HTTP_VIP Malware Profile: System Reconnaissance and RMM Payload Delivery
- Actor Motivations: Espionage
- Attack Vectors: Downloader
- Attack Complexity: Medium
- Threat Risk: Unknown
Threat Overview
HTTP_VIP is a downloader malware attributed to the Iranian state-aligned threat actor MuddyWater. Analyzed during the early-2026 campaign dubbed "Operation Olalampo," this tool functions primarily to establish a foothold on compromised systems. It performs system reconnaissance and applies virtualization and sandbox checks so that it does not reveal its behaviour inside automated analysis environments. Once it decides it is running on a real victim host, HTTP_VIP connects to its command and control infrastructure to retrieve secondary payloads. Notably, the threat actors use this downloader to deploy legitimate remote monitoring and management (RMM) software, specifically AnyDesk. Deploying AnyDesk gives the operators persistent remote access to the victim environment while blending their activity in with ordinary administrative tooling, which is why detection has to look at how and where the RMM client was installed rather than at the binary alone.
Extracted IOCs
- 9a32c4f77c2425e5f2dbe72cfd67de39497690d7 (SHA-1)
- 1b9e6fe4b03285b2e768c57e320d84323ac9167598395918d56a12e568b0009a (SHA-256)
- 72fbba0fd729e058e82844089c10ec4eb46644b4e972549bb6fbf80cc82fa3e3 (SHA-256)
- 2000f583ae2b9e2f86dc008742d5a608109b7ed74bc475a61cf53fc0f2ea6aadc90e59fe43ea4b0bb8df970c1895602bf985da1965a8b057865ed40c6a9a1424 (SHA-512)
- fc2fc100d3c2899582d0698248638d8386af0b79b7ff61b132bdd0fe922965e90677a77efedea797fe23071a5e07bb9663f7ecb008cb5ef640a6acd20d37a090 (SHA-512)
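The five indicators above are file hashes of three different lengths, so a scanner has to pick the right algorithm per indicator rather than assume SHA-256 everywhere. The following is an added example (not code from the original profile or from any vendor tool) that groups the IOCs by digest length, hashes files in a streaming fashion once per algorithm actually needed, and reports matches. The only assumption is the length-to-algorithm mapping (40 hex characters = SHA-1, 64 = SHA-256, 128 = SHA-512); the hash values themselves are copied from the list above.

```python
import hashlib
from pathlib import Path

# File-hash IOCs copied from the HTTP_VIP profile above.
HTTP_VIP_HASHES = {
    "9a32c4f77c2425e5f2dbe72cfd67de39497690d7",
    "1b9e6fe4b03285b2e768c57e320d84323ac9167598395918d56a12e568b0009a",
    "72fbba0fd729e058e82844089c10ec4eb46644b4e972549bb6fbf80cc82fa3e3",
    "2000f583ae2b9e2f86dc008742d5a608109b7ed74bc475a61cf53fc0f2ea6aadc90e59fe43ea4b0bb8df970c1895602bf985da1965a8b057865ed40c6a9a1424",
    "fc2fc100d3c2899582d0698248638d8386af0b79b7ff61b132bdd0fe922965e90677a77efedea797fe23071a5e07bb9663f7ecb008cb5ef640a6acd20d37a090",
}

# Assumption: digest algorithm is inferred from hex length (no other metadata on the page).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_DIGITS = set("0123456789abcdef")


def classify_hash(h):
    """Return the hashlib algorithm name implied by the digest length, or raise."""
    h = h.strip().lower()
    if not h or any(c not in HEX_DIGITS for c in h):
        raise ValueError("not a hex digest: %r" % h)
    if len(h) not in ALGO_BY_HEX_LEN:
        raise ValueError("unsupported digest length %d" % len(h))
    return ALGO_BY_HEX_LEN[len(h)]


def build_watchlist(hashes):
    """Group IOC hashes by algorithm: {"sha1": {...}, "sha256": {...}, ...}."""
    watchlist = {}
    for h in hashes:
        watchlist.setdefault(classify_hash(h), set()).add(h.strip().lower())
    return watchlist


def digest_stream(fobj, algos, chunk_size=1 << 20):
    """Hash a file object once, feeding every required algorithm per chunk."""
    hashers = {a: hashlib.new(a) for a in algos}
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        for hasher in hashers.values():
            hasher.update(chunk)
    return {a: hasher.hexdigest() for a, hasher in hashers.items()}


def digest_bytes(data, algos):
    """Convenience wrapper for in-memory data (used by the tests and small samples)."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def match_bytes(data, watchlist):
    """Return [(algo, digest)] for every watchlist entry the data matches."""
    digests = digest_bytes(data, watchlist.keys())
    return [(a, d) for a, d in digests.items() if d in watchlist[a]]


def scan_directory(root, watchlist):
    """Walk a directory tree and yield (path, algo, digest) for every IOC hit."""
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fobj:
            digests = digest_stream(fobj, watchlist.keys())
        for algo, digest in digests.items():
            if digest in watchlist[algo]:
                yield str(path), algo, digest


if __name__ == "__main__":
    import sys
    wl = build_watchlist(HTTP_VIP_HASHES)
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".", wl):
        print("IOC match: %s %s=%s" % hit)
```

Run it as `python scan.py /path/to/triage` on a mounted image or collection directory. Hashing every algorithm in one pass matters on large evidence sets: three separate passes over a multi-gigabyte collection is the usual reason hash sweeps are abandoned half-way.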
FAQs
Operation Olalampo and HTTP_VIP Malware
In early 2026, cybersecurity analysts observed a cyberattack campaign known as Operation Olalampo. This campaign utilizes a piece of malicious software called HTTP_VIP, which secretly downloads other tools onto a victim's computer system.
The attack has been directly linked to a cyber threat group known as MuddyWater. This group is recognized by researchers as an Iranian state-aligned threat actor.
The primary goal of the attack was to establish a foothold on a victim's computer and maintain remote control over it. The initial malware was built to avoid revealing itself inside analysis environments, so that the attackers could install a remote access tool without the download being observed and blocked.
The provided intelligence report does not specify the exact scope, scale, or specific industries targeted during Operation Olalampo. The primary focus of the report is on the tools and methods used to compromise systems.
The attackers infected systems with the HTTP_VIP malware, which first inspected the computer to determine whether it was running inside a virtual machine or sandbox used for security analysis. Once it concluded it was on a genuine victim host, it connected to the attackers' servers and downloaded AnyDesk, a legitimate remote management program, to give the attackers direct access.
Organizations should actively monitor their networks for installation or execution of remote access software such as AnyDesk on hosts where it is not approved, paying particular attention to copies launched from user-writable directories or installed silently by an unexpected parent process. Additionally, because the malware checks for analysis environments before acting, security teams should not rely solely on sandbox detonation and should ensure endpoint telemetry is able to catch the post-evasion behaviour (C2 retrieval and RMM deployment) on real hosts.