Threat Intelligence, Malware

MuddyWater APT launches Operation Olalampo with new malware targeting MENA region


The Iranian hacking group MuddyWater, also known as Earth Vetala, Mango Sandstorm, and MUDDYCOAST, has launched a new campaign named Operation Olalampo that primarily targets organizations and individuals in the Middle East and North Africa (MENA) region, according to Group-IB. The campaign deploys novel malware families, some of which share characteristics with tools previously attributed to the threat actor, according to a recent report by The Hacker News.

Operation Olalampo, observed starting January 26, 2026, uses phishing emails carrying malicious Microsoft Office documents whose macro code deploys the payloads. The new malware families include the GhostFetch downloader and CHAR, a Rust backdoor controlled through a Telegram bot. GhostFetch can deploy a second-stage backdoor named GhostBackDoor, which provides an interactive shell and file manipulation capabilities. Another attack chain uses the HTTP_VIP downloader to deploy AnyDesk, and updated versions are capable of gathering victim information and executing commands.

Group-IB's analysis suggests AI-assisted development for CHAR, evidenced by emojis in debug strings, aligning with previous reports of MuddyWater experimenting with generative AI. The group also exploits recently disclosed vulnerabilities on public-facing servers for initial access.

Source: The Hacker News
