Operation Olalampo: MuddyWater Unleashes AI-Assisted Rust Malware and Telegram C2 in MENA Espionage Surge

A new wave of targeted cyber‑espionage dubbed “Operation Olalampo” has been attributed to the Iranian threat actor MuddyWater and has been targeting organizations and individuals across the MENA region since January 26, 2026. The campaign deploys four novel malware families—CHAR, GhostBackDoor, GhostFetch, and HTTP_VIP—shows signs of AI‑assisted development, and leverages a Telegram bot for command‑and‑control. #MuddyWater #OperationOlalampo #CHAR #GhostBackDoor #GhostFetch #HTTP_VIP #Telegram

Key points

  • Operation Olalampo—attributed to MuddyWater—began on January 26, 2026, targeting organizations across the MENA region.
  • Researchers discovered four previously unknown malware variants: CHAR, GhostBackDoor, GhostFetch, and HTTP_VIP.
  • Evidence indicates MuddyWater is using AI‑assisted development to speed malware creation and increase automation.
  • The group shifted C2 tactics to abuse legitimate platforms, notably a Telegram bot that revealed post‑exploitation activity and infrastructure reuse.
  • Despite new Rust tooling and variants, the malware shows tradecraft and code overlaps with prior MuddyWater activity such as BlackBeard/Archer RAT.

Read More: https://securityonline.info/operation-olalampo-muddywater-unleashes-ai-assisted-rust-malware-and-telegram-c2-in-mena-espionage-surge/