MuddyWater’s Operation Olalampo: GhostFetch, CHAR and HTTP_VIP Expand Iranian Cyber Espionage in MENA
- Javier Conejo del Cerro
- 2 days ago
- 3 min read

The Iranian state-aligned APT group MuddyWater (also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has launched a new campaign dubbed Operation Olalampo, first observed on January 26, 2026, targeting organizations and individuals across the Middle East and North Africa (MENA).
The campaign introduces updated and newly observed malware families — GhostFetch, GhostBackDoor, HTTP_VIP, and a Rust-based backdoor named CHAR — reinforcing MuddyWater’s long-standing espionage tradecraft. The activity reflects operational continuity, evolving tooling, diversified command-and-control (C2) infrastructure, and signs of AI-assisted malware development.
Phase 1: Initial Access – Phishing & Public-Facing Exploits
The attack chains begin primarily with phishing emails delivering malicious Microsoft Office documents.
Victims are prompted to enable macros, triggering embedded malicious code that:
- Decodes and drops payloads
- Executes malware on the system
- Establishes remote access
In parallel, MuddyWater has also been observed exploiting recently disclosed vulnerabilities on public-facing servers to gain initial access — maintaining flexibility between social engineering and opportunistic exploitation.
The phishing lures vary. Observed themes include:
- Flight tickets
- Corporate reports
- Energy and marine services company impersonation
These contextualized lures are consistent with MuddyWater’s history of regionally tailored spear-phishing.
Phase 2: First-Stage Downloaders – GhostFetch & HTTP_VIP
Once execution is triggered, the infection chain branches into distinct tooling paths.
GhostFetch
GhostFetch acts as a first-stage downloader and performs:
- System profiling
- Mouse movement validation
- Screen resolution checks
- Anti-debugger and anti-VM checks
- Antivirus detection
It retrieves and executes secondary payloads directly in memory, reducing disk artifacts and forensic visibility.
GhostFetch ultimately drops GhostBackDoor, escalating persistence and remote access.
HTTP_VIP
HTTP_VIP is another downloader variant that:
- Performs system reconnaissance
- Authenticates to external infrastructure (e.g., codefusiontech[.]org)
- Deploys AnyDesk from attacker-controlled C2 servers
Newer variants extend capabilities to:
- Retrieve victim information
- Launch interactive shells
- Upload/download files
- Capture clipboard contents
- Modify sleep/beacon intervals
This flexibility reflects adaptive command structures rather than static implants.
Phase 3: Persistent Access – GhostBackDoor & CHAR
GhostBackDoor
Delivered by GhostFetch, GhostBackDoor provides:
- Interactive shell access
- File read/write operations
- Capability to re-execute GhostFetch
This layered approach ensures operational redundancy.
CHAR – The Rust Backdoor
CHAR represents a more advanced component in the toolset.
It is:
- Written in Rust
- Controlled via a Telegram bot (stager_51_bot, first name: “Olalampo”)
- Capable of executing cmd.exe or PowerShell commands
- Able to change directories and run arbitrary shell instructions
The PowerShell commands can:
- Deploy a SOCKS5 reverse proxy
- Launch an additional backdoor named Kalim
- Exfiltrate browser-stored data
- Execute unknown binaries such as sh.exe and gshdoc_release_X64_GUI.exe
Notably, Group-IB identified AI-assisted development indicators within CHAR’s source code, including emoji debug strings — aligning with prior disclosures that MuddyWater has experimented with generative AI tools to accelerate malware development.
CHAR also shares structural similarities with another Rust implant previously attributed to the group: BlackBeard (Archer RAT / RUSTRIC).
Phase 4: Command & Control and Operational Discipline
The campaign uses diversified C2 infrastructure and multiple communication paths:
- HTTP-based infrastructure
- Telegram bot control
- Memory-resident execution
- SOCKS5 proxy pivoting
The use of AnyDesk brings abuse of legitimate remote monitoring and management (RMM) software into the kill chain — blending malicious control with authorized-looking activity.
MuddyWater’s approach emphasizes:
- Redundancy in tooling
- Memory-based payload delivery
- Multi-stage loaders
- Flexible remote control
- Infrastructure recycling
This reflects a mature espionage operation focused on persistence and long-term intelligence collection rather than smash-and-grab monetization.
Victim Profile
The operation primarily targets:
- Organizations across MENA
- Government-linked entities
- Corporate and strategic regional sectors
- Individuals of intelligence value
The targeting aligns with MuddyWater’s historical footprint in META (Middle East, Turkey, Africa), reinforcing its strategic geopolitical focus.
Measures to Fend Off Operation Olalampo
To mitigate MuddyWater-style campaigns:
- Disable Microsoft Office macros by default
- Harden email gateways against malicious attachments
- Monitor suspicious AnyDesk deployment or remote session abuse
- Detect Rust-based implants and anomalous PowerShell execution
- Inspect outbound connections to unknown infrastructure
- Monitor Telegram-based C2 traffic patterns
- Detect memory-resident payload execution
- Patch public-facing servers promptly
- Monitor SOCKS5 reverse proxy behavior
- Deploy behavioral EDR capable of detecting macro-to-loader chains
Proactive telemetry and anomaly detection remain essential against modular APT tooling.
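As an added example that is not part of the original article and not Group-IB's or the vendor's tooling, the following Python script turns several of the recommendations above into concrete checks over constructed Sysmon-style events: Office applications spawning script hosts (the macro-to-loader chain), encoded or in-memory PowerShell command lines, AnyDesk launched from user-writable paths, non-browser processes reaching Telegram API hosts, and connections to the one domain the article names. Event field names, rule names, path patterns and the sample events are assumptions; codefusiontech[.]org is the only indicator taken from the article.

```python
import fnmatch
from dataclasses import dataclass

# Parent processes that should rarely spawn script hosts (macro-to-loader chain).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe"}
# Processes for which a connection to Telegram API endpoints is expected.
TELEGRAM_EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
# The only network indicator named in the article (defanged there as codefusiontech[.]org).
KNOWN_BAD_DOMAINS = {"codefusiontech.org"}
# User-writable locations from which an RMM binary like AnyDesk should not normally run
# (assumed path patterns, matched case-insensitively after lowercasing the image path).
USER_WRITABLE = ("c:\\users\\*\\appdata\\*", "c:\\users\\public\\*",
                 "c:\\windows\\temp\\*", "c:\\programdata\\*")
# Command-line fragments typical of encoded or in-memory PowerShell loaders.
PS_SUSPICIOUS = ("-enc", "-encodedcommand", "frombase64string", "invoke-expression",
                 "iex ", "downloadstring", "invoke-webrequest")


@dataclass
class Event:
    """Minimal Sysmon-like event: kind is 'process' (ID 1) or 'network' (ID 3)."""
    kind: str
    image: str
    parent: str = ""
    cmdline: str = ""
    dest_host: str = ""
    dest_port: int = 0


@dataclass
class Alert:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lowercased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Event) -> list:
    alerts = []
    img, parent, cl = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
    if parent in OFFICE_PARENTS and img in SCRIPT_CHILDREN:
        alerts.append(Alert("office_spawns_script_host", f"{parent} -> {img}: {ev.cmdline}"))
    if img in {"powershell.exe", "pwsh.exe"} and any(f in cl for f in PS_SUSPICIOUS):
        alerts.append(Alert("suspicious_powershell_cmdline", ev.cmdline))
    if img == "anydesk.exe" and any(fnmatch.fnmatchcase(ev.image.lower(), p) for p in USER_WRITABLE):
        alerts.append(Alert("anydesk_from_user_writable_path", ev.image))
    return alerts


def check_network(ev: Event) -> list:
    alerts = []
    img, host = basename(ev.image), ev.dest_host.lower().rstrip(".")
    if (host == "telegram.org" or host.endswith(".telegram.org")) and img not in TELEGRAM_EXPECTED:
        alerts.append(Alert("non_browser_telegram_api", f"{img} -> {host}:{ev.dest_port}"))
    if host in KNOWN_BAD_DOMAINS or any(host.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
        alerts.append(Alert("known_c2_domain", f"{img} -> {host}:{ev.dest_port}"))
    return alerts


def triage(events) -> list:
    """Run every event through the matching rule set and collect alerts in order."""
    out = []
    for ev in events:
        out.extend(check_process(ev) if ev.kind == "process" else check_network(ev))
    return out


# Constructed sample telemetry (not real campaign data).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          cmdline="powershell.exe -nop -w hidden -enc <constructed-base64-placeholder>"),
    Event("process", r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="AnyDesk.exe --silent"),
    Event("process", r"C:\Windows\System32\notepad.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="notepad.exe"),
    Event("network", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          dest_host="api.telegram.org", dest_port=443),
    Event("network", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest_host="api.telegram.org", dest_port=443),
    Event("network", r"C:\Windows\System32\rundll32.exe",
          dest_host="codefusiontech.org", dest_port=443),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The rules are deliberately simple and each maps to one bullet above; in a real deployment they would be fed from an EDR or Sysmon pipeline and tuned per environment (for instance, an organization that legitimately uses AnyDesk would allow-list its installed path rather than the user-writable ones flagged here). The Telegram rule keys on destination host rather than port because the article describes bot-based control over the public Telegram API, which looks like ordinary HTTPS on the wire.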
Operation Olalampo demonstrates that MuddyWater remains an active and evolving threat actor within the MENA region.
The campaign does not rely on novel zero-days. Instead, it showcases:
- Mature multi-stage infection chains
- Adaptive downloader frameworks
- Rust-based backdoors
- Telegram-controlled implants
- AI-assisted development experimentation
- Diversified C2 infrastructure
This is not opportunistic cybercrime.
It is sustained geopolitical cyber espionage.
The continued blending of traditional phishing tradecraft with modern tooling, Rust implants, and generative AI experimentation signals an actor committed to long-term operational resilience.
MuddyWater is not reinventing the playbook.
It is refining it.
The Hacker News