Full Report
The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted several organizations and individuals mainly located across the Middle East and North Africa (MENA) region as part of a new campaign codenamed Operation Olalampo. The activity, first observed on January 26, 2026, has resulted in the deployment of new malware families that share
Analysis Summary
# Threat Actor: MuddyWater
## Attribution & Identity
**Attribution:** Iranian hacking group.
**Aliases:** Earth Vetala, Mango Sandstorm, MUDDYCOAST.
**Known Associations:** Shares development characteristics (Rust-based malware structure) with the malware BlackBeard (aka Archer RAT and RUSTRIC).
## Activity Summary
MuddyWater is currently engaged in **Operation Olalampo**, a new campaign first observed on January 26, 2026. The operation deploys newly developed malware families that overlap with tools the actor has used before. The attacks follow the established MuddyWater kill chain: a phishing email carries a Microsoft Office document that lures the recipient into enabling macros, and the macro executes an embedded payload that gives the operators remote control.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails delivering Microsoft Office documents containing malicious macro code. Also observed exploiting recently disclosed vulnerabilities on public-facing servers.
- **Execution:** Malicious macros decode the embedded payload and execute it.
- **Defense Evasion/System Profiling (GhostFetch):** GhostFetch profiles the host and runs anti-analysis checks before fetching its next stage: it looks for mouse movement and a plausible screen resolution, attached debuggers, virtual machine artifacts, and installed antivirus software.
- **Persistence/C2:** Utilizing a Rust backdoor (CHAR) controlled via a Telegram bot.
- **T1059 (Command and Scripting Interpreter):** CHAR executes `cmd.exe` or PowerShell commands, including running a SOCKS5 reverse proxy and launching executables of unknown function (`sh.exe` and `gshdoc_release_X64_GUI.exe`).
- **Data Staging (CHAR):** Uploading data stolen from web browsers.
- **Development Trend:** Evidence in CHAR's source code suggests the use of Artificial Intelligence (AI)-assisted development (e.g., emojis in debug strings).
## Targeting
- **Sectors:** Not detailed; the reporting names organizations and individuals rather than sectors, with corporate targets implied by the lure themes.
- **Geography:** Primarily organizations located across the Middle East and North Africa (MENA) region.
- **Victims:** Several organizations and individuals in the MENA region targeted during Operation Olalampo.
## Tools & Infrastructure
- **Malware Families Used:**
* **GhostFetch:** First-stage downloader that executes secondary payloads directly in memory after system profiling.
* **GhostBackDoor:** Second-stage backdoor dropped by GhostFetch; supports interactive shell, file read/write, and re-running GhostFetch.
* **HTTP_VIP:** Native downloader that authenticates to its server and deploys AnyDesk. A new variant adds victim information collection, an interactive shell, file transfer, clipboard capture, and adjustable beaconing intervals.
* **CHAR:** A Rust backdoor controlled through a Telegram bot named "Olalampo" (username `stager_51_bot`).
* **AnyDesk:** Legitimate remote-access tool deployed by HTTP_VIP for remote control.
* **Kalim:** Thought to be launched through CHAR's PowerShell commands; described as either a SOCKS5 reverse proxy or a further backdoor.
- **Infrastructure (C2):**
* **codefusiontech[.]org** (used by HTTP_VIP for authentication and for downloading AnyDesk).
* **Telegram Bot:** Used to control the CHAR backdoor.
## Implications
MuddyWater remains a highly active threat actor focused on the Middle East and North Africa (MENA) region. Its continued adoption of modern development practices, including the apparent use of AI-assisted tooling to write malware (as seen in CHAR), suggests a growing capacity to produce custom, adaptable tools, and therefore an evolving threat to regional targets.
## Mitigations
- Detect and block malicious macros in Microsoft Office documents, and block macros in documents received from outside the organization wherever business processes allow.
- Alert on, or block, `cmd.exe` and PowerShell processes spawned by Office applications; that parent-child relationship is how the macro stage hands off to its payload.
- Monitor outbound network traffic for connections to known attacker infrastructure (e.g., codefusiontech[.]org), including subdomains of listed hosts.
- Keep public-facing servers patched to counter the exploitation-based initial access this actor also uses.
- Treat connections to the Telegram Bot API from hosts or processes with no business need for Telegram as suspicious, since CHAR is tasked through a Telegram bot.
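The three detection-oriented mitigations above (Office applications spawning interpreters, traffic to the listed C2 domain, and Telegram bot traffic from unexpected processes) can be expressed as simple rules over endpoint telemetry. The following script is an added example written for this page; it is not code from the report, from Trend Micro, or from the actor. The events are constructed inline, the field names imitate Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) but are an assumption, and the Telegram Bot API host `api.telegram.org` is also an assumption, since the page does not name the endpoint CHAR uses.

```python
"""Detection sketch for the Operation Olalampo tradecraft described on this page.

Added example: not code from the page, Trend Micro, or the actor. Events are
constructed inline; field names imitate Sysmon Event ID 1 (process create)
and Event ID 3 (network connection) but are an assumption, as is the
Telegram Bot API host, which the page does not name.
"""
from dataclasses import dataclass

# Indicator taken from the page, kept defanged exactly as the page prints it.
KNOWN_C2_DOMAINS_DEFANGED = {"codefusiontech[.]org"}

# Assumption: a Telegram-bot-controlled implant such as CHAR must reach the Bot API.
TELEGRAM_BOT_API_HOST = "api.telegram.org"

# Office applications that should not be launching script interpreters (macro abuse).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Processes for which a Telegram API connection is expected (site-specific tuning list, assumption).
TELEGRAM_ALLOWED_IMAGES = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    computer: str
    detail: str


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]org') back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match, so 'www.example.org' hits an 'example.org' IOC."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_process(ev: dict) -> list:
    """Office parent -> interpreter child is the macro-to-payload hand-off."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent in OFFICE_PARENTS and child in INTERPRETERS:
        return [Alert("office_spawns_interpreter", ev["Computer"],
                      f"{parent} -> {child}: {ev['CommandLine']}")]
    return []


def check_network(ev: dict) -> list:
    """Known C2 domain, or Telegram Bot API reached by a process that has no business there."""
    alerts = []
    host, image = ev["DestinationHostname"], basename(ev["Image"])
    for ioc in map(refang, KNOWN_C2_DOMAINS_DEFANGED):
        if host_matches(host, ioc):
            alerts.append(Alert("known_c2_domain", ev["Computer"], f"{image} -> {host}"))
    if host_matches(host, TELEGRAM_BOT_API_HOST) and image not in TELEGRAM_ALLOWED_IMAGES:
        alerts.append(Alert("telegram_bot_api_from_unexpected_process", ev["Computer"],
                            f"{image} -> {host}"))
    return alerts


def scan(events) -> list:
    """Run every rule over a stream of event dicts and return the alerts in order."""
    alerts = []
    for ev in events:
        if ev["EventType"] == "process":
            alerts.extend(check_process(ev))
        elif ev["EventType"] == "network":
            alerts.extend(check_network(ev))
    return alerts


# Constructed sample telemetry for this example; not real victim data.
SAMPLE_EVENTS = [
    {"EventType": "process", "Computer": "WS01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -File stage.ps1"},
    {"EventType": "process", "Computer": "WS01",                       # benign: user shell
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventType": "network", "Computer": "WS01",
     "Image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "DestinationHostname": "codefusiontech.org", "DestinationPort": 443},
    {"EventType": "network", "Computer": "WS02",
     "Image": r"C:\Users\u\AppData\Roaming\update.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventType": "network", "Computer": "WS03",                       # benign: browser
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventType": "network", "Computer": "WS01",                       # subdomain of the IOC
     "Image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "DestinationHostname": "www.codefusiontech.org", "DestinationPort": 443},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.computer}: {a.detail}")
```

The Telegram rule is deliberately process-aware rather than domain-only: blocking `api.telegram.org` outright is rarely acceptable, but a binary in a user-writable directory reaching it is worth a look. The subdomain match on the C2 indicator matters because the page lists the apex domain while the beaconing host may be a subdomain of it.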