Operation Olalampo Attack Campaign
The Iranian state-aligned threat group MuddyWater, also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST, has launched a new cyber campaign dubbed Operation Olalampo. The operation has primarily targeted organizations and individuals across the Middle East and North Africa (MENA) region.
First detected on January 26, 2026, the campaign introduces multiple new malware families while reusing components previously associated with the group. Security researchers report that the activity reflects a continuation of MuddyWater's established operational patterns, reinforcing its persistent presence across the META region (Middle East, Turkey, and Africa).
Infection Vectors and Attack Chains
The campaign follows a familiar intrusion methodology consistent with earlier MuddyWater operations. Initial access typically begins with spear-phishing emails containing malicious Microsoft Office attachments. These documents embed macro code designed to decode and execute payloads on the victim's system, ultimately granting remote control to the attackers.
Several attack variations have been observed:
- A malicious Microsoft Excel document prompts victims to enable macros, triggering the deployment of the Rust-based backdoor CHAR.
- A related variant delivers the GhostFetch downloader, which subsequently installs the GhostBackDoor implant.
- A third infection chain uses themed lures such as flight tickets or operational reports, rather than impersonating a Middle Eastern energy and marine services company, to distribute the HTTP_VIP downloader. This variant ultimately installs the AnyDesk remote desktop application for persistent access.
Additionally, the group has been observed exploiting newly disclosed vulnerabilities in internet-facing servers to gain initial access to targeted environments.
Malware Arsenal: Custom Tooling and Modular Implants
Operation Olalampo relies on a structured, multi-stage malware ecosystem designed for reconnaissance, persistence, and remote control. The primary tools identified in this campaign include:
GhostFetch – A first-stage downloader that profiles compromised systems by validating mouse movement and screen resolution, detecting debugging tools, identifying virtual machine artifacts, and checking for antivirus software. It retrieves and executes secondary payloads directly in memory.
GhostBackDoor – A second-stage implant delivered by GhostFetch. It enables interactive shell access, file read/write operations, and can re-initiate GhostFetch.
HTTP_VIP – A native downloader that performs system reconnaissance and connects to the external domain "codefusiontech(dot)org" for authentication. It deploys AnyDesk from a command-and-control (C2) server. A newer version enhances functionality with victim data collection, interactive shell execution, file transfers, clipboard capture, and configurable beaconing intervals.
CHAR – A Rust-based backdoor controlled through a Telegram bot identified as 'Olalampo' (username: stager_51_bot). It supports directory navigation and execution of cmd.exe or PowerShell commands.
The PowerShell functionality associated with CHAR enables execution of a SOCKS5 reverse proxy or an additional backdoor named Kalim. It also facilitates browser data exfiltration and launches executables labeled 'sh.exe' and 'gshdoc_release_X64_GUI.exe'.
AI-Assisted Development and Code Overlap
Technical analysis of CHAR's source code revealed indicators of artificial intelligence-assisted development. The presence of emojis within debug strings aligns with prior findings disclosed by Google, which reported that MuddyWater has been experimenting with generative AI tools to enhance malware development, particularly for file transfer and remote execution capabilities.
Further analysis shows structural and environmental similarities between CHAR and the Rust-based malware BlackBeard, also known as Archer RAT or RUSTRIC, previously deployed by the group against Middle Eastern entities. These overlaps suggest shared development pipelines and iterative refinement of tooling.
Expanding Capabilities and Strategic Intent
MuddyWater remains a persistent and evolving threat actor within the META region. The integration of AI-assisted development, continued refinement of bespoke malware, exploitation of public-facing vulnerabilities, and the diversification of C2 infrastructure collectively demonstrate a long-term commitment to operational expansion.
Operation Olalampo underscores the group's sustained focus on MENA-based targets and highlights the increasing sophistication of its intrusion capabilities. Organizations operating in the region should maintain heightened vigilance, enforce macro restrictions, monitor outbound C2 communications, and prioritize timely vulnerability remediation to reduce their exposure to this evolving threat.
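The report's recommendation to monitor outbound C2 traffic can be turned into a simple hunt over web-proxy logs using the network indicators it names: the HTTP_VIP authentication domain (defanged above as codefusiontech(dot)org), Telegram Bot API traffic of the kind CHAR uses for command and control, and AnyDesk connections from hosts where remote-support tooling is not expected. The script below is an added example written for this page, not tooling from the researchers who published the report. The log lines, the log format, the allow-list of hosts permitted to run AnyDesk, and the AnyDesk relay hostnames are all constructed for illustration; the Telegram Bot API path pattern (`/bot<token>/<method>`) is the service's documented URL form.

```python
"""
Hunt over web-proxy log lines for the network indicators named in the report:
  - the HTTP_VIP authentication domain,
  - Telegram Bot API requests (CHAR's C2 channel),
  - AnyDesk traffic from hosts that are not approved to run it.
All sample data here is constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Indicator from the report (written there in defanged form as codefusiontech(dot)org).
HTTP_VIP_DOMAIN = "codefusiontech.org"

# Assumption: only these source IPs are allowed to use AnyDesk (e.g. helpdesk workstations).
ANYDESK_ALLOWED_HOSTS = {"10.0.5.20"}

# Telegram Bot API requests take the form https://api.telegram.org/bot<token>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot[^/]+/", re.IGNORECASE)

# Constructed proxy log: "<timestamp> <src_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2026-01-27T08:01:12Z 10.0.5.20 GET https://relay-3.net.anydesk.com/ 200
2026-01-27T08:02:45Z 10.0.7.31 POST https://codefusiontech.org/auth 200
2026-01-27T08:03:10Z 10.0.7.31 GET https://api.telegram.org/botSAMPLETOKEN/getUpdates 200
2026-01-27T08:04:00Z 10.0.7.31 GET https://relay-1.net.anydesk.com/ 200
2026-01-27T08:05:30Z 10.0.9.14 GET https://www.example.com/index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url, "status": int(status)}


def classify(entry):
    """Return the list of finding labels that apply to one parsed log entry."""
    url = urlparse(entry["url"])
    host = (url.hostname or "").lower()
    findings = []
    # Exact match or subdomain of the HTTP_VIP authentication domain.
    if host == HTTP_VIP_DOMAIN or host.endswith("." + HTTP_VIP_DOMAIN):
        findings.append("http_vip_domain")
    # Bot API traffic is unusual for most workstations and matches CHAR's C2 channel.
    if host == "api.telegram.org" and TELEGRAM_BOT_RE.match(url.path):
        findings.append("telegram_bot_api")
    # AnyDesk is legitimate on approved hosts; elsewhere it is the HTTP_VIP end state.
    if host == "anydesk.com" or host.endswith(".anydesk.com"):
        if entry["src"] not in ANYDESK_ALLOWED_HOSTS:
            findings.append("anydesk_unexpected_host")
    return findings


def hunt(log_text):
    """Map each source IP with at least one finding to its sorted list of labels."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for label in classify(entry):
            hits.setdefault(entry["src"], set()).add(label)
    return {src: sorted(labels) for src, labels in hits.items()}


if __name__ == "__main__":
    for src, labels in hunt(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(labels)}")
```

Grouping findings by source host matters more than any single label: one workstation that authenticates to the HTTP_VIP domain, polls a Telegram bot, and then starts AnyDesk traffic reproduces the infection chain the report describes, whereas a lone AnyDesk connection from a helpdesk machine is expected and stays silent because of the allow-list.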