MuddyWater conducted “Operation Olalampo,” targeting organizations and individuals across the MENA region using new malware variants and Telegram bots for command-and-control, with Group-IB publishing an initial set of seven network IoCs. Follow-up investigation found four domain IoCs (recently registered, administered via Namecheap, with Iceland as the registration country), three IP IoCs (geolocated to the U.S.), extensive DNS/WHOIS linkage including 2,530 email-connected domains, and downloadable sample artifacts. #MuddyWater #OperationOlalampo
Key Points
- MuddyWater’s campaign dubbed “Operation Olalampo” targeted organizations and individuals primarily across the MENA region, leveraging geopolitical tensions.
- The actors deployed new malware variants and used Telegram bots for command-and-control communications.
- Group-IB published seven initial network IoCs consisting of four domains and three IP addresses that were investigated further.
- The four domain IoCs were newly created between 28 Oct 2025 and 2 Feb 2026, administered via Namecheap, and registered in Iceland.
- DNS and WHOIS analysis revealed 10 potential victim IPs communicating with an IoC, 2,530 email-connected domains, six additional malicious IPs, and 55 string-connected domains.
- IP IoC analysis showed the IoCs were geolocated in the U.S. with significant historical IP↔domain resolutions (e.g., 162[.]0[.]230[.]185 → ~1,000 resolutions).
MITRE Techniques
- [None] No MITRE ATT&CK techniques were explicitly mentioned in the article.
Indicators of Compromise
- [Domain] Operation Olalampo domain IoCs identified by Group-IB – jerusalemsolutions[.]com, miniquest[.]org, and 2 more domains.
- [IP Address] Network IoCs and additional malicious IPs observed in the campaign – 162[.]0[.]230[.]185, 209[.]74[.]87[.]100, and 1 more IoC IP (plus six additional malicious IPs identified).
- [Email-connected domains] WHOIS-based linkage used to expand the artifact set – 2,530 email-connected domains discovered (derived from one public WHOIS email address).
- [Domain-to-IP resolutions] Historical DNS resolution counts for domain IoCs – jerusalemsolutions[.]com (16 resolutions), miniquest[.]org (9 resolutions), codefusiontech[.]org (20 resolutions).
- [IP-to-domain resolutions] Historical IP↔domain resolution counts for IP IoCs – 162[.]0[.]230[.]185 (≈1,000 IP-to-domain resolutions), 209[.]74[.]87[.]100 (≈170 resolutions).
- [Sample artifacts] Malware/sample artifacts and additional artifacts available for download from the researcher’s site – downloadable sample bundle (filenames not disclosed).
Read more: https://circleid.com/posts/a-dns-exploration-of-operation-olalampo