The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has actively targeted several organizations and individuals across the Middle East and North Africa (MENA) region as part of a new campaign dubbed Operation Olalampo.
Researchers first observed the activity on January 26, 2026. The campaign introduced new malware families that overlap with samples previously attributed to the threat actor, according to a report released by Group-IB. The toolkit includes two downloaders, GhostFetch and HTTP_VIP, a Rust backdoor named CHAR, and an implant called GhostBackDoor that GhostFetch deploys.
“These attacks follow similar patterns and align with the kill chains previously observed in MuddyWater attacks; starting with a phishing email with a Microsoft Office document attached to it that contains malicious macro code that decodes the embedded payload and drops it on the system and executes it, providing the adversary with remote control of the system,” the company said.
One attack chain uses a malicious Microsoft Excel document that prompts users to enable macros, which triggers the infection and ultimately deploys CHAR.
Another variant delivers the GhostFetch downloader, which in turn installs GhostBackDoor.
A third version uses lures themed around flight tickets and reports, and impersonates an energy and marine services company in the Middle East, to distribute the HTTP_VIP downloader, which then deploys the AnyDesk remote desktop software.
Technical Breakdown of the Toolset
A brief description of the four primary tools follows:
- GhostFetch: A first-stage downloader that profiles the system, validates mouse movements, checks screen resolution, detects debuggers and virtual machine artifacts, scans for antivirus software, and fetches and executes secondary payloads directly in memory.
- GhostBackDoor: A second-stage backdoor delivered via GhostFetch that supports an interactive shell, file read/write operations, and the ability to re-run GhostFetch.
- HTTP_VIP: A native downloader that performs system reconnaissance, connects to an external server (“codefusiontech[.]org”) for authentication, and deploys AnyDesk from the C2 server. Additionally, a newer variant retrieves victim information, executes interactive shell commands, uploads and downloads files, captures clipboard contents, and modifies the sleep/beaconing interval.
- CHAR: A Rust-based backdoor controlled through a Telegram bot (first name “Olalampo,” username “stager_51_bot”) that enables directory changes and executes cmd.exe or PowerShell commands.
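The two network indicators the report names, the HTTP_VIP server codefusiontech[.]org and CHAR's Telegram bot, are the quickest things a defender can hunt for. The script below is an added example, not Group-IB's tooling or the actor's code: it refangs the published domain, scans a constructed web-proxy log for that host and for Telegram Bot API traffic, and flags clients that trip more than one indicator. The proxy log format and every sample line are constructed for the example; that CHAR reaches the Bot API host directly from the victim is an assumption (the bot API URL shape is public Telegram documentation, not something the report states).

```python
"""Hunt for the Operation Olalampo network indicators named on this page in a
web-proxy log. Added example: not Group-IB's or the threat actor's code.
The log format and the sample lines below are constructed for illustration."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


def refang(ioc: str) -> str:
    """Turn the report's defanged form (codefusiontech[.]org) into a usable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


# Indicator quoted on this page (HTTP_VIP authentication / C2 server).
C2_HOSTS = {refang("codefusiontech[.]org")}
# Assumption: CHAR polls its bot over the public Telegram Bot API, whose
# requests go to api.telegram.org/bot<token>/<method>.
TELEGRAM_API_HOST = "api.telegram.org"

# Constructed proxy log line: "<timestamp> <client> <method> <url> <status>"
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    rule: str
    url: str


def classify(url: str):
    """Return the rule name a single URL triggers, or None if it matches nothing."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    if host in C2_HOSTS:
        # An executable fetched from the C2 matches the HTTP_VIP -> AnyDesk step.
        if path.endswith(".exe") or "anydesk" in path:
            return "c2_payload_download"
        return "http_vip_c2"
    if host == TELEGRAM_API_HOST and path.startswith("/bot"):
        return "telegram_bot_api"
    return None


def scan_proxy_log(text: str) -> list[Hit]:
    """Parse each line, skip malformed ones, and collect indicator hits."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # do not let one bad line abort the whole scan
        rule = classify(m["url"])
        if rule:
            hits.append(Hit(n, m["client"], rule, m["url"]))
    return hits


def suspicious_clients(hits: list[Hit], min_rules: int = 2) -> list[str]:
    """Clients that tripped at least min_rules distinct rules. The Olalampo chain
    touches several indicators from one host; a lone Telegram hit may be benign."""
    by_client: dict[str, set[str]] = {}
    for h in hits:
        by_client.setdefault(h.client, set()).add(h.rule)
    return sorted(c for c, rules in by_client.items() if len(rules) >= min_rules)


# Constructed sample log; the bot token is a placeholder, not a real token.
SAMPLE_LOG = """\
2026-01-27T09:14:03Z 10.20.5.17 GET http://codefusiontech.org/auth 200
2026-01-27T09:14:09Z 10.20.5.17 POST https://api.telegram.org/bot000000:CONSTRUCTED/getUpdates 200
2026-01-27T09:15:41Z 10.20.5.17 GET http://codefusiontech.org/dl/AnyDesk.exe 200
2026-01-27T09:16:00Z 10.20.5.22 GET https://www.example.com/news 200
2026-01-27T09:16:12Z 10.20.5.31 GET https://api.telegram.org/bot000000:CONSTRUCTED/getMe 200
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.client} {h.rule} {h.url}")
    print("clients with multiple indicators:", suspicious_clients(found))
```

Run against the constructed log, the scan reports four hits and singles out 10.20.5.17, the only client that both contacted the C2 host and polled the Bot API. The Telegram-only client is deliberately left below the threshold: Telegram traffic on its own is common, and the point of the correlation is to surface the chain, not any single request.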
Advanced Capabilities and AI Experimentation
Group-IB also observed the attackers using a PowerShell command to establish a SOCKS5 reverse proxy or run another backdoor named Kalim, upload data stolen from web browsers, and run unknown executables named “sh.exe” and “gshdoc_release_X64_GUI.exe.”
Group-IB analysts also identified signs of AI-assisted development in CHAR’s source code, chiefly emojis embedded in debug strings. This aligns with earlier findings from Google that the threat actor has experimented with generative AI tools to develop custom malware for file transfer and remote execution.
Links to Previous Malware and Ongoing Exploitation
CHAR also shares structural similarities and a comparable development environment with BlackBeard (aka Archer RAT and RUSTRIC), a Rust-based malware that CloudSEK and Seqrite Labs previously linked to MuddyWater operations targeting entities in the Middle East.
Separately, MuddyWater has exploited recently disclosed vulnerabilities in public-facing servers to gain initial access to targeted networks.
“The MuddyWater APT group remains an active threat within the META [Middle East, Turkey, and Africa] region, with this operation primarily targeting organizations in the MENA region,” Group-IB concluded. “The group’s continued adoption of AI technology, combined with continued development of custom malware and tooling and diversified command-and-control (C2) infrastructures, underscores their dedication and intent to expand their operations.”
Source: TheHackerNews
Read more at Impreza News