NEWS Iranian Espionage with a Rust Scent: Why Hackers Need "Ghost" Backdoors

pinkman

Sometimes an ordinary letter in the mail turns out to be the beginning of a major disaster.
The Iranian group MuddyWater has launched a new wave of attacks against organizations and individuals in the Middle East and North Africa. The campaign, dubbed Operation Olalampo, began in late January 2026. According to researchers at Group-IB, the attackers deployed several new tools, some of which overlap with previously observed developments by the same group.

The operation utilizes the GhostFetch and HTTP_VIP downloaders, the CHAR backdoor written in Rust, and the GhostBackDoor implant. The attacks begin with phishing emails with Microsoft Office attachments. These documents contain malicious macros that, when activated, decrypt the embedded code, save it on the system, and execute it. The attackers then gain remote access to the infected device.

One scenario revolves around an Excel file that convinces the victim to enable macros and ultimately installs CHAR. Another version first downloads GhostFetch, which then deploys GhostBackDoor. A third variant uses airline ticket and report themes, and also disguises itself as a Middle Eastern energy and maritime services company. In this case, the victim is delivered HTTP_VIP, which subsequently installs AnyDesk for remote control.

GhostFetch performs initial system reconnaissance, checks mouse movement and screen resolution, searches for traces of virtual environments and antivirus software, and then loads additional components directly into memory. GhostBackDoor supports an interactive shell and file operations. HTTP_VIP communicates with an external server for authentication and AnyDesk download, and the new version of the tool can collect system information, execute commands, transfer files, and intercept clipboard contents. CHAR is controlled via a Telegram bot named Olalampo and can run cmd.exe or PowerShell commands, including those for deploying a SOCKS5 proxy, an additional Kalim backdoor, and dumping data from browsers.

An analysis of CHAR's source code revealed evidence of the use of generative AI tools in its development. Google previously reported that MuddyWater was experimenting with similar technologies to create malware with remote command execution and file transfer capabilities. Furthermore, CHAR's structure resembles the Rust malware BlackBeard, which has also been linked to this group.

In addition to phishing, attackers are exploiting recently disclosed vulnerabilities on public servers to gain initial access to infrastructure. Group-IB believes that MuddyWater remains highly active in the MENA region and is expanding its toolkit, combining in-house developments, an extensive command and control infrastructure, and elements of artificial intelligence.