MuddyWater: Operation Olalampo
A Technical Analysis of an Iranian Cyber-Espionage Campaign
Operation Olalampo is a cyber-espionage campaign attributed to the Iranian state-aligned Advanced Persistent Threat (APT) group MuddyWater. Identified by Group-IB threat intelligence researchers, the campaign represents a continuation of MuddyWater’s long-standing strategy of targeting organizations across geopolitically significant regions, particularly the Middle East and North Africa (MENA). First observed on 26 January 2026, Operation Olalampo demonstrates the group’s increasing technical sophistication and operational maturity, particularly through the deployment of custom malware families, the use of novel command-and-control (C2) channels, and evidence of artificial intelligence-assisted development practices.
MuddyWater is widely believed to operate on behalf of Iranian intelligence interests and has been active since approximately 2017. The group focuses primarily on intelligence collection and long-term persistence within compromised networks. Their victims typically include government agencies, telecommunications companies, financial institutions, and other organizations of strategic importance.
Operation Olalampo highlights how state-sponsored threat actors continue to refine their tactics, techniques, and procedures (TTPs) in order to maintain effectiveness against modern defensive systems. This report provides a comprehensive analysis of Operation Olalampo, including threat actor background, targeting strategy, attack methodology, malware toolkit, infrastructure, and broader cybersecurity implications.
Who is MuddyWater?
MuddyWater is an Iranian APT group known by numerous aliases, including Seedworm, TA450, Mango Sandstorm, and Earth Vetala. The group is believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and conducts cyber-espionage campaigns aligned with Iranian geopolitical interests.
Since its emergence, MuddyWater has focused on intelligence gathering rather than financial gain. Its campaigns typically seek long-term access to targeted networks, allowing attackers to extract sensitive information over extended periods.
Typical MuddyWater targets include:
Government institutions
Energy and infrastructure companies
Telecommunications providers
Defense contractors
Academic institutions
Financial organizations
The group’s operations often align with Iranian strategic priorities, particularly in the Middle East. However, MuddyWater activity has also been observed in Europe and North America, indicating an expanding operational scope.
Historically, MuddyWater has relied heavily on phishing attacks and PowerShell-based malware. Over time, however, the group has evolved toward custom-built malware frameworks and diversified infrastructure to evade detection.
Operation Olalampo represents a significant stage in this evolution.
Overview of Operation Olalampo
Operation Olalampo is a coordinated cyber-espionage campaign targeting organizations and individuals primarily in the Middle East and North Africa. The campaign involves a multi-stage infection chain designed to establish persistent remote access to victim systems.
The campaign uses several new malware families, including:
GhostFetch
GhostBackDoor
HTTP_VIP
CHAR
These tools work together as part of a structured attack chain, beginning with phishing emails and ending with full remote control of compromised systems.
Despite the introduction of new tools and programming languages, the operation maintains consistent tradecraft with previous MuddyWater campaigns.
This continuity helps analysts confidently attribute the operation to MuddyWater.
Targeting Strategy
Operation Olalampo primarily targets organizations across the MENA region, including both government and private-sector entities.
The choice of targets suggests intelligence-gathering objectives aligned with regional political tensions.
Victims include:
Government agencies
Corporate organizations
Infrastructure operators
Individual professionals
The campaign uses carefully designed phishing lures that mimic legitimate business communications. Examples include:
Flight ticket confirmations
Corporate reports
Energy-sector communications
These lures increase the likelihood that recipients will open malicious attachments.
The targeting pattern reflects MuddyWater’s traditional focus on strategic intelligence rather than indiscriminate attacks.
Initial Access: Phishing and Social Engineering
The primary entry point for Operation Olalampo is spear-phishing emails containing malicious Microsoft Office attachments.
These attachments typically consist of Excel documents that contain embedded macros.
When a victim opens the document and enables macros, malicious code executes automatically.
The macro code:
Decodes embedded payloads
Writes files to the system
Executes malware components
This approach is consistent with MuddyWater’s previous campaigns and demonstrates continued reliance on social engineering techniques.
Phishing remains effective because it exploits human trust rather than technical vulnerabilities.
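The macro chain above (decode embedded payloads, write files, execute) only runs if an attachment carrying a VBA project reaches the user, so the first defensive check is structural: does the attachment contain a VBA project at all? The script below is an added Python example written for this page, not code from the report, from Group-IB or from the campaign; it inspects an Office attachment without parsing or running any macro, classifies the container (OOXML package, legacy OLE file, or neither), and returns a block/sandbox/allow decision for a mail gateway. The in-memory sample workbooks, the file names and the helper names `inspect_attachment`, `triage_attachment` and `build_sample_workbook` are constructed for this example.

```python
"""Gateway-side triage of Office attachments for embedded VBA (added example)."""
import io
import zipfile

# OOXML content types that declare a macro-enabled document (ECMA-376 packaging).
MACRO_ENABLED_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-excel.template.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
PLAIN_SHEET_TYPE = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc compound file
ZIP_MAGIC = b"PK\x03\x04"                          # an OOXML document is a ZIP package
MACRO_EXTENSIONS = {"xlsm", "xltm", "docm", "dotm", "pptm"}


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Structural findings only: no macro code is parsed or executed."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = {"format": "unknown", "has_vba_project": False,
                "declared_macro_enabled": False, "extension_mismatch": False}

    if data.startswith(OLE_MAGIC):
        # The legacy binary format keeps macros inside OLE streams; that needs a
        # dedicated parser (e.g. oletools' olevba), so only classify it here.
        findings["format"] = "ole"
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            findings["format"] = "ooxml"
            # A VBA project is always stored as a package part named vbaProject.bin.
            findings["has_vba_project"] = any(
                n.lower().endswith("vbaproject.bin") for n in names)
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                findings["declared_macro_enabled"] = any(
                    t in ctypes for t in MACRO_ENABLED_TYPES)
    except zipfile.BadZipFile:
        findings["format"] = "corrupt-zip"
        return findings

    # Macro content behind a macro-free extension (or the reverse) is a
    # packaging inconsistency worth surfacing on its own.
    findings["extension_mismatch"] = (ext in MACRO_EXTENSIONS) != findings["has_vba_project"]
    return findings


def triage_attachment(filename: str, data: bytes):
    """Map the findings onto a gateway action: 'block', 'sandbox' or 'allow'."""
    f = inspect_attachment(filename, data)
    reasons = []
    if f["format"] == "ole":
        reasons.append("legacy OLE container: macro check needs a dedicated parser")
        return "sandbox", reasons
    if f["format"] in ("unknown", "corrupt-zip"):
        reasons.append(f"unrecognised or damaged container ({f['format']})")
        return "sandbox", reasons
    if f["has_vba_project"]:
        reasons.append("package carries a vbaProject.bin part")
        if f["extension_mismatch"]:
            reasons.append("VBA project present behind a non-macro extension")
        return "block", reasons
    return "allow", reasons


def build_sample_workbook(with_vba: bool) -> bytes:
    """Constructed test data: a skeletal OOXML workbook built in memory."""
    main_type = MACRO_ENABLED_TYPES[0] if with_vba else PLAIN_SHEET_TYPE
    overrides = f'<Override PartName="/xl/workbook.xml" ContentType="{main_type}"/>'
    if with_vba:
        overrides += ('<Override PartName="/xl/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    + overrides + "</Types>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Placeholder bytes standing in for a real OLE-wrapped VBA project.
            zf.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("itinerary.xlsm", build_sample_workbook(True)),
                       ("itinerary.xlsx", build_sample_workbook(True)),
                       ("report.xlsx", build_sample_workbook(False))]:
        print(name, *triage_attachment(name, blob))
```

The 'sandbox' outcome is the hand-off point for anything this structural check cannot decide (legacy OLE files, damaged archives), and the 'block' outcome should apply regardless of how plausible the sender and subject look, because the lures in this campaign are built to pass exactly that test.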
Malware Architecture
Operation Olalampo uses a modular malware architecture designed to support flexibility and stealth.
GhostFetch Downloader
GhostFetch serves as the first-stage downloader.
Its functions include:
System profiling
Anti-virtual-machine checks
Anti-debugging checks
Detection of installed antivirus software
Memory-based payload execution
GhostFetch loads additional malware directly into memory, reducing the likelihood of detection by traditional antivirus tools.
This technique is increasingly common among advanced threat actors.
GhostBackDoor Implant
GhostBackDoor is a second-stage backdoor deployed by GhostFetch.
Capabilities include:
Remote shell access
File read and write operations
Command execution
Persistent access
GhostBackDoor also has the ability to re-launch GhostFetch, enabling attackers to refresh or update their malware deployment.
This design supports long-term persistence within victim networks.
HTTP_VIP Downloader
HTTP_VIP is another downloader used in Operation Olalampo.
Key functions include:
System reconnaissance
Authentication with command servers
Deployment of remote access tools
HTTP_VIP has been observed downloading the remote administration tool AnyDesk from attacker-controlled infrastructure.
Newer variants support:
Interactive shell sessions
File transfers
Clipboard monitoring
Adjustable beacon intervals
These capabilities provide attackers with extensive control over compromised systems.
CHAR Rust Backdoor
The most notable malware component in Operation Olalampo is CHAR, a backdoor written in Rust.
CHAR supports:
Command execution
Directory navigation
PowerShell execution
Reverse proxy operations
The backdoor communicates with attackers through a Telegram bot named “stager_51_bot,” whose display name is “Olalampo.”
This unconventional command-and-control channel provides several advantages:
Blending with legitimate traffic
Easy infrastructure deployment
Strong encryption
Reduced detection risk
CHAR can also deploy additional tools, including:
SOCKS5 proxies
Browser data stealers
Additional executables
The use of Rust enhances cross-platform compatibility and makes signature-based detection more difficult.
Command and Control Infrastructure
Operation Olalampo uses a diversified command-and-control architecture.
Key components include:
Telegram-based control channels
Web servers
Legitimate software distribution methods
Telegram-based C2 infrastructure provides attackers with real-time control of compromised systems while making detection more difficult.
By monitoring the Telegram bot used in the campaign, researchers were able to observe post-exploitation activities including commands and data collection.
This insight confirmed strong links to MuddyWater’s established toolsets and operational methods.
Artificial Intelligence in Malware Development
One of the most notable aspects of Operation Olalampo is evidence suggesting the use of artificial intelligence tools in malware development.
Analysis of the CHAR backdoor revealed debug strings containing emojis, which researchers believe indicate the use of large language models during development.
Security researchers have previously noted MuddyWater’s experimentation with generative AI technologies.
Potential uses include:
Code generation
Script automation
Obfuscation
Malware testing
The integration of AI into malware development represents a significant shift in cyber threat evolution.
AI-assisted development allows threat actors to:
Accelerate malware creation
Reduce development costs
Improve code quality
Increase operational speed
Operation Olalampo demonstrates that nation-state actors are already leveraging these capabilities.
Persistence and Post-Exploitation
Once inside a network, MuddyWater focuses on persistence and intelligence collection.
Post-exploitation activities include:
Running commands remotely
Installing additional tools
Stealing browser data
Transferring files
Reverse proxy functionality allows attackers to route traffic through compromised systems, enabling lateral movement and covert communication.
Persistent access allows attackers to maintain long-term surveillance of targeted organizations.
This strategy is typical of cyber-espionage operations.
Attribution to MuddyWater
Operation Olalampo is attributed to MuddyWater with high confidence.
Attribution is based on:
Malware similarities
Infrastructure reuse
Consistent TTPs
Target selection
GhostFetch and GhostBackDoor use encoding techniques previously observed in MuddyWater malware.
The CHAR backdoor also shares structural similarities with other MuddyWater tools.
Infrastructure reuse dating back to late 2025 further strengthens attribution.
Together, these factors provide strong forensic evidence linking the campaign to MuddyWater.
Evolution of MuddyWater Techniques
Operation Olalampo demonstrates several important developments in MuddyWater’s capabilities:
Increased Custom Malware
Earlier campaigns relied heavily on legitimate remote-access tools.
Operation Olalampo instead uses custom-built malware families.
This reduces detection rates and increases operational control.
New Programming Languages
The use of Rust is a significant technical development.
Rust malware offers:
Memory safety
Cross-platform compatibility
Reduced detection
Rust-based malware is becoming increasingly popular among advanced threat actors.
AI Integration
The possible use of AI tools indicates an evolving development methodology. AI-assisted malware may become a standard feature of future campaigns.
Improved Infrastructure
Telegram-based C2 channels represent a shift toward resilient infrastructure. This makes disruption more difficult.
Security Implications
Operation Olalampo highlights several important cybersecurity concerns.
Continued Effectiveness of Phishing
Despite advances in security technology, phishing remains highly effective. Human behavior continues to represent a major security vulnerability.
Advanced Persistent Threat Evolution
APT groups are rapidly improving their capabilities.
Operation Olalampo demonstrates:
Advanced malware
Modular architectures
New programming languages
AI integration
These developments raise the overall threat level. The MENA region remains a major target for state-sponsored cyber operations. Organizations operating in the region face elevated risk.
Difficulty of Detection
Several features make Operation Olalampo difficult to detect:
Memory-based execution
Legitimate software abuse
Telegram-based C2
Custom malware
Traditional security tools may struggle to identify these threats. Organizations can reduce risk through several defensive measures:
Email Security
Advanced phishing detection
Attachment sandboxing
Macro blocking
Endpoint Protection
Behavioral monitoring
Memory analysis
Endpoint detection and response (EDR)
Network Monitoring
Outbound traffic analysis
Detection of unusual C2 patterns
Telegram traffic monitoring
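The report describes a Telegram bot as CHAR's control channel and adjustable beacon intervals in HTTP_VIP, and the Network Monitoring items above call for outbound traffic analysis, detection of unusual C2 patterns and Telegram traffic monitoring. The script below is an added Python example written for this page, not Group-IB's tooling and not derived from the campaign's malware; it applies two rules to constructed outbound-connection log lines: (1) any host outside an allowlist contacting api.telegram.org, the endpoint that Telegram bots use, and (2) any host/process/destination flow whose gaps between connections are nearly uniform, which is what a fixed-interval beacon looks like in telemetry. The log format, hostnames, process names, the allowlist and the thresholds are all assumptions, and 203.0.113.45 is a documentation-range address standing in for an attacker server.

```python
"""Telegram Bot API and beaconing detection over outbound logs (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

BOT_API_HOST = "api.telegram.org"   # endpoint every Telegram bot talks to
BOT_API_ALLOWLIST = {"alerts-01"}   # assumed: hosts that legitimately run a bot
MIN_EVENTS = 6                      # connections needed before judging periodicity
MAX_JITTER_CV = 0.20                # stdev/mean of the gaps below this looks scheduled

# Constructed outbound-connection log (proxy or EDR network telemetry), one
# connection per line: "<utc-time> <host> <process> <destination> <port> <bytes>".
# 203.0.113.0/24 is the TEST-NET-3 documentation range, not a real server.
SAMPLE_LOG = """\
2026-02-03T09:00:00Z ws-017 updater.exe api.telegram.org 443 512
2026-02-03T09:05:02Z ws-017 updater.exe api.telegram.org 443 498
2026-02-03T09:09:58Z ws-017 updater.exe api.telegram.org 443 503
2026-02-03T09:15:01Z ws-017 updater.exe api.telegram.org 443 511
2026-02-03T09:20:00Z ws-017 updater.exe api.telegram.org 443 497
2026-02-03T09:24:59Z ws-017 updater.exe api.telegram.org 443 505
2026-02-03T09:30:03Z ws-017 updater.exe api.telegram.org 443 509
2026-02-03T09:00:10Z ws-031 svc.exe 203.0.113.45 8080 230
2026-02-03T09:01:10Z ws-031 svc.exe 203.0.113.45 8080 231
2026-02-03T09:02:11Z ws-031 svc.exe 203.0.113.45 8080 229
2026-02-03T09:03:09Z ws-031 svc.exe 203.0.113.45 8080 230
2026-02-03T09:04:10Z ws-031 svc.exe 203.0.113.45 8080 232
2026-02-03T09:05:10Z ws-031 svc.exe 203.0.113.45 8080 230
2026-02-03T09:00:05Z ws-022 chrome.exe www.example.com 443 18342
2026-02-03T09:00:07Z ws-022 chrome.exe www.example.com 443 2211
2026-02-03T09:03:40Z ws-022 chrome.exe www.example.com 443 9054
2026-02-03T09:12:15Z ws-022 chrome.exe www.example.com 443 1180
2026-02-03T09:12:16Z ws-022 chrome.exe www.example.com 443 77120
2026-02-03T09:25:00Z ws-022 chrome.exe www.example.com 443 4410
2026-02-03T09:01:00Z alerts-01 notify.py api.telegram.org 443 640
2026-02-03T09:07:00Z alerts-01 notify.py api.telegram.org 443 655
"""


def parse_line(line):
    """Split one log line into a record with a timezone-aware datetime."""
    ts, host, proc, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "process": proc, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def periodicity(timestamps):
    """Return (mean gap in seconds, coefficient of variation), or None if too few events."""
    if len(timestamps) < MIN_EVENTS:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def analyse(lines):
    """Apply both rules to log lines and return a list of alert dicts."""
    records = [parse_line(l) for l in lines if l.strip()]
    alerts = []

    # Rule 1: Bot API contact from a host that is not expected to run a bot.
    seen = set()
    for r in records:
        key = (r["host"], r["process"])
        if r["dst"] == BOT_API_HOST and r["host"] not in BOT_API_ALLOWLIST and key not in seen:
            seen.add(key)
            alerts.append({"rule": "telegram-bot-api", "host": r["host"],
                           "process": r["process"], "dst": r["dst"]})

    # Rule 2: low-jitter periodic connections from one process to one destination.
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["host"], r["process"], r["dst"])].append(r["ts"])
    for (host, proc, dst), stamps in by_flow.items():
        p = periodicity(stamps)
        if p and p[1] < MAX_JITTER_CV:
            alerts.append({"rule": "periodic-beacon", "host": host, "process": proc,
                           "dst": dst, "mean_gap_s": round(p[0], 1),
                           "cv": round(p[1], 3), "events": len(stamps)})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Both rules need destination hostnames, so they depend on proxy logs or TLS SNI being recorded. The beacon rule is deliberately conservative (six events, coefficient of variation under 0.2); an implant that adds large random jitter to its interval will push the CV above that threshold, which is why the Bot API rule is kept independent of timing rather than folded into the beacon check.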
User Awareness
Security awareness training reduces phishing success rates. Users should be trained to:
Identify suspicious emails
Avoid enabling macros
Report unusual activity
What can we do to stop Operation Olalampo?
Operation Olalampo represents a sophisticated cyber-espionage campaign conducted by the Iranian APT group MuddyWater. The operation demonstrates the group’s continuing evolution in both technical capability and operational strategy. Through the deployment of new malware families such as GhostFetch, GhostBackDoor, HTTP_VIP, and CHAR, MuddyWater has created a flexible and stealthy attack framework capable of maintaining persistent access to targeted networks.
The campaign’s use of Telegram-based command-and-control channels and possible artificial intelligence-assisted malware development illustrates the increasing complexity of modern cyber threats. While the core attack methodology remains rooted in phishing and social engineering, the technical sophistication of post-exploitation tools continues to increase.
Operation Olalampo highlights the persistent threat posed by state-sponsored cyber actors and underscores the importance of advanced defensive strategies. As MuddyWater continues to refine its capabilities, organizations in geopolitically sensitive regions must remain vigilant and adopt proactive security measures.
The campaign ultimately demonstrates that advanced persistent threats remain one of the most significant challenges facing modern cybersecurity, particularly as threat actors incorporate new technologies such as artificial intelligence and advanced programming frameworks into their operations.