A sophisticated new offensive campaign attributed to the Iranian Advanced Persistent Threat (APT) actor known as MuddyWater has been uncovered, revealing an escalation in the group's tooling, malware diversity and post-exploitation techniques. The campaign, dubbed Operation Olalampo by researchers at Group-IB, began in late January 2026 and primarily targeted organisations and individuals across the Middle East and North Africa (MENA) region, according to a detailed technical analysis released by Group-IB's Threat Intelligence team.
Campaign Overview
Operation Olalampo was first observed on January 26, 2026, when multiple new malware families that overlap with prior MuddyWater activity were deployed. The campaign is notable for:
- Deploying four new malware families: a Rust-based backdoor called CHAR, two downloaders named GhostFetch and HTTP_VIP, and a more capable backdoor named GhostBackDoor.
- Using a Telegram bot for command-and-control (C2), which gave analysts unprecedented visibility into the group's post-exploitation commands and actions.
- Indicators of potential AI-assisted malware development, making this campaign stand out from earlier MuddyWater operations.
- Re-use of existing infrastructure dating back to late 2025, suggesting that this is part of a larger, persistent strategic effort.
Analysts emphasise that while many techniques align with historical MuddyWater tradecraft, several aspects — especially the use of a Rust backdoor combined with Telegram C2 — signal tactical evolution.
Infection Vectors and Delivery
Operation Olalampo’s initial intrusion vectors rely heavily on phishing emails containing weaponised Microsoft Office documents. These documents are crafted with malicious macro scripts that:
- Trigger automatically when opened with macros enabled.
- Decode embedded payloads.
- Drop and execute final malware binaries on infected systems.
Different document variants served different malware:
- The CHAR backdoor was dropped by an Excel document mimicking accounting spreadsheets from an energy and marine services firm.
- The GhostFetch downloader retrieved the GhostBackDoor backdoor as a second-stage payload.
- The HTTP_VIP downloader deployed the legitimate AnyDesk remote-management tool to give the operators remote access to compromised endpoints.
Malware Capabilities and Evasion
The malware deployed exhibits advanced features and anti-analysis safeguards:
- GhostFetch, the first-stage downloader, checks its environment and terminates itself unless the host looks like real hardware (for example, meeting minimum RAM and CPU-count thresholds), a standard sandbox-evasion technique.
- GhostBackDoor adapts its installation to the privilege level it runs with, installing as a service where privileges allow or otherwise leveraging existing system artefacts for stealth and persistence.
- HTTP_VIP is not only a downloader: some variants function as a standalone backdoor with commands to upload, download and execute files, capture clipboard contents, and adjust the beacon interval.
- The CHAR backdoor uses the Telegram Bot API for C2, exchanging commands and results through a bot over HTTPS so that its traffic blends into legitimate connections to Telegram's API. This is a departure from the HTTP-based C2 infrastructure MuddyWater has historically used.
Infrastructure and Attribution
Group-IB’s infrastructure analysis mapped multiple domains used during Olalampo:
- promoverse[.]org served GhostFetch and GhostBackDoor C2 traffic and showed connections to prior MuddyWater infrastructure from October 2025.
- miniquest[.]org and codefusiontech[.]org hosted HTTP_VIP C2 channels; both were registered in early 2026 and fronted by Cloudflare, with distinct origin IP addresses behind the proxy.
The reuse of domains and backend technologies aligns with previously observed MuddyWater infrastructure, strengthening attribution confidence.
Threat Implications and Defensive Measures
Operation Olalampo has been assessed as medium severity because of its targeted scope, but the sophistication and modularity of the toolkit, and in particular the use of Telegram bots for data exchange, pose a significant espionage risk. Security teams are urged to:
- Monitor for Telegram Bot API traffic from hosts or processes with no business need for it, and for any traffic to the domains listed above.
- Analyse suspicious Office documents for macro-based decoders and unusual execution chains.
- Deploy behavioural detection for the reflective loading and environment checks these malware families rely on.
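One way to operationalise the first recommendation, as an added example that is not Group-IB's code and not part of the original report: a small hunt over proxy logs that flags (a) requests to the three domains named above, (b) any use of the Telegram Bot API (URL paths of the form /bot<id>:<token>/<method> on api.telegram.org, or /file/bot<id>:<token>/… for file downloads), and (c) hosts whose request timing to a single destination is too regular to be a person, which is the beaconing behaviour that HTTP_VIP's adjustable interval controls. The log format, the sample lines, the bot token and the thresholds are constructed for the demonstration.

```python
"""Hunt for Telegram Bot API C2 and known Olalampo infrastructure in proxy logs.

Added example (not Group-IB's code). The log format, the sample lines, the
bot token and the thresholds below are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

# C2 domains named in the Group-IB report (defanged in the article text).
OLALAMPO_DOMAINS = {"promoverse.org", "miniquest.org", "codefusiontech.org"}

# Telegram Bot API paths: /bot<bot_id>:<token>/<method> for calls,
# /file/bot<bot_id>:<token>/<path> for file downloads.
TELEGRAM_BOT_RE = re.compile(r"^(?:/file)?/bot(\d+):[^/]+/([^/?]+)")

# Assumed beaconing thresholds; tune to your environment.
MIN_REQUESTS = 6   # need this many requests to one host before judging timing
MAX_CV = 0.15      # stdev/mean of inter-request gaps below this looks machine-timed


def parse_line(line):
    """Constructed format: '<ISO8601 UTC ts> <src_ip> <method> <url> <status>'."""
    ts, src, _method, url, _status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    parts = urlsplit(url)
    return {"ts": when, "src": src, "host": parts.hostname or "", "path": parts.path}


def matches_ioc_domain(host):
    """True for a listed domain or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in OLALAMPO_DOMAINS)


def telegram_bot_call(host, path):
    """Return (bot_id, method_or_path) for a Bot API request, else None."""
    if host != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_RE.match(path)
    return (m.group(1), m.group(2)) if m else None


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between requests (None if too few)."""
    if len(timestamps) < MIN_REQUESTS:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def hunt(lines):
    """Return one alert per (kind, src, host): IOC domain, Bot API use, periodic beacon."""
    alerts = {}

    def add(kind, src, host, **detail):
        alerts.setdefault((kind, src, host), {"kind": kind, "src": src, "host": host, **detail})

    per_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        per_pair[(rec["src"], rec["host"])].append(rec["ts"])
        if matches_ioc_domain(rec["host"]):
            add("ioc_domain", rec["src"], rec["host"])
        bot = telegram_bot_call(rec["host"], rec["path"])
        if bot:
            add("telegram_bot_api", rec["src"], rec["host"], bot_id=bot[0], method=bot[1])
    for (src, host), stamps in per_pair.items():
        cv = beacon_score(stamps)
        if cv is not None and cv < MAX_CV:
            add("periodic_beacon", src, host, cv=round(cv, 3), requests=len(stamps))
    return list(alerts.values())


# Constructed sample: 10.0.0.12 polls a bot every 60 s and touches one report
# domain; 10.0.0.20 browses an unrelated site at irregular intervals.
_TOKEN = "123456789:AAFakeTokenForTheExample_0000000000"  # constructed, not a real token
SAMPLE_LOG = [
    f"2026-02-03T09:0{i}:00Z 10.0.0.12 GET https://api.telegram.org/bot{_TOKEN}/getUpdates 200"
    for i in range(6)
] + [
    "2026-02-03T09:02:30Z 10.0.0.12 POST https://miniquest.org/upload 200",
    "2026-02-03T09:00:00Z 10.0.0.20 GET https://example.com/ 200",
    "2026-02-03T09:00:07Z 10.0.0.20 GET https://example.com/a 200",
    "2026-02-03T09:01:40Z 10.0.0.20 GET https://example.com/b 200",
    "2026-02-03T09:05:12Z 10.0.0.20 GET https://example.com/c 200",
    "2026-02-03T09:05:15Z 10.0.0.20 GET https://example.com/d 200",
    "2026-02-03T09:12:00Z 10.0.0.20 GET https://example.com/e 200",
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints three alerts for the constructed sample (Bot API use and a periodic beacon from 10.0.0.12 to api.telegram.org, and an IOC hit on miniquest.org) and nothing for the browsing host. In practice replace parse_line() with your proxy's format (Zeek http.log, Squid, a web gateway export) and feed it a day of logs. The periodicity check uses timing alone, so a backdoor that jitters its interval, which an "adjust beacon interval" command makes cheap for the operator, will weaken that signal; treat it as corroboration for the domain and Bot API matches rather than a detection on its own.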
Given the evolving geopolitical context in the MENA region, these intrusions underscore the importance of layered defence and real-time threat intelligence to rapidly detect and respond to advanced persistent threats.
