MuddyWater's 'Operation Olalampo' Targets MENA

by CyberNewsAI Admin
Threat Intelligence | Vulnerability Watch | AI Security

Executive Summary

A new campaign, codenamed Operation Olalampo, has been attributed to the Iranian advanced persistent threat (APT) group MuddyWater (also tracked as Earth Vetala, Mango Sandstorm). Observed since January 26, 2026, the operation targets organizations and individuals across the Middle East and North Africa (MENA) region. The adversary is deploying a new toolkit of custom malware, including downloaders and backdoors, some of which exhibit signs of AI-assisted development. The primary initial access vector remains phishing emails with malicious attachments.

Key Findings

Threat Actor and Targeting

The activity is attributed to the Iranian state-sponsored group MuddyWater. The campaign is highly focused on the MENA region, with phishing lures mimicking legitimate entities such as an energy and marine services company in the Middle East.

Initial Access Vectors

The primary infection vector is spear-phishing emails containing malicious Microsoft Office documents. These documents prompt the target to enable macros, which triggers the infection chain. The threat actor has also been observed exploiting recently disclosed vulnerabilities on public-facing servers for initial access.

New Malware Deployed

This campaign leverages several new malware families:

GhostFetch Downloader

A first-stage downloader designed for reconnaissance and payload delivery. It profiles the victim system, checks for mouse movement and a realistic screen resolution, and looks for debuggers, virtual-machine artifacts and antivirus software (sandbox and analysis evasion) before fetching and executing second-stage payloads directly in memory.

GhostBackDoor Implant

A second-stage backdoor delivered by GhostFetch. It provides the adversary with an interactive shell, file read/write capabilities, and the ability to re-execute the GhostFetch downloader.

HTTP_VIP Downloader

A native downloader that performs system reconnaissance and connects to a C2 server (codefusiontech[.]org) to authenticate and deploy AnyDesk remote desktop software. An updated variant adds capabilities to retrieve victim information, start an interactive shell, download/upload files, capture clipboard contents, and modify its C2 beaconing interval.

CHAR Backdoor

A Rust-based backdoor controlled via a Telegram bot. Its capabilities include changing directories and executing commands via cmd.exe or PowerShell. The PowerShell functionality is used to execute a SOCKS5 reverse proxy, deploy another backdoor named Kalim, exfiltrate data from web browsers, and run additional executables.

AI-Assisted Malware Development

Analysis of the CHAR backdoor's source code revealed emojis in debug strings, an indicator of AI-assisted development. This finding aligns with previous intelligence from Google noting MuddyWater's experimentation with generative AI tools for creating custom malware to support file transfer and remote execution.

Command and Control Infrastructure

The adversary is utilizing diversified C2 channels. The HTTP_VIP malware communicates with the hardcoded domain codefusiontech[.]org. The CHAR backdoor is controlled via a Telegram bot identified by the first name "Olalampo" and username "stager_51_bot".


Impact Analysis

The deployment of backdoors like GhostBackDoor and CHAR, along with remote access software like AnyDesk, provides the threat actor with persistent remote control over compromised systems. The malware capabilities indicate objectives including system reconnaissance, command execution, and data exfiltration, posing a significant espionage threat to targeted entities.

Mitigations & Recommendations

  • Phishing Defense: Enhance email filtering to block malicious attachments and links. Conduct continuous user awareness training on identifying and reporting phishing attempts.
  • Disable Macros: Enforce policies to disable Microsoft Office macros from documents downloaded from the internet.
  • Endpoint Detection & Response (EDR): Deploy and monitor EDR solutions to detect and block suspicious process execution, particularly PowerShell commands originating from Office applications.
  • Network Egress Filtering: Restrict and monitor outbound network traffic to detect and block C2 communications to known malicious domains like codefusiontech[.]org and unusual connections to services like Telegram.
  • Vulnerability Management: Maintain a robust patch management program to remediate vulnerabilities on public-facing servers, mitigating a key initial access vector for this actor.
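As an added example (not code from the report or from the researchers who analysed the campaign), the following Python triage script applies two of the detections recommended above to constructed endpoint and network telemetry: a script host spawned by a Microsoft Office application, and outbound connections to the C2 domain named in the report or to the Telegram Bot API host used by bot-controlled implants. The JSON event shape, the host names and the api.telegram.org endpoint are assumptions, and Telegram is assumed not to be an approved business service in the monitored environment.

```python
import json

# Indicator from the report, kept in its defanged form and refanged at load time.
C2_DOMAINS = {"codefusiontech[.]org"}
# Assumption: api.telegram.org (the public Bot API endpoint) is not approved
# for business use here, so any egress to it deserves a look.
TELEGRAM_HOSTS = {"api.telegram.org"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def refang(domain: str) -> str:
    """Turn 'example[.]org' into 'example.org' for comparison."""
    return domain.replace("[.]", ".").strip().lower()


C2_SET = {refang(d) for d in C2_DOMAINS}


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the detection names that fire for one JSON telemetry event."""
    hits = []
    if event.get("type") == "process":
        parent = basename(event.get("parent_image", ""))
        child = basename(event.get("image", ""))
        if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
            hits.append("office_spawned_script_host")
    elif event.get("type") == "network":
        host = refang(event.get("dest_host", ""))
        # Match the domain itself and any subdomain of it.
        if host in C2_SET or any(host.endswith("." + d) for d in C2_SET):
            hits.append("known_c2_domain")
        if host in TELEGRAM_HOSTS:
            hits.append("telegram_bot_api_egress")
    return hits


def scan(lines: list) -> list:
    """Run classify() over newline-delimited JSON; return (host, detection) pairs."""
    return [(ev["host"], name) for ev in map(json.loads, lines) for name in classify(ev)]


# Constructed sample telemetry for the demonstration, not real logs.
SAMPLE_LOG = [
    r'{"type":"process","host":"WS01","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}',
    r'{"type":"process","host":"WS02","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}',
    '{"type":"network","host":"WS01","dest_host":"codefusiontech.org","dest_port":443}',
    '{"type":"network","host":"WS03","dest_host":"api.telegram.org","dest_port":443}',
    '{"type":"network","host":"WS02","dest_host":"www.example.com","dest_port":443}',
]

if __name__ == "__main__":
    for host, detection in scan(SAMPLE_LOG):
        print(f"{host}: {detection}")
```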
