Operation Olalampo: MuddyWater Deploys AI-Assisted Malware in MENA Region Attacks
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Vulnerability Exploitation, Backdoor, Downloader, Dropper, Malicious Macro, Malware, Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
Operation Olalampo is a new cyber campaign by the Iranian threat group MuddyWater, targeting organizations primarily across the MENA region. Aligning with ongoing geopolitical tensions, the attacks focus on energy and marine services, system integrators, and specific individuals of interest. The adversary gains initial access by exploiting vulnerabilities on public-facing servers and distributing macro-enabled phishing documents. This campaign introduces four novel malware variants: GhostFetch, HTTP_VIP, GhostBackDoor, and a Rust-based backdoor named CHAR. Notably, CHAR leverages a Telegram bot for command-and-control and exhibits evidence of AI-assisted development. Post-exploitation activities include local reconnaissance, credential theft, and the deployment of legitimate tools like AnyDesk. Infrastructure analysis also reveals overlap with MuddyWater’s historical operations from late 2025.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Information Technology | High |
| Sector | Energy | High |
| Sector | Healthcare | High |
| Region | Middle East Countries | Verified |
Extracted IOCs
- codefusiontech[.]org
- jerusalemsolutions[.]com
- miniquest[.]org
- promoverse[.]org
- 0365daf83e37d2c6daaae6c28b4c8343288ef2f9
- 0588cf26b6e9210f86a266ac0366af1fd29f135c
- 06f3b55f0d66913cd53d2f0e76a5e2d67ff8ed04
- 270dbaedfbeef9333e0780f3c4e74c01392ce381
- 2993b0ab9786ddc29eb9cf1ace4a28c6e34ea4fb
- 2eea39dbe11889e5713cbca020f7ede653bc48ec
- 2f5166086da5a57d7e59a767a54ed6fe9a6db444
- 324918c73b985875d5f974da3471f2a0a4874687
- 3441306816018d08dd03a97ac306fac0200e9152
- 392a36717fa948f7e00d35711e8598108fbe2f72
- 3c47eab6ebe5b48097c0099ff18f2a8bc13c12f7
- 56380a652471962387693f4bcc893fd21f0fc324
- 5c1500296857ed0b0bb7230a1cb17993d25ab69b
- 62ed16701a14ce26314f2436d9532fe606c15407
- 777040bed9d26f5da97e8977c6efc0586beae064
- 7bd04218276fc8f375c0ce3be43a710f6a2b4d09
- 7d3757d5165e2e95b0b89e33316025a4b9301e2d
- 80cea18e19665c5a57e7b9ca0bf36aad06096e93
- 8632b62fa14fd679fa97cfe50e6c25696b846129
- 88cb6169fd7dd21e6d6aa3a8df0a78938e698028
- 8c592d9ab58264e68dfe029ea90f80862c526670
- 92e2f826804d762679b13283102f3560078eb4cb
- 975c763e050d0a9a46f0aafdde66d3e7f0626c5b
- 9ca11fcbd75420bd7a578e8bf6ef855e7bd0fb8e
- 9defffba933fc44f8e3b6e25b31508bc17d29077
- ac982b7b46e085e0bb51cba2edb61bff5910b6a8
- b55e063607e8f56c9b398b289ba04ddca11398fe
- ceb9b7dfb8a36ee8fe223063a6e3f730f2dcefd1
- d0d7d0c816753639b5c577aacf14fd2e994b64b0
- d3fa50a9eba93a7fbc79e7ad0c4889d762718a5f
- d97d21536c061e7a7151a453242d36f3ab196a14
- dc785be0c4430bfc5b507255f892bf30134a02b6
- e21564fd0fc3103c1d18b1e1525a0b40e9077d40
- e3cc95ca6e271ddf04cd88c85051b2cc9ce04e8e
- e79ccc3f6517c911d6c1df79c94e88896f574e64
- ea80deaed00c8b71aa0033b00fe0ef5b63840b99
- efb18cf7cf227037e034c0b525f502e642815f94
- f449b95830c584cef72dfb60fb78ee3d6c69ecb4
- f4e0f4449dc50e33e912403082e093dd8e4bc55d
- f5a129ba4141361ca266950dc4adcb2c548aa949
- f77499a8fc6e615e21bf111a88c658ba3d5f0f81
- f779a3b1dcc0c3aacacf7ebfa4ed57d53af7e26c
- feb4318a90057d92ea5ab6420ed6164dd9605013
- 143[.]198.5.41
- 159[.]198.43.141
- 162[.]0.230.185
- 209[.]74.87.100
- 209[.]74.87.67
Tip: 52 related IOCs (5 IP, 4 domain, 0 URL, 0 email, 43 file hash) to this threat have been found.
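The indicators above are published defanged (`[.]` in place of `.`), so they cannot be pasted straight into a log search. The following Python is an added example, not code from the report or its authors: it refangs a subset of the page's own domains, IPs and one SHA-1, classifies each, and scans a handful of constructed DNS, proxy and EDR log lines, matching on whole tokens so that look-alike hostnames are not flagged while subdomains of a listed domain are.

```python
"""Refang the advisory's IOCs and match them against log lines.

Added example for this page (not the report's own code). The IOC
strings are copied from the list above; the log lines are constructed
for illustration and do not come from any real incident.
"""
import re

# Defanged indicators exactly as they appear on the page.
DEFANGED_IOCS = [
    "codefusiontech[.]org",
    "jerusalemsolutions[.]com",
    "miniquest[.]org",
    "promoverse[.]org",
    "143[.]198.5.41",
    "159[.]198.43.141",
    "162[.]0.230.185",
    "209[.]74.87.100",
    "209[.]74.87.67",
    "0365daf83e37d2c6daaae6c28b4c8343288ef2f9",  # SHA-1 file hash from the page
]

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Candidate tokens in a log line: a 40-hex SHA-1, a dotted IPv4, or a
# hostname. Word boundaries stop '2143.198.5.41' matching '143.198.5.41'.
TOKEN_RE = re.compile(
    r"\b[0-9a-f]{40}\b|\b(?:\d{1,3}\.){3}\d{1,3}\b|[a-z0-9][a-z0-9.\-]*\.[a-z]{2,}"
)


def refang(ioc: str) -> str:
    """Undo common defanging ('[.]', '(.)', 'hxxp') and normalise case."""
    return (
        ioc.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    )


def classify(ioc: str) -> str:
    """Return 'ipv4', 'sha1' or 'domain' for a refanged indicator."""
    if IPV4_RE.match(ioc):
        return "ipv4"
    if SHA1_RE.match(ioc):
        return "sha1"
    return "domain"


def build_index(defanged):
    """Map each refanged IOC to its indicator type."""
    index = {}
    for raw in defanged:
        ioc = refang(raw)
        index[ioc] = classify(ioc)
    return index


def scan_log(lines, index):
    """Return (line_no, ioc, type) for each log line containing a known IOC.

    A hostname token matches a domain IOC exactly or as a subdomain of it;
    IPs and hashes must match exactly. Each IOC is reported once per line.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        seen = set()
        for tok in TOKEN_RE.findall(line.lower()):
            for ioc, kind in index.items():
                if tok == ioc or (kind == "domain" and tok.endswith("." + ioc)):
                    if ioc not in seen:
                        seen.add(ioc)
                        hits.append((n, ioc, kind))
    return hits


# Constructed sample log lines (not real telemetry). Line 5 is a deliberate
# near-miss that must not be flagged.
SAMPLE_LOG = [
    "2025-11-03T09:12:44Z dns query client=10.0.0.23 qname=codefusiontech.org type=A",
    "2025-11-03T09:12:45Z proxy CONNECT 209.74.87.67:443 user=jdoe status=200",
    "2025-11-03T09:13:01Z edr file_written path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe "
    "sha1=0365DAF83E37D2C6DAAAE6C28B4C8343288EF2F9",
    "2025-11-03T09:14:10Z dns query client=10.0.0.23 qname=cdn.promoverse.org type=A",
    "2025-11-03T09:15:00Z dns query client=10.0.0.9 qname=notcodefusiontech.org type=A",
]

if __name__ == "__main__":
    for line_no, ioc, kind in scan_log(SAMPLE_LOG, build_index(DEFANGED_IOCS)):
        print(f"line {line_no}: {kind} IOC {ioc}")
```

Feeding the full hash list through the same index is a matter of extending `DEFANGED_IOCS`; the hash branch will only ever match on exact 40-hex tokens, so it is safe to run over EDR or AV logs that record SHA-1 values in either case.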
FAQs
Operation Olalampo: Frequently Asked Questions
A new cyberattack campaign dubbed "Operation Olalampo" was recently uncovered. Attackers deployed newly developed malicious software to gain unauthorized access to target computer systems and establish remote control.
Cybersecurity researchers attribute this campaign with high confidence to MuddyWater. This is a well-known, advanced Iranian threat actor group with a history of conducting cyber espionage.
The primary goal of the attack appears to be cyber espionage and data theft. The attackers utilized highly evasive tools to silently monitor compromised systems, steal credentials, and maintain long-term, undetected access to the victims' networks.
The campaign is highly targeted rather than a broad, global attack. It is predominantly focused on specific organizations and individuals located within the Middle East and North Africa (MENA) region.
Yes. The attackers specifically tailored their deceptive emails to target energy and marine services companies, their associated contractors, system integrator companies, and specific individuals of interest.
The attackers sent convincing phishing emails containing attached Microsoft Excel or Word documents. When a victim opened the document, hidden scripts automatically ran in the background to download and install malicious software, quietly handing control over to the attackers.
The targeted organizations and individuals hold valuable strategic data, intellectual property, and access to critical infrastructure networks. This targeting closely aligns with ongoing geopolitical tensions in the MENA region.
Organizations should ensure automatic macros are disabled in Microsoft Office and immediately apply security updates to any servers exposed to the internet. Employees should also be trained to scrutinize unexpected emails, especially those containing document attachments related to invoices or flight tickets.
This is a targeted issue. While the techniques used are sophisticated, the attackers are selectively focusing on specific entities in the MENA region that align with their intelligence-gathering objectives.