Both are Iranian state-sponsored espionage groups, affiliated with MOIS. But they differ significantly in operational tempo and approach. MuddyWater is characterized by rapid toolkit rotation and broad phishing campaigns using compromised legitimate mailboxes, deploying at least three new malware variants between October 2025 and March 2026. OilRig tends toward more targeted and low profile intrusions with longer development cycles for bespoke implants, and more reliance on vulnerability exploitation. MuddyWater’s geographic reach is also notably broader, with confirmed activity across 113 countries.

MuddyWater sends phishing emails from legitimately compromised accounts rather than spoofed addresses. Because the emails originate from authenticated, trusted senders, they pass SPF, DKIM, and DMARC validation. Detection requires monitoring sender behavior anomalies — unusual login times, new client fingerprints, access from unexpected IP ranges — rather than relying on email header validation alone. They also employ good lures, which are often designed for their specific targets, in addition to using legitimate services and programs for initial infection.

Operation Olalampo is the most recent MuddyWater campaign documented by Group-IB, first observed on 26 January 2026 and attributed with high confidence. It targeted multiple organizations across the MENA region and introduced MuddyWater’s first documented use of a Telegram bot as a command-and-control channel — a significant tradecraft evolution. Group-IB’s monitoring of the Telegram C2 bot provided rare direct visibility into post-exploitation commands, deployed tools, and data collection techniques.

The order matters — preserve telemetry before you start cleaning up, because fragmented vendor telemetry is the threat actor’s defense and every additional data point materially helps the broader community.

1. Preserve, don’t wipe. Image the host, snapshot memory, and freeze logs before remediating. Pull EDR telemetry for at least 90 days back — MuddyWater dwell times of weeks are routine.
2. Identify the initial access vector first. That single decision tells you what stage of the kill chain you’re seeing. Was it an RMM install, a macro-laden Office document, a ClickFix-pasted PowerShell command in the user’s run history, or exploitation of a recently disclosed public-facing CVE?
3. Hunt the persistence fingerprints. Look for newly created scheduled tasks, services, registry Run keys, and modified Shell Folders\Startup registry redirects.
4. Check for the credential-staging files. C:\Users\Public\Downloads\lp-notes.txt, ce-notes.txt, cobe-notes.txt, or C:\ProgramData\lopa.txt are smoking guns — their presence means the LP-Notes-family credential dialog has already fired.
5. Look for sideloaded signed binaries in the wrong place.
6. Look for unusual files in the Public user directory.
7. Understanding the context of the attack
8. None of these steps will be effective without current threat intelligence — knowing which certificates, domains, file paths, and tool families are currently associated with MuddyWater is what turns a generic IR playbook into MuddyWater-specific hunting.

Based on the trajectory observed by Group-IB, MuddyWater’s tradecraft is likely to evolve along several converging lines. The group will lean more heavily on AI-assisted malware development to produce variants that are harder to fingerprint with static signatures and that mutate quickly enough to outpace traditional detection cycles. At the same time, expect a commodity-crimeware overlay to become the default cover for state-aligned operations — using off-the-shelf RATs, loaders, and stealers (often the same toolkits sold on cybercrime forums) to blend espionage activity into the noise of ordinary financially motivated intrusions, making attribution slower and harder. Ransomware and destructive payloads deployed as decoys will grow more convincing, with proper ransom notes, working leak-site infrastructure, and plausible negotiation behavior, so that incident responders waste time treating an espionage breach as a criminal extortion event. Finally, abuse of signed binaries will expand, including misuse of legitimately signed tools from security vendors themselves — EDR components, remote management agents, and forensic utilities — to bypass trust-based controls and turn defenders’ own software supply chain against them.