
MuddyWater's Operation Olalampo Targets MENA with New Malware

Eng. Donya Bino · Published · 3 min read

Since late January 2026, the Iranian APT group MuddyWater (aka Earth Vetala, Mango Sandstorm and MUDDYCOAST) has been running a new campaign, Operation Olalampo, that targets both organisations and individual users, primarily in the Middle East and North Africa (MENA) region.

According to Group-IB's research, the group continues to rely on its established initial-access technique, spear-phishing emails carrying malicious Microsoft Office files (usually Excel spreadsheets), but this time it is deploying new tooling.

Malware families involved in the new operation include:
1. GhostFetch: the initial-stage downloader. It profiles the target system by tracking mouse movement, recording screen resolution and running checks for a virtual machine, an attached debugger and installed antivirus software. Once profiling is complete, it downloads further malware and executes it in memory.

2. GhostBackDoor: the second-stage implant deployed by GhostFetch. It gives the attacker an interactive shell on the target system, reads and writes files, and can re-execute GhostFetch to deliver additional payloads.

3. HTTP_VIP: a native downloader that performs reconnaissance, authenticates to its C2 (codefusiontech[.]org), deploys the legitimate AnyDesk remote-access tool and, in newer variants, supports an interactive shell, file transfer, clipboard capture and beacon-interval updates.

4. CHAR: a Rust-based backdoor controlled through a Telegram bot (@stager_51_bot, first name "Olalampo"). It executes cmd.exe and PowerShell commands, sets up SOCKS5 reverse proxies, uploads browser data and runs additional executables (sh.exe, gshdoc_release_X64_GUI.exe).

Group-IB identified signs of AI-assisted development in CHAR, including emoji-laden debug strings, consistent with Google's earlier observations of MuddyWater experimenting with generative AI to accelerate the creation of custom malware capabilities such as file transfer and remote execution.

CHAR shares structural and development similarities with BlackBeard (aka Archer RAT, RUSTRIC), another Rust-based implant previously attributed to MuddyWater in the Middle East.

Infection Patterns
1. Phishing email with macro-enabled Office document (Excel most common).
2. When the victim enables macros, a downloader (GhostFetch or HTTP_VIP) is dropped onto the system.
3. The downloader inventories the system and retrieves the second-stage payload (GhostBackDoor, AnyDesk or CHAR).
4. The final backdoor establishes persistence and C2 over HTTPS or Telegram, and enables post-exploitation activity (interactive shell, file operations, SOCKS5 proxying).

Lures used against MENA-based victims include emails posing as energy and marine-services companies, fake flight-ticket vouchers and bogus reports.

Broader Context
This activity indicates that MuddyWater continues to exploit newly disclosed, publicly known vulnerabilities in public-facing servers for initial access, is diversifying its C2 channels (Telegram bots alongside HTTPS), and is using AI to accelerate the creation of new tooling. The group remains an active espionage and data-theft threat across the META region (Middle East, Turkey and Africa).

Defensive Recommendations
1. Disable macros in Office documents received from untrusted sources via Group Policy and Protected View.
2. Monitor for suspicious macro-enabled attachments and PowerShell execution from Office applications.
3. Hunt for indicators of GhostFetch/HTTP_VIP (system profiling behavior, AnyDesk deployment from unusual sources).
4. Detect Telegram bot traffic or unusual HTTPS C2 patterns.
5. Patch public-facing servers aggressively and restrict internet exposure.
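A small Python hunt over constructed process-creation events, added here as an example (not Group-IB's or the original article's tooling) for recommendations 2 and 3: Office applications spawning a shell, and AnyDesk running from outside its normal install directories. The event field names, trusted AnyDesk paths and sample records are assumptions.

```python
"""Toy hunt over process-creation events for two behaviours named in the
recommendations: Office apps spawning PowerShell/cmd, and AnyDesk executing
from a user-writable location instead of its usual install directories.
Event schema and sample data are constructed for this example."""
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Assumed "normal" AnyDesk install locations (lower-cased for comparison).
ANYDESK_TRUSTED_DIRS = ("c:\\program files (x86)\\anydesk\\", "c:\\program files\\anydesk\\")


@dataclass
class ProcEvent:
    parent: str   # full path of the parent image
    image: str    # full path of the created process
    cmdline: str  # command line (kept for analyst context)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return finding labels for one event; empty list means nothing flagged."""
    findings = []
    parent, image = _basename(ev.parent), _basename(ev.image)
    if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
        findings.append("office_spawned_shell")       # recommendation 2
    if image == "anydesk.exe" and not ev.image.lower().startswith(ANYDESK_TRUSTED_DIRS):
        findings.append("anydesk_untrusted_path")     # recommendation 3
    return findings


def hunt(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Run classify() over a batch and return (image basename, finding) pairs."""
    return [(_basename(ev.image), f) for ev in events for f in classify(ev)]


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -w hidden"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\user\AppData\Local\Temp\AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "--service"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for image, finding in hunt(SAMPLE_EVENTS):
        print(f"{finding}: {image}")
```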

Source: The Hacker News


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067