The Iranian threat actor MuddyWater has launched a new cyberespionage campaign titled Operation Olalampo, targeting organizations across the Middle East and North Africa. This operation utilizes a variety of new malware families, including specialized downloaders and backdoors, to gain remote control over infected systems through phishing and malicious macros.
The hacking collective known as MuddyWater has initiated a fresh wave of cyberattacks primarily focused on the Middle East and North Africa under the moniker Operation Olalampo. Security researchers first identified this activity in late January 2026, noting that the campaign involves the deployment of several new malware strains. These tools, while newly identified, share significant code overlaps with previous samples linked to this specific threat group. The primary objective of these incursions is to establish a persistent foothold within target networks to facilitate data theft and system monitoring.
The attack methodology begins with traditional phishing tactics, where targets receive emails containing malicious Microsoft Office attachments. When a user is tricked into enabling macros in one of these documents, the embedded macro code runs and drops a payload onto the local system. In one version of this chain, a malicious Excel document installs a Rust-based backdoor that lets the attackers issue commands remotely. Using deceptive documents to trigger infection remains a hallmark of the group's operational strategy.
Further variations of the attack involve a first-stage downloader designed to evade automated analysis. Before doing anything else, it profiles the host: it checks for mouse movement and a plausible screen resolution, and looks for installed antivirus software and signs of a virtual machine. If the host looks like a real user's workstation rather than an analysis sandbox, it fetches a second, more capable implant that functions as an interactive shell. This lets the adversaries read and write files and keep a persistent presence on the compromised machine without triggering immediate alarms.
Another branch of the campaign uses lures related to flight tickets and corporate reports to distribute a native downloader. This malware connects to attacker infrastructure to register the victim and then deploys legitimate remote desktop software, such as AnyDesk, to give the operators unauthorized interactive access. Recent updates to this tool have expanded its capabilities: it can now capture clipboard contents, retrieve victim information, and change how often it checks in with its command server.
The technical arsenal used in Operation Olalampo is rounded out by a backdoor controlled through a Telegram bot. The bot serves as the command-and-control interface, letting the threat actors execute commands through PowerShell or the Windows command prompt. Because the backdoor's traffic goes to Telegram's own API endpoints, it blends in with legitimate messaging traffic rather than standing out as a connection to attacker-owned infrastructure. By mixing programming languages and unconventional communication channels such as Telegram, MuddyWater keeps evolving its toolkit to evade standard security controls and sustain its intelligence-gathering operations in the MENA region.
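The chain described above exposes three host-observable behaviours that do not depend on knowing any specific sample: an Office application spawning a script host or a freshly dropped binary, a remote-access tool such as AnyDesk started by a downloader rather than by the user or an installer, and a non-browser process polling the Telegram Bot API on a steady timer. The Python below is an added example showing how those behaviours can be expressed as detection rules over process-creation and network telemetry; it is not code from the report or from the campaign's tooling. The event schema, file paths, bot token and timestamps are all constructed for illustration and are not indicators from Operation Olalampo.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Behavioural rules for the phishing -> dropper -> remote-access / Telegram C2 chain.
# Everything below (event shape, paths, token, timings) is constructed sample data.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
REMOTE_TOOLS = {"anydesk.exe"}
# Parents from which a user or an installer would normally start a remote-access tool.
EXPECTED_TOOL_PARENTS = {"explorer.exe", "msiexec.exe", "services.exe"}

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# Telegram Bot API requests carry the bot token in the URL path: /bot<id>:<secret>/<method>
TELEGRAM_BOT = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/", re.I)


def basename(path):
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules a single event triggers (empty list if none)."""
    hits = []
    if event["type"] == "process":
        parent, child = basename(event["parent_image"]), basename(event["image"])
        # A macro-enabled document spawning a script host or a binary dropped under the user profile.
        if parent in OFFICE_APPS and (child in SCRIPT_HOSTS or USER_WRITABLE.search(event["image"])):
            hits.append("office_spawn")
        # A remote desktop tool launched by something other than the user shell or an installer.
        if child in REMOTE_TOOLS and parent not in EXPECTED_TOOL_PARENTS:
            hits.append("remote_tool_unexpected_parent")
    elif event["type"] == "network":
        url = urlparse(event["url"])
        # Bot API polling from a non-browser process is how a Telegram-controlled backdoor fetches commands.
        if (url.hostname == "api.telegram.org" and TELEGRAM_BOT.search(url.path)
                and basename(event["image"]) not in BROWSERS):
            hits.append("telegram_bot_c2")
    return hits


def scan(events):
    """Run every rule over every event; returns (event id, rule name) pairs."""
    return [(e["id"], rule) for e in events for rule in evaluate(e)]


def beacon_candidates(events, min_requests=4, max_cv=0.2):
    """Flag (process, host) pairs whose request intervals are nearly constant.

    A configurable check-in interval still yields low-jitter timing between polls;
    the coefficient of variation of the gaps separates that from human browsing.
    """
    times = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            times[(basename(e["image"]), urlparse(e["url"]).hostname)].append(e["ts"])
    flagged = []
    for key, ts in times.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged.append(key)
    return flagged


# Constructed telemetry: an Excel macro drops report.exe, which launches AnyDesk and
# polls the Telegram Bot API every 60 s; a user-started browser and AnyDesk are benign.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\report.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"id": 1, "ts": 0, "type": "process", "parent_image": OFFICE + r"\EXCEL.EXE", "image": DROPPER},
    {"id": 2, "ts": 5, "type": "process", "parent_image": r"C:\Windows\explorer.exe", "image": CHROME},
    {"id": 3, "ts": 20, "type": "process", "parent_image": DROPPER,
     "image": r"C:\Users\alice\AppData\Roaming\AnyDesk\AnyDesk.exe"},
    {"id": 4, "ts": 25, "type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"id": 5, "ts": 30, "type": "process", "parent_image": OFFICE + r"\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
]
SAMPLE_EVENTS += [
    {"id": 100 + i, "ts": 60 + 60 * i, "type": "network", "image": DROPPER,
     "url": "https://api.telegram.org/bot123456789:AAExampleTokenNotReal/getUpdates"}
    for i in range(5)
]
SAMPLE_EVENTS += [
    {"id": 200 + i, "ts": t, "type": "network", "image": CHROME, "url": "https://web.telegram.org/a/"}
    for i, t in enumerate([10, 25, 310, 320])
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
    print("beaconing:", beacon_candidates(SAMPLE_EVENTS))
```

The rules are deliberately coarse. In production the Office-spawn rule needs an allow-list for legitimate add-ins, and the Bot API rule should also cover proxied or DNS-only visibility, where the token in the path is not available and only the destination host and the periodicity remain; the interval check is what still works in that case.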
Source: MuddyWater Targets Mena Orgs With GhostFetch, Char, And HTTP VIP