MuddyWater's Operation Olalampo: Uncovering C2 Infrastructure and Telegram Bot Utilization in MENA Targets
- Actor Motivations: Espionage
- Attack Vectors: Malware
- Attack Complexity: Medium
- Threat Risk: Unknown
Threat Overview
The APT group MuddyWater recently launched "Operation Olalampo," targeting organizations and individuals primarily across the MENA region amid ongoing geopolitical tensions. In this campaign the threat actors deployed newly developed malware variants and used Telegram bots for command-and-control (C&C) operations. A deep dive into the campaign's infrastructure revealed recently registered, Namecheap-administered domains with registration details localized to Iceland, resolving to US-geolocated IP addresses. Further DNS and threat intelligence analysis uncovered a vast network of over 2,500 connected domains linked to a single registrant email, along with active communications originating from ten potential victim IP addresses.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Region | Middle East Countries | Verified |
Extracted IOCs
Tip: 98 related IOCs (5 IP, 93 domain, 0 URL, 0 email, 0 file hash) have been found for this threat.
Overlaps
Source: Palo Alto Networks - March 2026
Detection (two cases): codefusiontech[.]org, miniquest[.]org
Source: Huntress - March 2026
Detection (one case): 162[.]0.230.185
Source: Hunt.io - March 2026
Detection (four cases): 162[.]0.230.185, 209[.]74.87.100, codefusiontech[.]org, jerusalemsolutions[.]com
Source: Group IB - February 2026
Detection (five cases): 162[.]0.230.185, 209[.]74.87.100, codefusiontech[.]org, jerusalemsolutions[.]com, miniquest[.]org
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
FAQs
Operation Olalampo
Security researchers uncovered a new cyber campaign called "Operation Olalampo." Attackers set up a large, hidden network of websites and servers to deploy malicious software. By investigating a few initial clues, researchers found thousands of related domains and evidence of successful compromises.
The attack was carried out by MuddyWater, a known Advanced Persistent Threat (APT) group. This group has a history of conducting complex cyber operations and often takes advantage of geopolitical tensions to launch its campaigns.
The goal of the campaign was likely espionage and unauthorized access, driven by ongoing geopolitical conflicts. The attackers deployed new forms of malicious software to infect systems and maintain covert access to the victims' networks.
Yes, the campaign specifically targeted organizations and individuals located primarily across the Middle East and North Africa (MENA) region. While specific industries were not named, the targets align with the region's geopolitical landscape.
The attackers built their infrastructure by registering new web domains in Iceland and routing them through servers located in the United States. Once a victim was infected with their new malicious software, the attackers used Telegram bots to secretly send commands and control the compromised systems.
Organizations and individuals in the MENA region are frequently targeted due to the high geopolitical stakes in the area. Attackers seek to gather intelligence, monitor communications, or disrupt operations relevant to regional conflicts.
Organizations should immediately block access to the specific web addresses and servers identified in the Operation Olalampo report. Additionally, companies should monitor their networks for unusual activity, especially unauthorized traffic involving the Telegram app, which the attackers used to control infected computers.
This is a highly targeted campaign focused specifically on victims in the MENA region. However, because the attackers established a massive network of over 2,500 connected web domains, they possess the infrastructure necessary to conduct widespread operations if their goals shift.
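As a defensive illustration of the blocking and monitoring guidance above (added here; not part of the report or of any vendor's tooling), this Python sweeps constructed proxy records for the report's defanged indicators and for Telegram Bot API call patterns. The `timestamp src_ip dst_host dst_ip url` log format and the sample records are assumptions; the indicators are the ones listed in the Overlaps section.

```python
import re

# Indicators exactly as the report defangs them (from the Overlaps section above).
DEFANGED_IOCS = ["codefusiontech[.]org", "miniquest[.]org", "jerusalemsolutions[.]com",
                 "162[.]0.230.185", "209[.]74.87.100"]

def refang(ioc: str) -> str:
    """Reverse the report's defanging so an indicator matches real log fields."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

IOCS = {refang(i) for i in DEFANGED_IOCS}

# Telegram Bot API calls carry the bot token in the path (/bot<id>:<secret>/<method>);
# from a host with no business running a bot this is a triage lead, not proof of compromise.
TELEGRAM_BOT_API = re.compile(r"^https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/\w+")

def match_ioc(host: str, ip: str):
    """Return the indicator covering host (or any subdomain of it) or ip, else None."""
    if ip in IOCS:
        return ip
    for ioc in IOCS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan_proxy_log(lines):
    """Scan 'timestamp src_ip dst_host dst_ip url' records (assumed format);
    return (src_ip, reason, value) tuples, reason 'known_ioc' or 'telegram_bot_api'."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed record: skip it rather than abort the sweep
        _, src_ip, dst_host, dst_ip, url = fields[:5]
        hit = match_ioc(dst_host, dst_ip)
        if hit:
            findings.append((src_ip, "known_ioc", hit))
        if TELEGRAM_BOT_API.match(url):
            findings.append((src_ip, "telegram_bot_api", url))
    return findings

# Constructed sample records; 203.0.113.x are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2026-03-10T08:01:02Z 10.0.0.5 www.example.org 203.0.113.10 https://www.example.org/",
    "2026-03-10T08:01:09Z 10.0.0.7 cdn.codefusiontech.org 203.0.113.11 https://cdn.codefusiontech.org/u",
    "2026-03-10T08:01:15Z 10.0.0.9 api.telegram.org 203.0.113.12 "
    "https://api.telegram.org/bot123456:AAExampleToken_x/getUpdates",
    "2026-03-10T08:02:00Z 10.0.0.5 update.example.net 162.0.230.185 http://162.0.230.185/a",
]
```

Subdomain matching matters because the report's Tip counts 93 domains while infected hosts typically contact a specific host under each one; the IP check catches direct-to-IP beacons that carry no hostname.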