Threats Feed

Operation Olalampo is a new cyber campaign by the Iranian threat group MuddyWater, targeting organizations primarily across the MENA region. Aligning with ongoing geopolitical tensions, the attacks focus on energy and marine services, system integrators, and specific individuals of interest. The adversary gains initial access by exploiting vulnerabilities on public-facing servers and distributing macro-enabled phishing documents. This campaign introduces four novel malware variants: GhostFetch, HTTP_VIP, GhostBackDoor, and a Rust-based backdoor named CHAR. Notably, CHAR leverages a Telegram bot for command-and-control and exhibits evidence of AI-assisted development. Post-exploitation activities include local reconnaissance, credential theft, and the deployment of legitimate tools like AnyDesk. Infrastructure analysis also reveals overlap with MuddyWater’s historical operations from late 2025.

The RedKitten campaign, observed in early 2026, targets Iranian interests, specifically NGOs and individuals documenting human rights abuses during the "Dey 1404" protests. Assessing the actor as Iranian state-aligned, researchers identified "SloppyMIO," a modular .NET implant likely developed with AI assistance. The attack chain utilizes spearphishing with "shock lures" regarding execution lists to deliver malware via AppDomainManager injection. The threat actor leverages legitimate infrastructure, using GitHub as a Dead Drop Resolver for steganographic configuration, Google Drive for payload hosting, and Telegram for command and control. This campaign highlights the growing use of LLMs in rapid malware development and the exploitation of civil unrest for targeted surveillance in Iran.

APT42 utilizes TAMECAT, a modular PowerShell-based backdoor, to target high-value senior defense and government officials. Israel’s National Digital Agency reports that the group employs social engineering to gain initial access. The infection chain begins with a VBScript that profiles antivirus software via WMI to determine whether to deploy PowerShell or Command Shell downloaders. TAMECAT features sophisticated capabilities, including screen capture, Chrome data collection, and Microsoft Edge remote debugging. It leverages legitimate services like Telegram and Discord for Command and Control (C2). Data is encrypted via AES and exfiltrated to domains such as glitch[.]me, demonstrating APT42's focus on stealth and persistent espionage operations.

The report analyzes the evolution of RustyStealer (also referenced as RustyWater or Archer RAT), a Rust-based post-compromise implant observed in MuddyWater-attributed activity. By correlating build artefacts, compiler metadata, dependency drift, TLSH similarity, and API-level changes, the analysis reconstructs a development timeline from early baseline builds to a more mature v2.0 architecture. Rather than linear feature growth, the samples reveal experimentation, rollback, and consolidation. A short-lived asynchronous I/O refactor was abandoned in favor of improved stability, while later versions emphasize stealth through native NT API usage, runtime string obfuscation, and restored host fingerprinting.