MuddyWater has launched a new cyber campaign, Operation Olalampo, targeting organizations across the Middle East and North Africa (MENA). The operation leverages advanced custom malware families, including GhostFetch, GhostBackDoor, HTTP_VIP, and the Rust-based CHAR backdoor, combined with phishing-based initial access techniques.
To enhance evasion and operational agility, the campaign employs malicious Microsoft Office documents, in-memory payload execution, Telegram-based command-and-control (C2) channels, and abuse of legitimate remote administration tools such as AnyDesk. Artifacts consistent with AI-assisted development further suggest an effort to accelerate tooling changes and improve evasion.
The campaign reinforces MuddyWater’s continued intent to compromise regional government and enterprise networks, demonstrating diversified C2 infrastructure, persistent remote access mechanisms, and evolving malware sophistication. These developments highlight the urgent need for strengthened email security, endpoint monitoring, and proactive vulnerability management controls across MENA organizations.
Operation Olalampo follows a multi-phase infection chain initiated through spear-phishing emails delivering weaponized Microsoft Office documents. These documents require macro execution to decode and release initial payloads. Depending on the campaign variant, the macro either deploys the Rust-based CHAR backdoor directly or installs GhostFetch or HTTP_VIP downloaders.
To evade disk-based detection, GhostFetch executes secondary payloads such as GhostBackDoor entirely in memory. It also performs environmental profiling, including mouse movement validation, screen resolution checks, and detection of debuggers, virtual machines, and antivirus solutions.
HTTP_VIP establishes authenticated communication with remote C2 infrastructure, deploys legitimate remote access tools such as AnyDesk, and conducts host reconnaissance. Recent iterations expand functionality to include file transfer, clipboard capture, interactive shell access, and configurable beacon intervals.
The Rust-based CHAR backdoor demonstrates a modular architecture and anti-analysis controls. Using a Telegram bot as its C2 channel, it supports command execution, directory listing and navigation, data exfiltration, SOCKS5 proxy deployment, and secondary payload delivery. These capabilities reflect increasing operational sophistication and flexible, dynamic tasking. Further technical details of the campaign are outlined below.
MuddyWater primarily initiates Operation Olalampo through spear-phishing emails containing malicious Microsoft Office attachments, particularly Excel documents. To enhance credibility, phishing lures reference regionally relevant themes such as corporate reports, airline itineraries, and energy-sector communications.
Victims are prompted to enable macros, which decode embedded payloads and execute them locally. Beyond email-based intrusion, the group has also exploited newly disclosed vulnerabilities in internet-facing servers to obtain initial access.
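As an added example (not code from the original report or from Group-IB), the following Python triage inspects an Office Open XML attachment held in memory: it reads `[Content_Types].xml` to see whether the file declares a macro-enabled type, checks for a `vbaProject.bin` part, and scans that part for the auto-run entry points and execution primitives a macro dropper needs. The sample container is constructed inline and is not a real sample; the keyword list is an assumption to tune for your environment.

```python
import io
import zipfile

# Strings typical of macro droppers: auto-run entry points plus the primitives used
# to decode an embedded payload and hand it to the OS. Assumed list; extend as needed.
SUSPICIOUS_VBA = [
    b"Auto_Open", b"AutoOpen", b"Workbook_Open", b"Document_Open",
    b"CreateObject", b"WScript.Shell", b"Shell", b"ADODB.Stream",
    b"Environ", b"powershell", b"Base64",
]


def triage_ooxml(data: bytes) -> dict:
    """Best-effort macro triage of an OOXML file (docx/docm/xlsx/xlsm) held in memory."""
    result = {"is_zip": False, "macro_enabled": False, "has_vba": False, "keywords": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["is_zip"] = True
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml")
            # xlsm/docm/pptm declare a macroEnabled main part; the VBA part has its own type.
            result["macro_enabled"] = (b"macroEnabled" in ct) or (b"vnd.ms-office.vbaProject" in ct)
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["has_vba"] = bool(vba_parts)
        found = set()
        for part in vba_parts:
            blob = zf.read(part)
            # Module source inside vbaProject.bin is MS-OVBA compressed, so a raw byte scan
            # only catches literal runs; use olevba for full decompression in production.
            for kw in SUSPICIOUS_VBA:
                if kw in blob:
                    found.add(kw.decode())
        result["keywords"] = sorted(found)
    return result


def build_sample(macro: bool) -> bytes:
    """Constructed in-memory OOXML container for demonstration (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if macro
                   else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/xl/workbook.xml" ContentType="%s"/></Types>' % main_ct)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            # OLE2 magic followed by uncompressed VBA text so the keyword scan has something to hit.
            zf.writestr("xl/vbaProject.bin",
                        b'\xd0\xcf\x11\xe0Sub Auto_Open()\r\n'
                        b'Set o = CreateObject("WScript.Shell")\r\n'
                        b'o.Run Environ("TEMP") & "\\x.exe"\r\nEnd Sub')
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_ooxml(build_sample(macro=True)))
    print(triage_ooxml(build_sample(macro=False)))
```

A mail gateway can act on `macro_enabled` alone (quarantine or strip macro-enabled attachments from external senders), while `keywords` is a triage hint for analysts; a positive `has_vba` with an empty keyword list should still be escalated, since the scan cannot see compressed module text.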
The infection chain proceeds as follows: a macro-enabled Office attachment decodes and drops the first stage; depending on the variant, this is the CHAR backdoor itself or a GhostFetch or HTTP_VIP downloader; GhostFetch then stages GhostBackDoor in memory, while HTTP_VIP authenticates to its C2 and may deploy AnyDesk for persistent remote access.
Operation Olalampo showcases a modular and evasive malware architecture engineered to ensure stealth, adaptability, and long-term persistence. Initial loaders GhostFetch and HTTP_VIP conduct extensive system reconnaissance, including environment fingerprinting, screen resolution validation, mouse activity monitoring, and detection of debugging tools, virtual machines, and antivirus software.
To minimize disk artifacts and evade signature-based detection, payloads are frequently executed directly in memory. GhostFetch retrieves secondary implants such as GhostBackDoor, which facilitates interactive shell access, file manipulation, and re-execution of earlier infection stages.
HTTP_VIP authenticates with C2 infrastructure and may deploy legitimate remote administration tools such as AnyDesk to blend malicious activity with authorized administrative traffic.
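Two of the behaviours described here are visible in endpoint process-creation telemetry: an Office host spawning a script interpreter when the macro runs, and AnyDesk being started from a user-writable path or by an interpreter rather than by a sanctioned installer. The following Python is an added example (not from the original report or from Group-IB) that applies both rules to Sysmon-style events; the events are constructed, the expected AnyDesk install directories are an assumption for your estate, and the `--set-password` switch is AnyDesk's documented way to configure unattended access.

```python
from typing import Iterable

# Office hosts that should not be launching script interpreters or LOLBins.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children macro droppers commonly use to decode and run a next stage.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Assumption: where a sanctioned AnyDesk install lives in this estate. Adjust to yours.
ANYDESK_EXPECTED_DIRS = {
    r"c:\program files (x86)\anydesk",
    r"c:\program files\anydesk",
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def triage_process_events(events: Iterable[dict]) -> list:
    """Return one finding per suspicious process-creation event.

    Each event is a dict with keys image, parent_image, command_line, user
    (the Sysmon Event ID 1 fields a SIEM would normalise into).
    """
    findings = []
    for ev in events:
        child = _basename(ev["image"])
        parent = _basename(ev["parent_image"])
        cmd = ev.get("command_line", "")

        # Macro execution: an Office process spawning an interpreter or LOLBin.
        if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
            findings.append({"rule": "office_spawned_interpreter", "parent": parent,
                             "child": child, "command_line": cmd})

        # Remote admin tool abuse: AnyDesk started from a non-standard path, by a
        # script interpreter or Office host, or with the unattended-access switch.
        if child == "anydesk.exe":
            reasons = []
            if _dirname(ev["image"]) not in ANYDESK_EXPECTED_DIRS:
                reasons.append("unexpected_path")
            if parent in SUSPICIOUS_CHILDREN or parent in OFFICE_PARENTS:
                reasons.append("suspicious_parent")
            if "--set-password" in cmd.lower():
                reasons.append("unattended_access_configured")
            if reasons:
                findings.append({"rule": "anydesk_unexpected_launch", "parent": parent,
                                 "image": ev["image"], "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry) in Sysmon-like normalised form.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"EXCEL.EXE" C:\Users\alice\Downloads\Report.xlsm', "user": "alice"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": "powershell.exe -w hidden -enc SQBFAFgA", "user": "alice"},
    {"image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"', "user": "bob"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe --set-password", "user": "alice"},
]

if __name__ == "__main__":
    for finding in triage_process_events(SAMPLE_EVENTS):
        print(finding)
```

The sanctioned AnyDesk launch by `explorer.exe` from `Program Files (x86)` produces no finding, which is the point: the rule keys on provenance (path and parent) and on unattended-access configuration rather than on the tool's presence, since blocking AnyDesk outright is rarely an option where it is in legitimate use.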
The Rust-based CHAR backdoor further enhances operational capabilities via Telegram bot-based C2 communications. It enables execution of PowerShell and cmd.exe commands, SOCKS5 reverse proxy creation, browser credential exfiltration, file upload and download, and execution of additional payloads. Adjustable beacon intervals and dynamic tasking allow flexible post-exploitation operations.
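Telegram bot C2 rides on the legitimate Bot API, whose requests have the fixed form `https://api.telegram.org/bot<id>:<secret>/<method>`; an implant that polls for tasking calls `getUpdates` at a configured beacon interval and uses methods such as `sendDocument` to move data out. The Python below is an added example (not from the original report or from Group-IB) that runs over constructed proxy records, extracts the bot ID as a hunting pivot, and measures the regularity of the polling to separate an implant from ordinary Telegram use. It assumes URL-level visibility (a TLS-inspecting proxy); with SNI-only visibility you can match the host but not the path. The `timestamp|client_ip|url` record format, the thresholds, and the token values are all assumptions made for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Bot API path: /bot<numeric id>:<secret>/<method>. The numeric id is stable across
# infections using the same bot, so it is a useful pivot for hunting.
BOT_API = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/([A-Za-z]+)")
POLL_METHODS = {"getUpdates"}   # the method a bot-based implant polls for tasking
REGULARITY_CV = 0.25            # assumed max stdev/mean of poll intervals to call it a beacon
MIN_POLLS = 4                   # assumed minimum number of polls before judging regularity


def analyze_proxy_log(lines):
    """Summarise Telegram Bot API use per client from 'timestamp|client_ip|url' records."""
    per_client = defaultdict(lambda: {"bot_ids": set(), "methods": set(), "poll_times": []})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, url = line.split("|", 2)
        u = urlparse(url)
        if u.hostname != "api.telegram.org":
            continue                      # web.telegram.org / desktop client traffic is ignored
        m = BOT_API.match(u.path)
        if not m:
            continue                      # api.telegram.org without a bot token is not Bot API use
        bot_id, _secret, method = m.groups()
        rec = per_client[client]
        rec["bot_ids"].add(bot_id)
        rec["methods"].add(method)
        if method in POLL_METHODS:
            rec["poll_times"].append(datetime.fromisoformat(ts))

    report = {}
    for client, rec in per_client.items():
        times = sorted(rec["poll_times"])
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = round(statistics.mean(intervals), 1) if intervals else None
        cv = statistics.pstdev(intervals) / mean if mean else None
        report[client] = {
            "bot_ids": rec["bot_ids"],
            "methods": rec["methods"],
            "poll_count": len(times),
            "mean_poll_interval": mean,
            "regular_beacon": len(times) >= MIN_POLLS and cv is not None and cv <= REGULARITY_CV,
        }
    return report


# Constructed sample proxy log (not a real capture). Tokens are made up.
SAMPLE_LOG = """\
2026-01-12 09:00:00|10.0.5.21|https://api.telegram.org/bot123456789:AAFakeTokenConstructedForThisExample00/getUpdates
2026-01-12 09:00:10|10.0.5.40|https://web.telegram.org/a/
2026-01-12 09:01:00|10.0.5.21|https://api.telegram.org/bot123456789:AAFakeTokenConstructedForThisExample00/getUpdates
2026-01-12 09:02:01|10.0.5.21|https://api.telegram.org/bot123456789:AAFakeTokenConstructedForThisExample00/getUpdates
2026-01-12 09:02:05|10.0.5.21|https://api.telegram.org/bot123456789:AAFakeTokenConstructedForThisExample00/sendDocument
2026-01-12 09:03:00|10.0.5.21|https://api.telegram.org/bot123456789:AAFakeTokenConstructedForThisExample00/getUpdates
2026-01-12 09:04:00|10.0.5.21|https://api.telegram.org/bot123456789:AAFakeTokenConstructedForThisExample00/getUpdates
2026-01-12 09:30:00|10.0.5.77|https://api.telegram.org/bot987654321:BBAnotherConstructedTokenValue0000/sendMessage
"""

if __name__ == "__main__":
    for client, summary in analyze_proxy_log(SAMPLE_LOG.splitlines()).items():
        print(client, summary)
```

In the sample, 10.0.5.21 polls once a minute with a `sendDocument` in between (an upload, the exfiltration path), so it is reported as a regular beacon; 10.0.5.77 made a single `sendMessage` call and is reported but not judged. Bot API use from a workstation is unusual enough that any hit deserves a look, but the combination of a regular `getUpdates` cadence and file-transfer methods is what distinguishes an implant from a developer testing a bot.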
The toolkit’s sophistication is further evidenced by anti-analysis mechanisms, diversified C2 channels (HTTP and Telegram), modular payload distribution, and indications of AI-assisted development practices designed to accelerate code generation and enhance evasion techniques.
Operation Olalampo is attributed to MuddyWater, also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST. The campaign demonstrates continuity with previously observed tactics, techniques, and procedures (TTPs), including macro-enabled phishing and deployment of custom backdoors.
The CHAR malware shares structural similarities with earlier Rust-based malware families associated with the group, indicating evolutionary codebase development. Indicators of AI-assisted development, including structured debug artifacts and distinctive coding patterns, suggest experimentation with generative AI tools to accelerate malware customization and operational deployment.
Activity observed since January 2026 indicates primary targeting of organizations within the Middle East and North Africa (MENA), including government agencies, regional enterprises, and energy and marine service providers.
The group’s sustained focus on the Middle East, Turkey, and Africa (META) region aligns with historical targeting patterns consistent with Iranian geopolitical and strategic interests. The use of diversified infrastructure and varied phishing themes suggests a continuous, adaptive campaign rather than isolated intrusion attempts.
Operation Olalampo illustrates MuddyWater’s continued operational maturation through the integration of traditional phishing techniques with Rust-based malware, memory-resident execution, Telegram-based C2 channels, and AI-assisted development methodologies.
The campaign underscores the necessity for strengthened macro controls, advanced endpoint detection, proactive vulnerability management, and rigorous monitoring of remote administration tool misuse across MENA enterprises.
A successful compromise enables full remote control of affected systems, including command execution, credential harvesting, data exfiltration, and potential lateral movement across organizational networks.
The abuse of legitimate administrative tools complicates detection efforts and enhances operational stealth. The malware’s modular design supports dynamic payload updates and sustained persistence, increasing the risk of espionage, operational disruption, and prolonged network compromise.
https://www.group-ib.com/blog/muddywater-operation-olalampo/