The Iranian hacking group referred to as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has focused a number of organizations and people primarily situated throughout the Center East and North Africa (MENA) area as a part of a brand new marketing campaign codenamed Operation Olalampo.
The exercise, first noticed on January 26, 2026, has resulted within the deployment of recent malware households that share overlapping samples beforehand recognized as utilized by the menace actor, in line with a report printed by Group-IB. These embrace downloaders like GhostFetch and HTTP_VIP, together with a Rust backdoor known as CHAR and a complicated implant codenamed GhostBackDoor that is dropped by GhostFetch.
“These assaults comply with comparable patterns and align with the killchains beforehand noticed in MuddyWater assaults; beginning with a phishing e-mail with a Microsoft Workplace doc connected to it that accommodates malicious macro code that decodes the embedded payload and drops it on the system and executes it, offering the adversary with distant management of the system,” the corporate stated.
One such assault chain using a malicious Microsoft Excel doc prompts customers to allow macros with a view to activate the an infection and finally drop CHAR. One other variant of the identical assault has been discovered to result in the deployment of the GhostFetch downloader, which then downloads GhostBackDoor.
A 3rd model of the assault leverages themes corresponding to flight tickets and studies, in distinction to utilizing lures mimicking an vitality and marine providers firm within the Center East, to distribute the HTTP_VIP downloader that subsequently deploys the AnyDesk distant desktop software program.
A quick description of the 4 instruments is as follows –
- GhostFetch, a first-stage downloader that profiles the system, validates mouse actions and checks display screen decision, checks for the presence of debuggers, digital machine artifacts, and antivirus software program, and fetches and executes secondary payloads immediately in reminiscence.
- GhostBackDoor, a second-stage backdoor delivered by GhostFetch that helps an interactive shell, file learn/write, and re-run GhostFetch.
- HTTP_VIP, a local downloader that conducts system reconnaissance, connects to an exterior server (“codefusiontech[.]org”) to authenticate and deploy AnyDesk from the C2 server. A brand new variant of the malware additionally provides the flexibility to retrieve sufferer info and retrieve directions to begin an interactive shell, obtain/add recordsdata, seize clipboard contents, and replace the sleep/beaconing interval.
- CHAR, a Rust backdoor that is managed by a Telegram bot (whose first identify is “Olalampo” and username is “stager_51_bot”) to alter listing and execute a cmd.exe or PowerShell command.
The PowerShell command is designed to execute a SOCKS5 reverse proxy or one other backdoor named Kalim, add information stolen from net browsers, and run unknown executables known as “sh.exe” and “gshdoc_release_X64_GUI.exe.”
Group-IB’s evaluation of CHAR’s supply code has revealed indicators of synthetic intelligence (AI)-assisted improvement owing to the presence of emojis in debug strings, a discovering that is per Google’s revelations final 12 months that the menace actor is experimenting with generative AI instruments to assist the event of customized malware to assist file switch and distant execution.
One other notable side is that CHAR shares an analogous construction and improvement surroundings because the Rust-based malware BlackBeard (aka Archer RAT and RUSTRIC), which was flagged by CloudSEK and Seqrite Labs as put to make use of by the menace actor to focus on varied entities within the Center East.
MuddyWater has additionally been noticed exploiting just lately disclosed vulnerabilities on public-facing servers as a technique to get hold of preliminary entry to focus on networks.
“The MuddyWater APT group stays an lively menace inside the META [Middle East, Turkey, and Africa] area, with this operation primarily concentrating on organizations within the MENA area,” Group-IB concluded. “The group’s continued adoption of AI expertise, mixed with continued improvement of customized malware and tooling and diversified command-and-control (C2) infrastructures, underscores their dedication and intent to develop their operations.”
