targets critical infrastructure and strategic sectors across the MENA region including energy companies, marine services providers, system integrators, and government entities. The Operation Olalampo campaign demonstrates sophisticated tradecraft including diversified command-and-control infrastructure, multi-stage infection chains, advanced evasion techniques, and evidence of AI-assisted malware development. MuddyWater’s operational methodology reflects the group’s evolution as a mature Iranian state-sponsored threat actor conducting sustained cyber-espionage operations aligned with Iranian intelligence collection priorities.
Operation Olalampo Campaign Overview
The Iranian cyber-espionage group MuddyWater, also tracked as Earth Vetala, Mango Sandstorm, MUDDYCOAST, Seedworm, TEMP.Zagros, Static Kitten, Mercury, TA450, Cobalt Ulster, ATK 51, T-APT-14, ITG17, Boggy Serpens, and Yellow Nix, has launched Operation Olalampo targeting organizations across the Middle East and North Africa. First observed on January 26, 2026, Operation Olalampo introduces new malware tools including the GhostFetch downloader, HTTP_VIP downloader, CHAR Rust-based backdoor, and GhostBackDoor advanced implant.
MuddyWater Spear-Phishing Operations
Operation Olalampo attacks begin with carefully crafted spear-phishing emails carrying malicious Microsoft Office documents tailored to MENA regional themes so that they appear legitimate. In one MuddyWater attack variant, a fake Excel file posing as a document from an energy and marine services company triggers hidden malicious macro code once macros are enabled, installing the CHAR backdoor on the compromised Windows system. Another Excel-based MuddyWater lure deploys the GhostFetch downloader instead. A third variant uses Word documents themed around flight tickets and reports to deliver the HTTP_VIP malware, often targeting specific individuals and system integrators across the MENA region.
Multi-Stage Malware Infection Process
Once activated, Operation Olalampo malware follows sophisticated infection paths. GhostFetch first analyzes the infected system, checking for virtual machines, security software, and user activity to avoid detection by security researchers. The GhostFetch downloader loads additional malware payloads directly into memory to evade disk-based security tools and installs GhostBackDoor, which adapts to system privileges and enables remote control, file access, and reinfection capabilities if needed.
In the CHAR backdoor variant, MuddyWater operators control compromised systems through a Telegram bot named “Olalampo,” issuing commands through PowerShell or the Windows command shell (cmd.exe). This command-and-control methodology provides MuddyWater operators with flexible remote access while maintaining operational security through encrypted Telegram communications.
Post-Compromise Operations and Credential Theft
Post-compromise activity in Operation Olalampo demonstrates MuddyWater’s focus on credential theft and establishing long-term persistent access. Using the CHAR backdoor, MuddyWater operators deploy a SOCKS5 reverse proxy for network tunneling, additional backdoors such as Kalim malware, and specialized tools designed to extract browser data including saved credentials. Some Operation Olalampo malware components reveal signs of AI-assisted development and share structural similarities with earlier MuddyWater malware such as BlackBeard, also known as Archer RAT or RUSTRIC.
HTTP_VIP Capabilities and Remote Access
The HTTP_VIP variant performs comprehensive system reconnaissance, connects to MuddyWater command-and-control servers, and installs AnyDesk remote management software to gain full remote access to compromised systems. A newer version of HTTP_VIP expands MuddyWater’s capabilities to include file transfer operations, clipboard capture for credential harvesting, interactive shell access, and detailed system profiling. Beyond spear-phishing operations, MuddyWater also exploits newly disclosed server vulnerabilities to enter networks, maintaining multiple access routes and a layered command-and-control infrastructure to support sustained cyber-espionage operations across the MENA region.
Recommendations
Disable Office Macros by Default
Enforce Group Policy Objects (GPO) to restrict macro execution from untrusted sources across all endpoints to prevent Operation Olalampo infections. Only permit digitally signed macros where business-critical operations require them, and log all macro execution events for audit purposes to detect MuddyWater spear-phishing attempts.
Deploy Endpoint Detection for Rust-Based Implants
Update EDR signatures and behavioral detection rules to identify CHAR, GhostFetch, GhostBackDoor, and HTTP_VIP payloads associated with Operation Olalampo. Integrate the YARA rules and EDR detection rules published in Group-IB’s MuddyWater report into existing security tooling to detect Operation Olalampo malware.
Monitor for In-Memory Payload Execution
Since GhostFetch retrieves and executes malware payloads directly in memory to evade disk-based detection, implement memory scanning capabilities and behavioral analysis rules that detect fileless execution techniques such as process hollowing and reflective DLL injection used by MuddyWater malware.
Implement Multi-Factor Authentication
Enforce MFA on all critical accounts, VPN gateways, and remote access platforms to mitigate credential theft risk from browser data exfiltration observed in MuddyWater’s Operation Olalampo post-exploitation activities targeting MENA organizations.
Monitor Suspicious PowerShell and cmd.exe Activity
Deploy behavioral detection rules for PowerShell-based SOCKS5 reverse proxy execution, unusual cmd.exe invocations, and unexpected Telegram API communications from endpoints, as these are key indicators of CHAR backdoor activity associated with Operation Olalampo.
Hunt for Post-Exploitation Artifacts
Proactively search for the presence of executables named “sh.exe” and “gshdoc_release_X64_GUI.exe,” suspicious directory creation under the Public user folder, and anomalous outbound traffic patterns consistent with SOCKS5 proxy or Telegram bot beaconing used by MuddyWater operators.
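As an added illustration (not code from the advisory or from Group-IB), the following Python classifies constructed Sysmon-style telemetry events against the indicators named in the two hunting recommendations above: the executable names, directory creation under the Public folder, PowerShell or cmd.exe spawned by Office applications, and Telegram API connections from processes that are not expected Telegram clients. The event schema, the sample paths and the allow-list of Telegram-capable clients are assumptions made for the example.

```python
import re
# Indicators taken from the advisory text above.
KNOWN_BINARIES = {"sh.exe", "gshdoc_release_x64_gui.exe"}
PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)
OFFICE_APPS = {"excel.exe", "winword.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
TELEGRAM_API = "api.telegram.org"  # Bot API host; legitimate for the clients below
TELEGRAM_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allow-list

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> list[str]:
    """Return detection tags for one event; an empty list means nothing matched."""
    tags = []
    if ev["type"] == "process_create":
        image, parent = basename(ev["image"]), basename(ev.get("parent", ""))
        if image in KNOWN_BINARIES:
            tags.append("known_olalampo_binary")
        if PUBLIC_DIR.match(ev["image"]):
            tags.append("exec_from_public_folder")
        if image in SHELLS and parent in OFFICE_APPS:
            tags.append("office_spawned_shell")  # macro-launched PowerShell/cmd
    elif ev["type"] == "dir_create" and PUBLIC_DIR.match(ev["path"]):
        tags.append("public_folder_dir_create")
    elif (ev["type"] == "net_connect" and ev["dest_host"].lower() == TELEGRAM_API
          and basename(ev["image"]) not in TELEGRAM_CLIENTS):
        tags.append("telegram_api_from_unexpected_process")
    return tags

def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Map each triggered tag to the ids of the events that triggered it."""
    hits = {}
    for ev in events:
        for tag in classify(ev):
            hits.setdefault(tag, []).append(ev["id"])
    return hits

# Constructed sample telemetry (not real logs) walking one infection chain.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process_create", "image": PS,
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"id": "e2", "type": "dir_create", "path": r"C:\Users\Public\Data"},
    {"id": "e3", "type": "process_create", "parent": PS, "image": r"C:\Users\Public\Data\sh.exe"},
    {"id": "e4", "type": "net_connect", "image": r"C:\Users\Public\Data\sh.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": "e5", "type": "net_connect", "dest_host": "api.telegram.org", "dest_port": 443,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},  # benign use
]
```

Running `hunt(SAMPLE_EVENTS)` tags e1 through e4 and leaves the browser connection in e5 untagged; in production the same logic would be fed from EDR or Sysmon process, file and network events.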
Implement Network Segmentation
Segment critical assets and limit lateral movement potential by enforcing strict network access controls between trust zones. Monitor east-west traffic for anomalous patterns indicative of network enumeration or credential harvesting activities conducted by MuddyWater during Operation Olalampo compromises.
Indicators of Compromise
Domains: codefusiontech[.]org, Promoverse[.]org, miniquest[.]org, jerusalemsolutions[.]com
IPv4 Addresses: 162[.]0[.]230[.]185, 209[.]74[.]87[.]100, 143[.]198[.]5[.]41, 209[.]74[.]87[.]67
SHA1 Hashes: see the full file hash list in the Group-IB report linked below.
MITRE ATT&CK Mapping
Resource Development: T1587.001 – Develop Capabilities: Malware
Initial Access: T1566.001 – Phishing: Spearphishing Attachment, T1190 – Exploit Public-Facing Application
Execution: T1204.002 – User Execution: Malicious File, T1059.001 – Command and Scripting Interpreter: PowerShell, T1059.003 – Command and Scripting Interpreter: Windows Command Shell, T1106 – Native API
Persistence: T1547 – Boot or Logon Autostart Execution
Defense Evasion: T1140 – Deobfuscate/Decode Files or Information, T1620 – Reflective Code Loading, T1027.013 – Obfuscated Files or Information: Encrypted/Encoded File, T1497.001 – Virtualization/Sandbox Evasion: System Checks, T1036 – Masquerading
Discovery: T1082 – System Information Discovery, T1033 – System Owner/User Discovery
Credential Access: T1555 – Credentials from Password Stores
Collection: T1115 – Clipboard Data, T1005 – Data from Local System
Command and Control: T1071.001 – Application Layer Protocol: Web Protocols, T1102 – Web Service, T1219 – Remote Access Software, T1573 – Encrypted Channel, T1029 – Scheduled Transfer
Exfiltration: T1041 – Exfiltration Over C2 Channel
Reference
https://www.group-ib.com/blog/muddywater-operation-olalampo/