A well-known hacking group called MuddyWater has launched a new cyberattack campaign targeting organizations in the Middle East and North Africa (MENA). Security researchers have named this campaign “Operation Olalampo.” The activity was first observed on January 26, 2026. Experts say the attacks mainly focus on government bodies, businesses, and critical sectors in the region.
MuddyWater is believed to be linked to Iran and has been active for several years. The group is known for conducting cyber-espionage operations. In this latest campaign, researchers noticed the use of new malware tools and updated techniques. These changes suggest the group is trying to improve its ability to avoid detection.
The attack usually starts with phishing emails sent to victims. These emails contain Microsoft Office documents that appear legitimate. When the victim opens the file and enables macros, malicious code runs in the background. This action allows the attackers to begin installing malware on the system.
One of the main tools used in this campaign is called GhostFetch. GhostFetch works as a downloader that prepares the system for further infection. Before running, it checks whether it is inside a testing or analysis environment, looking at factors such as mouse activity, screen resolution, and the presence of antivirus software, so that it can stay dormant and avoid detection when analysis is suspected.
Another tool identified in the campaign is HTTP_VIP. This malware also functions as a downloader and communicates with attacker-controlled servers over the internet. It can deploy additional malware and even install legitimate remote access tools like AnyDesk. Once active, it can collect system information, upload files, and capture clipboard data from the victim’s device.
The attackers also use a backdoor named CHAR, which is written in the Rust programming language. A backdoor allows long-term access to an infected computer without the user knowing. CHAR is controlled through a Telegram bot, enabling attackers to send commands remotely. This method helps them manage infected systems using a common messaging platform.
In some cases, GhostFetch installs another component known as GhostBackDoor. This tool provides deeper control over the compromised machine. Attackers can browse files, execute commands, and maintain continued access. It also allows them to re-install or update other malware components if required.
Researchers have observed signs that parts of this campaign may involve AI-assisted development. Some malware samples contained unusual debug strings, including emojis, something that is uncommon in traditional malicious code. This suggests the attackers may be experimenting with modern development tools. Overall, Operation Olalampo shows that MuddyWater continues to evolve its tactics and remains an active threat in the MENA region.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news