MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP
• The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted several organizations and individuals mainly located across the Middle East and North Africa (MENA) region as part of a new campaign codenamed Operation Olalampo.
• The activity, first observed on January 26, 2026, has resulted in the deployment of new malware families that share overlaps with samples previously identified as used by the threat actor, according to a report published by Group-IB.
• These include downloaders like GhostFetch and HTTP_VIP, along with a Rust backdoor called CHAR and an advanced implant codenamed GhostBackDoor that’s dropped by GhostFetch.
• “These attacks follow similar patterns and align with the kill chains previously observed in MuddyWater attacks; starting with a phishing email with a Microsoft Office document attached to it that contains malicious macro code that decodes the embedded payload and drops it on the system and executes it, providing the adversary with remote control of the system,” the company said.
• One such attack chain employing a malicious Microsoft Excel document prompts users to enable macros in order to activate the infection and ultimately drop CHAR.
• Another variant of the same attack has been found to lead to the deployment of the GhostFetch downloader, which then downloads GhostBackDoor.
Article Summaries:
- MuddyWater, an Iranian hacking group, launched a new campaign, Operation Olalampo, on 26 January 2026 targeting organizations across the Middle East and North Africa. Group‑IB reports the deployment of several new malware families, including the downloader GhostFetch, the Rust backdoor CHAR, and the HTTP_VIP downloader that installs AnyDesk. Attacks begin with phishing emails carrying malicious Microsoft Office documents whose macros, once enabled by the user, drop the payloads. GhostFetch profiles the system, bypasses defenses, and can re‑deploy itself, while CHAR is controlled via a Telegram bot and may launch a SOCKS5 reverse proxy or additional backdoors. Analysis of CHAR’s code suggests AI‑assisted development, indicating the group’s use of generative‑AI tools.
- MuddyWater, the Iranian threat group also known as Earth Vetala and Mango Sandstorm, launched a new campaign, Operation Olalampo, targeting Middle East and North Africa (MENA) organizations. First seen on 26 January 2026, the attack chain begins with phishing emails containing malicious Microsoft Office documents that trigger macros to drop a downloader. The group now uses four new tools: GhostFetch (a first‑stage downloader that profiles the system and loads GhostBackDoor), GhostBackDoor (a Rust‑based backdoor with interactive shell capabilities), HTTP_VIP (which authenticates to an external server and deploys AnyDesk), and CHAR (a Rust backdoor controlled via a Telegram bot). Group‑IB notes AI‑assisted development in CHAR’s code and similarities to the Rust‑based BlackBeard malware.
Sources:
- https://thehackernews.com/2026/02/muddywater-targets-mena-organizations.html (Latest source article published: 2026-02-23 07:25 UTC)