IRAN’S MuddyWater has intensified its cyber operations against Middle Eastern and African organisations, launching a new campaign that delivers several fresh malware strains amid mounting tensions, as Elizabeth Montalbano reports. The campaign, dubbed Operation Olalampo, begins with spear-phishing emails and progresses to second-stage loader and backdoor malware, with Group-IB noting targets across the MENA region and beyond.
One new strain, the Char backdoor, used a Telegram bot as its C2 channel, a finding that helped researchers link the activity to MuddyWater, which is tied to Iran’s MOIS. The group’s attack chain also includes a GhostFetch downloader and a later GhostBackDoor, plus a Microsoft Word document variant that deploys an HTTP_VIP downloader, which then installs AnyDesk for remote access, according to the report.
Group-IB says AI-assisted development appeared in the malware’s command handlers and notes MuddyWater’s broader shift towards AI-enabled tools and diversified C2 infrastructures. The researchers also observed the group occasionally deviating from its usual entry method by exploiting flaws in public-facing servers, with activity first detected on 26 January.