- Iran’s MuddyWater launched Operation Olalampo on January 26, 2026, targeting organizations across the Middle East and North Africa.
- Group-IB linked phishing emails carrying malicious Office macros to four new malware families: GhostFetch, GhostBackDoor, HTTP_VIP, and a Rust backdoor called CHAR.
- Researchers found signs of AI-assisted development inside CHAR’s source code, pointing to MuddyWater’s growing use of generative AI in building custom tools.

Iran’s MuddyWater hacking group has launched a fresh wave of cyberattacks across the Middle East and North Africa, and researchers are only now uncovering just how sophisticated the operation has become.
Group-IB published a report exposing the campaign, which MuddyWater, also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST, kicked off on January 26, 2026. Investigators named it Operation Olalampo, and its targets include organizations and individuals spread across the MENA region.
Phishing Emails Deliver the Opening Blow
MuddyWater built this campaign around a familiar but effective weapon: phishing. The group sent emails carrying malicious Microsoft Office documents loaded with macro code. Once a victim enabled those macros, the document decoded its embedded payload, dropped it onto the system, and handed the attackers full remote control.
Group-IB described the pattern clearly: “These attacks have identical patterns and match the killchains observed before in MuddyWater hits; beginning with a phishing mail with a Microsoft Office document attached to it that contains fishy macro code that breaks down the embedded payload and deploys it on the system and executes it, providing the adversary with remote control of the system.”
The group ran at least three variations of this attack. One used a malicious Microsoft Excel document that pushed users to enable macros, ultimately dropping the CHAR backdoor onto the machine. A second variant deployed GhostFetch, a downloader that then pulled down a second-stage implant called GhostBackDoor.
A third version used lures themed around flight tickets and reports, as well as decoys mimicking a Middle Eastern energy and marine services company, to distribute the HTTP_VIP downloader, which then installed AnyDesk remote desktop software on the victim’s machine.
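The delivery chain described above (Office macro, then a command interpreter, then a dropped implant or AnyDesk) leaves a recognizable parent/child trail in process-creation telemetry. The following hunt script is an added example, not Group-IB's tooling or anything from the report; it runs over constructed Sysmon-style events (timestamp|host|parent image|child image|command line) that are invented for illustration, flags Office applications spawning interpreters and AnyDesk launched from a script chain, and correlates the two on the same host within a time window.

```python
"""Hunt for the macro -> interpreter -> remote-tool chain in process-creation logs.

Added example. The log format, host names and command lines below are
constructed for illustration; the process-name lists are ordinary
defender heuristics, not indicators published for Operation Olalampo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
REMOTE_TOOLS = {"anydesk.exe"}

# Constructed sample: one host (WS-017) shows the full chain, WS-021 shows a
# benign AnyDesk start from Explorer, and the last line is Excel spawning a
# print helper, which must not fire.
SAMPLE_LOG = """
2026-01-26T09:14:02Z|WS-017|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|C:\\Windows\\System32\\cmd.exe|cmd.exe /c stage.bat
2026-01-26T09:14:05Z|WS-017|C:\\Windows\\System32\\cmd.exe|C:\\Users\\a\\AppData\\Local\\Temp\\AnyDesk.exe|AnyDesk.exe
2026-01-26T09:20:11Z|WS-021|C:\\Windows\\explorer.exe|C:\\Program Files\\AnyDesk\\AnyDesk.exe|AnyDesk.exe
2026-01-26T09:31:44Z|WS-017|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|C:\\Windows\\splwow64.exe|splwow64.exe 12288
"""


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    parent: str
    image: str
    cmdline: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        # Python < 3.11 does not accept a trailing "Z" in fromisoformat.
        events.append(ProcEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                host, parent, image, cmdline))
    return events


def classify(ev: ProcEvent):
    """Return a verdict string for a suspicious parent/child pair, else None."""
    parent, image = _base(ev.parent), _base(ev.image)
    if parent in OFFICE_APPS and image in INTERPRETERS:
        return "office-spawned-interpreter"
    if image in REMOTE_TOOLS and parent in INTERPRETERS | OFFICE_APPS:
        return "remote-tool-from-script"
    return None


def hunt(text: str) -> list:
    """All flagged events, in log order, with the parent -> child chain."""
    findings = []
    for ev in parse_events(text):
        verdict = classify(ev)
        if verdict:
            findings.append({"ts": ev.ts, "host": ev.host, "verdict": verdict,
                             "chain": f"{_base(ev.parent)} -> {_base(ev.image)}"})
    return findings


def chained_hosts(findings: list, window: timedelta = timedelta(minutes=10)) -> set:
    """Hosts where a remote tool start followed an Office-spawned interpreter within `window`."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)
    hosts = set()
    for host, fs in by_host.items():
        starts = [f["ts"] for f in fs if f["verdict"] == "office-spawned-interpreter"]
        tools = [f["ts"] for f in fs if f["verdict"] == "remote-tool-from-script"]
        if any(timedelta(0) <= t - s <= window for s in starts for t in tools):
            hosts.add(host)
    return hosts


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for f in found:
        print(f["ts"].isoformat(), f["host"], f["verdict"], f["chain"])
    print("hosts with the full chain:", chained_hosts(found))
```

The correlation step is what turns two noisy single-event rules into a confident alert: an Office application spawning cmd.exe happens occasionally in legitimate macros, and AnyDesk is widely used, but the two within minutes on the same host matches the delivery pattern the report describes.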
These sophisticated phishing campaigns operate alongside a broader wave of cybercrime across Africa, a wave that recently led to 574 arrests in an Interpol-coordinated sweep targeting fraud and dark web activities, showing that the continent is both a target and a battleground in the global fight against cyber threats.
Four New Malware Tools Power the Campaign
Operation Olalampo introduced four distinct malware families, each playing a specific role in the attack chain.
GhostFetch operates as a first-stage downloader. It profiles the infected system, checks for mouse movements and screen resolution, scans for debuggers, virtual machine artifacts, and antivirus software, then fetches and runs secondary payloads directly in memory, leaving minimal traces behind.
GhostBackDoor follows GhostFetch into the system as a second-stage backdoor. It supports an interactive shell, reads and writes files, and can re-launch GhostFetch if needed, giving attackers persistent, layered access.
HTTP_VIP works as a native download-driver that carries out system reconnaissance and links to an external server to authenticate before deploying AnyDesk from the command-and-control server. A newer variant of HTTP_VIP goes further; it retrieves victim information, opens an interactive shell, downloads and uploads files, captures clipboard contents, and adjusts its own beaconing interval to avoid detection.
CHAR is perhaps the most striking of the four. Built in the Rust programming language, CHAR takes its instructions from a Telegram bot whose first name is “Olalampo” and username is “stager_51_bot.” Through that bot, attackers can change directories and run cmd.exe or PowerShell commands remotely.
Those commands can activate a SOCKS5 reverse proxy, deploy another backdoor called Kalim, steal browser data, or execute unknown files labeled “sh.exe” and “gshdoc_release_X64_GUI.exe.”
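Two details in the preceding paragraphs are directly observable on the network: HTTP_VIP adjusts its beaconing interval to avoid detection, and CHAR takes its tasking from a Telegram bot. The script below is an added example, not Group-IB's detection content; it parses constructed proxy-log lines (timestamp|host|process|destination, invented for illustration, with a placeholder process name standing in for an unknown implant), reports non-browser processes talking to the Telegram Bot API host, and scores each host/process/destination series for machine-regular timing. Because an implant that changes its interval produces two regular runs rather than one, the scorer splits the gap sequence at large interval changes and evaluates each run on its own.

```python
"""Beacon and Telegram-bot-API hunting over proxy logs.

Added example with constructed data. "unknown_update.exe" is a placeholder
for an unidentified process, not a file name from the report.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

BOT_API_HOST = "api.telegram.org"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}

# Constructed sample: the placeholder process beacons every ~60 s, then
# switches to ~180 s; the browser traffic is irregular human activity.
SAMPLE_PROXY_LOG = """
2026-01-27T10:00:00Z|WS-017|unknown_update.exe|api.telegram.org
2026-01-27T10:00:30Z|WS-017|msedge.exe|www.bing.com
2026-01-27T10:00:45Z|WS-017|msedge.exe|www.bing.com
2026-01-27T10:01:01Z|WS-017|unknown_update.exe|api.telegram.org
2026-01-27T10:02:00Z|WS-017|unknown_update.exe|api.telegram.org
2026-01-27T10:02:15Z|WS-021|chrome.exe|api.telegram.org
2026-01-27T10:03:02Z|WS-017|unknown_update.exe|api.telegram.org
2026-01-27T10:03:10Z|WS-017|msedge.exe|www.bing.com
2026-01-27T10:04:01Z|WS-017|unknown_update.exe|api.telegram.org
2026-01-27T10:07:01Z|WS-017|unknown_update.exe|api.telegram.org
2026-01-27T10:09:58Z|WS-017|msedge.exe|www.bing.com
2026-01-27T10:10:00Z|WS-017|unknown_update.exe|api.telegram.org
2026-01-27T10:13:02Z|WS-017|unknown_update.exe|api.telegram.org
"""


@dataclass(frozen=True)
class ProxyRecord:
    ts: datetime
    host: str
    process: str
    dest: str


def parse_proxy_log(text: str) -> list:
    records = []
    for line in text.strip().splitlines():
        ts, host, process, dest = line.split("|", 3)
        records.append(ProxyRecord(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                   host, process.lower(), dest.lower()))
    return records


def bot_api_from_nonbrowser(records: list) -> list:
    """(host, process) pairs reaching the Bot API from something other than a browser/client."""
    return sorted({(r.host, r.process) for r in records
                   if r.dest == BOT_API_HOST and r.process not in BROWSERS})


def split_segments(gaps: list, tolerance: float = 0.5) -> list:
    """Split inter-arrival gaps into runs; a gap that departs from the run's median
    by more than `tolerance` starts a new run (handles a changed beacon interval)."""
    segments, current = [], []
    for g in gaps:
        if current and abs(g - statistics.median(current)) > tolerance * statistics.median(current):
            segments.append(current)
            current = []
        current.append(g)
    if current:
        segments.append(current)
    return segments


def beacon_candidates(records: list, max_cv: float = 0.15, min_gaps: int = 3) -> list:
    """Series whose timing is regular: coefficient of variation of gaps <= max_cv."""
    series = defaultdict(list)
    for r in records:
        series[(r.host, r.process, r.dest)].append(r.ts)
    out = []
    for key, times in series.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        for seg in split_segments(gaps):
            if len(seg) < min_gaps:
                continue
            mean = statistics.fmean(seg)
            if mean <= 0:
                continue
            cv = statistics.stdev(seg) / mean
            if cv <= max_cv:
                out.append({"key": key, "interval_s": round(mean, 1),
                            "cv": round(cv, 3), "requests": len(seg) + 1})
    return out


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("Bot API from non-browser:", bot_api_from_nonbrowser(recs))
    for c in beacon_candidates(recs):
        print(c)
```

Run on a day of real proxy data the Bot API check is low-volume and worth reviewing by hand, since legitimate automation does use Telegram bots; the timing score is the noisier signal and is best used to rank destinations that are already rare in the environment.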
While MuddyWater uses Telegram bots for malware control, other criminals use the platform differently, to run romance scams that surge around Valentine’s Day, building fake relationships that end in financial ruin rather than remote code execution.
AI is Now Part of MuddyWater’s Arsenal
Group-IB’s deep dive into CHAR’s source code turned up something that raised eyebrows — emojis scattered throughout the debug strings. That kind of pattern strongly suggests AI-assisted development, and it lines up directly with Google’s earlier findings that MuddyWater has been experimenting with generative AI tools to build custom malware supporting file transfer and remote execution.
Researchers also noted that CHAR shares structural similarities and a development environment with BlackBeard, a Rust-based malware also known as Archer RAT and RUSTRIC, which CloudSEK and Seqrite Labs previously flagged as another MuddyWater tool used against Middle Eastern targets.
Group-IB closed its report with a stark assessment: “The MuddyWater APT group remains an active threat within the META region, with this operation primarily targeting organizations in the MENA region. The group’s continued adoption of AI technology, combined with continued development of custom malware and tooling and diversified command-and-control infrastructures, underscores their dedication and intent to expand their operations.”
MuddyWater’s ability to blend familiar phishing tactics with newly developed, AI-assisted malware signals a threat actor that is not standing still and one that organizations across the region cannot afford to ignore.