MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP
Iranian APT MuddyWater Unleashes AI-Powered Malware Arsenal in ‘Operation Olalampo’ Campaign
In a chilling evolution of cyber warfare, Iranian threat actor MuddyWater—also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST—has launched a sophisticated new campaign dubbed Operation Olalampo, deploying an arsenal of AI-assisted malware against organizations across the Middle East and North Africa (MENA) region.
First detected on January 26, 2026, this campaign marks a significant escalation in MuddyWater’s capabilities, with the group leveraging artificial intelligence tools to accelerate malware development and enhance operational efficiency. Security researchers at Group-IB have documented the deployment of multiple new malware families, each designed to establish persistent access and facilitate intelligence gathering from high-value targets.
The Anatomy of Operation Olalampo
The attack methodology follows MuddyWater’s established playbook but with notable refinements. Initial access is typically gained through carefully crafted phishing emails containing malicious Microsoft Office documents. These documents employ embedded macro code that, when enabled by unsuspecting victims, decodes and executes the payload, granting adversaries remote control over compromised systems.
Group-IB’s analysis reveals three distinct attack chains, each culminating in different malware deployments:
- CHAR Deployment: A malicious Excel document prompts users to enable macros, triggering the installation of a Rust-based backdoor codenamed CHAR.
- GhostFetch Chain: Another variant leads to the deployment of GhostFetch, a downloader that subsequently delivers GhostBackDoor.
- HTTP_VIP Vector: A third approach uses social engineering lures related to flight tickets and reports, distributing the HTTP_VIP downloader that ultimately installs AnyDesk remote desktop software.
The Malware Arsenal: Four Tools of Digital Espionage
GhostFetch: The Silent Infiltrator
This first-stage downloader profiles the host before carrying out its main task. Upon deployment, GhostFetch performs several reconnaissance and anti-analysis checks:
- Validates mouse movements and screen resolution to confirm human interaction
- Scans for debuggers, virtual machine artifacts, and antivirus software
- Fetches and executes secondary payloads directly in memory, evading traditional file-based detection
GhostBackDoor: The Persistent Intruder
Delivered by GhostFetch, this second-stage backdoor provides attackers with extensive control capabilities:
- Interactive shell access for command execution
- File read/write operations for data exfiltration
- Self-replication through re-execution of GhostFetch
HTTP_VIP: The Multi-Purpose Downloader
This native downloader represents a more versatile tool in MuddyWater’s kit:
- Conducts system reconnaissance before connecting to command-and-control servers
- Authenticates with external servers (notably codefusiontech[.]org)
- Deploys AnyDesk remote desktop software for persistent access
- Recent variants include capabilities for victim information retrieval, interactive shell access, file transfer, clipboard capture, and adjustable beaconing intervals
CHAR: The AI-Enhanced Backdoor
Perhaps the most intriguing development is CHAR, a Rust-based backdoor controlled through a Telegram bot named “Olalampo” (username: stager_51_bot). This malware demonstrates clear signs of AI-assisted development, with researchers noting the presence of emojis in debug strings—a hallmark of generative AI tool usage.
CHAR’s capabilities include:
- Directory navigation and command execution via cmd.exe or PowerShell
- SOCKS5 reverse proxy functionality
- Web browser data exfiltration
- Execution of unknown executables (“sh.exe” and “gshdoc_release_X64_GUI.exe”)
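The three chains above share a few observable stages: an Office document spawning a shell, a native downloader contacting codefusiontech[.]org and installing AnyDesk, and CHAR beaconing to a Telegram bot. The following added example (not code from the article or from Group-IB) triages constructed endpoint events against those stages; the Telegram Bot API host is a public endpoint, and the hosts, paths and process names in the sample telemetry are constructed, not real indicators.

```python
# Added example: heuristic triage of endpoint events for the chains described
# in the article. Sample telemetry below is constructed; api.telegram.org is the
# public Telegram Bot API host, codefusiontech.org is the domain named above.
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
C2_HOSTS = {"codefusiontech.org", "api.telegram.org"}
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads)\\", re.IGNORECASE)

@dataclass
class Event:
    kind: str              # "process" (creation) or "network" (outbound connect)
    image: str             # image file name of the acting process
    parent: str = ""       # parent image, for process events
    path: str = ""         # full image path, for process events
    dest: str = ""         # destination host, for network events

def triage(events):
    """Return (rule, event) pairs for events matching the chain heuristics."""
    hits = []
    for e in events:
        img = e.image.lower()
        if e.kind == "process":
            if e.parent.lower() in OFFICE_APPS and img in SHELLS:
                hits.append(("office_macro_spawn", e))   # macro-based initial access
            elif img == "anydesk.exe" and USER_WRITABLE.search(e.path):
                hits.append(("anydesk_user_path", e))    # HTTP_VIP dropping AnyDesk
        elif e.kind == "network":
            if e.dest.lower() in C2_HOSTS and img not in BROWSERS:
                hits.append(("c2_contact", e))           # HTTP_VIP or CHAR beacon
    return hits

# Constructed sample telemetry (hypothetical hosts, users and process names)
SAMPLE = [
    Event("process", "cmd.exe", parent="EXCEL.EXE", path=r"C:\Windows\System32\cmd.exe"),
    Event("network", "chrome.exe", dest="codefusiontech.org"),
    Event("network", "updater.exe", dest="codefusiontech.org"),
    Event("process", "AnyDesk.exe", parent="updater.exe", path=r"C:\Users\u\AppData\Local\Temp\AnyDesk.exe"),
    Event("network", "svchost.exe", dest="updates.example.com"),
    Event("network", "char.exe", dest="api.telegram.org"),
]

def triage_rules(events=SAMPLE):
    return [rule for rule, _ in triage(events)]
```

Browser traffic to the C2 host is deliberately excluded so that a user clicking a link does not fire the downloader rule; tune that exclusion to your own environment.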
The AI Factor: Revolutionizing Cyber Espionage
Group-IB’s analysis of CHAR’s source code reveals compelling evidence of AI-assisted development. This finding aligns with Google’s earlier revelations that MuddyWater has been experimenting with generative AI tools to support custom malware development, particularly for file transfer and remote execution capabilities.
The presence of emojis in debug strings serves as a digital fingerprint, suggesting that the threat actor is leveraging large language models to accelerate code development and potentially bypass traditional security review processes. This represents a paradigm shift in how state-sponsored threat actors approach malware development, potentially reducing development time while increasing sophistication.
Technical Sophistication and Infrastructure Evolution
The campaign demonstrates MuddyWater’s continued technical evolution. CHAR shares structural similarities with previously identified malware families like BlackBeard (also known as Archer RAT and RUSTRIC), suggesting a common development environment and possibly shared codebases.
Beyond phishing campaigns, MuddyWater has expanded its initial access methods to include exploitation of recently disclosed vulnerabilities on public-facing servers. This diversification indicates a threat actor evolving from opportunistic attacks to more targeted, sophisticated operations.
Regional Impact and Strategic Implications
Operation Olalampo primarily targets organizations within the MENA region, with Group-IB noting the group’s sustained focus on this geographical area. The campaign’s sophistication and the adoption of AI technologies underscore MuddyWater’s commitment to expanding operations and maintaining technological superiority.
The threat actor’s investment in custom malware development, coupled with diversified command-and-control infrastructure, suggests a well-resourced operation with clear strategic objectives. These may include intelligence gathering, economic espionage, and potentially preparation for more aggressive cyber operations.
Looking Ahead: The Future of AI-Powered Cyber Warfare
As state-sponsored threat actors increasingly adopt AI tools for malware development, the cybersecurity landscape faces unprecedented challenges. The ability to rapidly prototype, test, and deploy sophisticated malware could significantly reduce the time between vulnerability discovery and exploitation.
Security professionals and organizations in the MENA region and beyond must remain vigilant, implementing multi-layered defense strategies that account for both traditional attack vectors and emerging AI-enhanced threats. The evolution of Operation Olalampo serves as a stark reminder that the intersection of artificial intelligence and cyber warfare represents one of the most significant security challenges of our time.
tags: MuddyWater, Operation Olalampo, Iranian APT, AI malware, cyber espionage, Rust backdoor, GhostFetch, GhostBackDoor, HTTP_VIP, CHAR malware, Middle East cyber attacks, MENA region threats, AI-assisted hacking, state-sponsored cyber warfare, phishing campaigns, command-and-control infrastructure