The Iranian cyber threat group known as MuddyWater, also identified as Earth Vetala, Mango Sandstorm, and MUDDYCOAST, has launched a series of cyber attacks targeting entities and individuals in the Middle East and North Africa (MENA). This new wave of attacks, termed Operation Olalampo, began on January 26, 2026, and employs sophisticated malware to infiltrate and control systems within the region.
New Malware Deployment in Operation Olalampo
According to a report by Group-IB, MuddyWater has introduced several new malware families that exhibit similarities to previous tools employed by the group. These include initial access tools like GhostFetch and HTTP_VIP, a Rust-based backdoor known as CHAR, and an advanced implant called GhostBackDoor, which is delivered by GhostFetch. These tools enable the attackers to gain persistent access and control over compromised systems.
Phishing Attacks and Malware Capabilities
The attack strategy often starts with phishing emails containing Microsoft Office documents with malicious macros. These macros decode and execute embedded payloads, granting remote control over the victim’s system. One variant involves a malicious Excel document that, once macros are enabled, deploys the CHAR backdoor. Another approach uses themes such as flight tickets to trick users into deploying the HTTP_VIP downloader, which subsequently installs AnyDesk software for remote system access.
Technical Insights into Malware Functionality
GhostFetch acts as a first-stage downloader, conducting system profiling and executing secondary payloads in memory. GhostBackDoor, deployed by GhostFetch, offers functionalities such as file operations and system control. HTTP_VIP, another downloader, performs system reconnaissance and communicates with external servers to deploy AnyDesk and retrieve further instructions. CHAR, a Rust-based backdoor, is controlled via a Telegram bot and can execute various commands, establish proxies, and upload stolen data.
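The two preceding sections describe a chain a defender can look for in endpoint telemetry: an Office application spawning a script interpreter (the macro stage), AnyDesk being started by that interpreter rather than by a user (the HTTP_VIP stage), and an implant talking to the Telegram Bot API (the CHAR stage). The following detection sketch is an added example, not Group-IB's or the report's code; the event fields, the allow-lists and every sample event are constructed for illustration.

```python
"""Flag the Olalampo-style chain over constructed process/network telemetry.

Added example, not Group-IB's code; field names, allow-lists and the sample
events below are constructed for illustration only.
"""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
TELEGRAM_BOT_API = "api.telegram.org"   # CHAR is described as Telegram-bot controlled
TELEGRAM_CLIENTS = {"telegram.exe"}     # constructed allow-list for the legitimate client


@dataclass(frozen=True)
class Event:
    host: str
    kind: str          # "process" (new process) or "network" (outbound connection)
    image: str         # image name of the process created / making the connection
    parent: str = ""   # parent image name, process events only
    dest: str = ""     # destination hostname, network events only


def detect(events):
    """Return (host, finding) tuples in input order, one per matching event."""
    findings = []
    for ev in events:
        image, parent = ev.image.lower(), ev.parent.lower()
        if ev.kind == "process":
            # Macro stage: an Office application spawning a script interpreter.
            if parent in OFFICE_APPS and image in INTERPRETERS:
                findings.append((ev.host, f"office_spawned_interpreter:{parent}->{image}"))
            # HTTP_VIP stage: AnyDesk launched by a script host rather than a user.
            if image.startswith("anydesk") and parent in INTERPRETERS:
                findings.append((ev.host, f"anydesk_started_by_interpreter:{parent}->{image}"))
        elif ev.kind == "network":
            # CHAR stage: Telegram Bot API traffic from anything but the real client.
            if ev.dest.lower() == TELEGRAM_BOT_API and image not in TELEGRAM_CLIENTS:
                findings.append((ev.host, f"telegram_bot_api_beacon:{image}"))
    return findings


# Constructed telemetry: ws-01 and ws-02 show the described chain, ws-03 is benign.
SAMPLE_EVENTS = [
    Event("ws-01", "process", "powershell.exe", parent="EXCEL.EXE"),
    Event("ws-01", "network", "update.exe", dest="api.telegram.org"),
    Event("ws-02", "process", "wscript.exe", parent="winword.exe"),
    Event("ws-02", "process", "AnyDesk.exe", parent="wscript.exe"),
    Event("ws-03", "process", "winword.exe", parent="explorer.exe"),
    Event("ws-03", "network", "Telegram.exe", dest="api.telegram.org"),
]

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS):
        print(host, finding)
```

Hosts with more than one finding (here ws-01 and ws-02) match more than one stage of the described chain and merit triage first.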
Group-IB’s analysis highlighted the use of artificial intelligence (AI) in the development of CHAR, evidenced by unique debug strings. This aligns with previous findings from Google indicating MuddyWater’s experimentation with generative AI to craft custom malware solutions.
Implications and Future Outlook
MuddyWater’s campaign underscores the persistent threat the group poses in the META region (Middle East, Turkey and Africa), and within MENA in particular. Their integration of AI in malware development and exploitation of new vulnerabilities marks a significant evolution in their tactics. As they continue to enhance their capabilities and infrastructure, organizations in the region must bolster their cybersecurity measures to defend against these advanced threats.
