The Iranian hacking group MuddyWater, also known as Earth Vetala, Mango Sandstorm and MUDDYCOAST, has launched a new campaign codenamed Operation Olalampo targeting several organisations and individuals in the MENA region. The activity, first observed on 26 January 2026, involves new malware families including GhostFetch and HTTP_VIP, a Rust backdoor named CHAR, and an advanced implant called GhostBackDoor dropped by GhostFetch, according to Group-IB.
One attack chain uses a malicious Microsoft Office document whose macros, once enabled, drop and execute the payload, giving the adversary remote control of the system, the firm noted. A third variant distributes the HTTP_VIP downloader, which can deploy AnyDesk, while another variant uses themes such as flight tickets and reports to distribute the same downloader.
Group-IB’s analysis highlights signs of AI-assisted development in CHAR’s source and notes that MuddyWater continues to exploit recently disclosed vulnerabilities on public-facing servers to gain initial access. The MuddyWater APT group remains an active threat in the META region, with this operation emphasising its use of AI and diversified C2 infrastructure to broaden its reach, according to Group-IB.