MuddyWater launches Operation Olalampo targeting MENA with new Rust backdoor and loaders

A technical analysis by Group-IB found that the Iranian-linked MuddyWater group began Operation Olalampo on January 26, 2026, targeting organisations and individuals across the Middle East and North Africa and deploying multiple custom malware families.

KEY FACTS

  • Incident: Operation Olalampo targeted organisations and individuals in the MENA region
  • Start date: January 26, 2026
  • Primary tools: GhostFetch, GhostBackDoor, HTTP_VIP, CHAR
  • Initial access: Phishing with malicious Microsoft Office documents

The campaign delivered malicious Microsoft Office attachments that prompt recipients to enable macros. The macro code decodes embedded payloads and drops loaders or backdoors on the host to establish persistence and remote access.

GhostFetch operates as a first-stage downloader that profiles the system, validates mouse movement and screen resolution, and checks for debuggers, virtual machines and antivirus before fetching and executing secondary payloads directly in memory. GhostBackDoor is deployed as a second-stage implant that offers an interactive shell and file read/write functions and can re-run GhostFetch.

HTTP_VIP performs system reconnaissance, connects to an external command server at codefusiontech[.]org for authentication and can deploy AnyDesk. CHAR is a Rust backdoor that uses a Telegram bot named “Olalampo” with username “stager_51_bot” to change directories and execute cmd.exe or PowerShell commands on compromised hosts.

CHAR’s debug strings contain emojis consistent with AI-assisted development. The Rust implant shares structure with earlier Rust tools attributed to the group. The campaign also leveraged recently disclosed vulnerabilities in public-facing servers to gain initial access. Commands and dropped components referenced include a SOCKS5 reverse proxy, a backdoor called Kalim, browser data theft and executables named “sh.exe” and “gshdoc_release_X64_GUI.exe”.
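As an added, defender-side example that is not part of the Group-IB report or this article, the following Python triages constructed endpoint telemetry for the behaviour described above: Office processes spawning cmd.exe or PowerShell, lookups of codefusiontech[.]org, the named executables, and non-browser traffic to the Telegram Bot API host. The log fields, hostnames and the assumption that CHAR reaches api.telegram.org directly are the author's own, not taken from the report.

```python
"""Triage constructed endpoint telemetry against the Operation Olalampo indicators in the report."""

# Indicators quoted in the report; the C2 domain is kept defanged exactly as printed.
C2_DOMAINS = {"codefusiontech[.]org"}
DROPPED_EXECUTABLES = {"sh.exe", "gshdoc_release_x64_gui.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# CHAR is tasked through a Telegram bot. Assumption (not stated in the report): the implant
# reaches the Bot API host directly, so a non-browser process contacting it is worth a look.
TELEGRAM_API = "api.telegram.org"


def refang(domain: str) -> str:
    """Turn the printed 'codefusiontech[.]org' form back into a matchable hostname."""
    return domain.lower().replace("[.]", ".")


def triage(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, rule, detail) alerts for DNS, process-creation and network records."""
    c2 = {refang(d) for d in C2_DOMAINS}
    alerts = []
    for rec in records:
        host, kind = rec["host"], rec["type"]
        image = rec.get("image", "").lower()
        if image in DROPPED_EXECUTABLES:
            alerts.append((host, "dropped_executable", image))
        if kind == "dns":
            query = rec["query"].lower().rstrip(".")
            if query in c2 or any(query.endswith("." + d) for d in c2):
                alerts.append((host, "c2_domain", query))
        elif kind == "process":
            # A macro-enabled Office document handing off to cmd.exe or PowerShell.
            if rec.get("parent", "").lower() in OFFICE_PARENTS and image in SHELLS:
                alerts.append((host, "office_spawns_shell", f"{rec['parent']} -> {image}"))
        elif kind == "network":
            if rec["dest"].lower() == TELEGRAM_API and image not in BROWSERS:
                alerts.append((host, "telegram_bot_api", image))
    return alerts


# Constructed sample telemetry (not real data): one host per reported pattern plus benign noise.
SAMPLE_RECORDS = [
    {"type": "process", "host": "ws01", "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"type": "dns", "host": "ws01", "query": "codefusiontech.org."},
    {"type": "process", "host": "ws02", "parent": "explorer.exe", "image": "sh.exe"},
    {"type": "network", "host": "ws02", "image": "gshdoc_release_X64_GUI.exe", "dest": "api.telegram.org"},
    {"type": "dns", "host": "ws03", "query": "example.com"},
    {"type": "network", "host": "ws03", "image": "chrome.exe", "dest": "api.telegram.org"},
]
```

Running `triage(SAMPLE_RECORDS)` yields five alerts for ws01 and ws02 and none for the benign ws03 records; the domain match also covers subdomains of the reported C2 host.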

WHY IT MATTERS

The combination of custom Rust backdoors, multi-stage downloaders and exploit-driven access increases the operational flexibility of the group and the risk it poses to regional organisations. Organisations in affected regions should prioritise email defences, patch public-facing servers and monitor for the described indicators of compromise.