MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP
Summary:
First identified in late January 2026, Operation Olalampo represents a significant evolution in the tactical playbook of MuddyWater (also known as Mango Sandstorm or Static Kitten), a threat actor linked to Iran’s Ministry of Intelligence and Security (MOIS). The campaign is characterized by its high volume of spear-phishing activity, where attackers utilize compromised legitimate email accounts to send lures disguised as urgent business or administrative documents, such as flight bookings or industry-specific reports. Once a victim is enticed into opening an attached Microsoft Excel file and enabling macros, a sophisticated, multi-stage infection chain is triggered. This chain begins by executing a malicious VBA script that drops several new malware families designed for stealth and persistence. Central to this arsenal is CHAR, a backdoor written in the Rust programming language, which allows the attackers to execute arbitrary PowerShell commands and exfiltrate sensitive files.
The operation further utilizes GhostFetch, a downloader that gathers extensive system metadata to ensure the target is of high value before proceeding, and HTTP_VIP, a Python-based tool specialized in harvesting credentials from web browsers. A defining feature of Operation Olalampo is the heavy reliance on Telegram’s API for command-and-control (C2) infrastructure; by using Telegram bots, the attackers can mask their malicious traffic as legitimate encrypted communication, making it extremely difficult for standard network monitoring tools to detect the exfiltration of data. Additionally, Group-IB researchers noted strong evidence that the developers are leveraging Generative AI to write and refine their code, a trend evidenced by the inclusion of peculiar debug strings and emojis within the malware’s source—a technique that may help them bypass traditional signature-based detection by rapidly iterating and varying their codebases. The final stage of the attack often involves the deployment of legitimate remote management tools like AnyDesk, providing the actors with a persistent "backdoor" into the network that mimics the behavior of a standard IT administrator.
Security Officer Comments:
This campaign underscores the persistent and evolving threat posed by Iranian state-sponsored actors. While the current geographic focus is the MENA region, MuddyWater has a documented history of targeting telecommunications, energy, and transportation sectors globally. The shift to Rust-based malware and AI-assisted development indicates a move toward more evasive and rapidly iterated codebases that may bypass traditional signature-based detection. Furthermore, the use of legitimate platforms like Telegram for C2 and AnyDesk for remote access makes it increasingly difficult for security teams to distinguish between malicious activity and authorized administrative tasks. This "living-off-trusted-services" strategy is designed to blend into high-volume network traffic, posing a significant risk to organizations with sprawling digital footprints and decentralized IT management.
Suggested Corrections:
To defend against the tactics observed in Operation Olalampo, organizations should prioritize a multi-layered defense strategy focused on entry vectors and lateral movement.
- Macro Restrictions: Implement a strict policy to disable macros for all Office documents received from external sources. Use Group Policy Objects (GPO) to block macros in files from the internet entirely.
- Email Security: Enhance phishing filters to scan for suspicious attachments and lures involving "flight tickets," "energy reports," or "urgent updates," which were specifically used in this campaign.
- Endpoint Monitoring: Configure EDR (Endpoint Detection and Response) tools to flag the execution of unauthorized remote management tools like AnyDesk and to monitor for suspicious child processes spawning from Microsoft Excel or Word.
- Network Filtering: Restrict or monitor traffic to Telegram’s API and other known messaging platforms at the corporate gateway if they are not required for business operations.
- User Training: Conduct targeted phishing simulations that educate employees on the dangers of "Enable Content" prompts, emphasizing that state-backed actors often use compromised legitimate accounts to send these lures.
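As an added illustration of the Endpoint Monitoring and Network Filtering items above (example code written for this summary, not from Group-IB or the linked article), the following Python pass flags an Office process spawning a script host, AnyDesk executing on a host outside an approved set, and proxy connections to the Telegram Bot API from hosts without a business need. The sample telemetry, the `api.telegram.org` host and both allowlists are constructed assumptions for the example.

```python
import ntpath

# Allowlists below are assumptions for this example, not values from the report.
OFFICE_PARENTS = {"excel.exe", "winword.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RMM_APPROVED_HOSTS = {"it-helpdesk-01"}        # assumed: hosts permitted to run AnyDesk
TELEGRAM_API_HOST = "api.telegram.org"         # Telegram Bot API endpoint (assumed egress host)
TELEGRAM_APPROVED_HOSTS = {"comms-gateway-01"} # assumed: hosts with a business need for Telegram

def base(path):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()

def check_process_event(ev):
    """Return alert tags for one process-creation event (Sysmon Event ID 1 shaped dict)."""
    parent, image, alerts = base(ev["parent"]), base(ev["image"]), []
    if parent in OFFICE_PARENTS and image in SCRIPT_CHILDREN:
        alerts.append("office_spawns_script_host")      # macro-driven child process
    if image == "anydesk.exe" and ev["host"] not in RMM_APPROVED_HOSTS:
        alerts.append("unauthorized_rmm_execution")     # RMM tool outside sanctioned hosts
    return alerts

def check_proxy_line(line):
    """Proxy line format assumed: '<client_host> <dest_host>:<port> <method>'."""
    src, dest = line.split()[:2]
    if dest.rsplit(":", 1)[0] == TELEGRAM_API_HOST and src not in TELEGRAM_APPROVED_HOSTS:
        return ["telegram_api_from_unapproved_host"]
    return []

# Constructed sample telemetry for the example (not observed campaign data)
PROCESS_EVENTS = [
    {"host": "ws-042", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws-042", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\AnyDesk.exe"},
    {"host": "it-helpdesk-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
]
PROXY_LINES = [
    "ws-042 api.telegram.org:443 CONNECT",
    "comms-gateway-01 api.telegram.org:443 CONNECT",
    "ws-007 www.example.com:443 CONNECT",
]

def run_detections():
    """Return (host, alert_tag) pairs across both telemetry sources, in input order."""
    hits = [(ev["host"], t) for ev in PROCESS_EVENTS for t in check_process_event(ev)]
    hits += [(l.split()[0], t) for l in PROXY_LINES for t in check_proxy_line(l)]
    return hits
```

Correlating the three tags on the same host (here `ws-042`) is what turns individually noisy signals into a high-confidence match for the chain described above.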
Link(s):
https://thehackernews.com/2026/02/muddywater-targets-mena-organizations.html