Operation Olalampo: MuddyWater Deploys AI-Assisted Rust Malware Across MENA

Jan 26 - Mar 2026 · MENA espionage

HIGH

By Karim El Labban · ZERO|TOLERANCE

On January 26, 2026, the Iranian state-aligned APT group MuddyWater - tracked by researchers as Earth Vetala (Trend Micro), Mango Sandstorm (Microsoft), and MUDDYCOAST (NATO) - launched a structured cyber offensive campaign designated Operation Olalampo.

The campaign targets government and enterprise organizations across the Middle East and North Africa. Group-IB published a detailed analysis in February 2026, documenting new malware families, AI-assisted development techniques, and diversified command-and-control infrastructure.

01

KEY FACTS

  • What: Iranian APT espionage campaign targeting MENA governments and enterprises.
  • Who: MuddyWater (MOIS-linked), one of Iran's most persistent cyber operations groups.
  • New Malware: GhostFetch, CHAR (Rust backdoor), HTTP_VIP, GhostBackDoor.
  • Innovation: AI-assisted malware development - confirmed by researchers.
  • C2 Infrastructure: Telegram channels used for command-and-control.
  • Targets: Government ministries, defense, energy, telecommunications across Gulf states.

02

WHAT HAPPENED

On January 26, 2026, MuddyWater - an Iranian state-aligned APT group linked to Iran's Ministry of Intelligence and Security (MOIS) - launched Operation Olalampo, a structured espionage campaign targeting government and enterprise organizations across the Middle East and North Africa.

The group, tracked as Earth Vetala by Trend Micro, Mango Sandstorm by Microsoft, and MUDDYCOAST by NATO, deployed a new arsenal of malware families purpose-built for this campaign.

Group-IB published a detailed technical analysis in February 2026, documenting the operation's scope and capabilities.

Initial access followed two parallel vectors. The primary path used spear-phishing emails containing Microsoft Office documents with embedded malicious macro code. When opened, these documents decoded payloads that established remote access to compromised systems.

The secondary path exploited recently disclosed vulnerabilities on public-facing servers - ensuring that organizations with strong email filtering could still be reached through unpatched internet-exposed infrastructure.

This dual-vector approach reflects operational maturity and deliberate redundancy planning.

The campaign introduced four new malware families: GhostFetch, a downloader that establishes initial footholds and retrieves secondary payloads; CHAR, MuddyWater's first known Rust-based backdoor; HTTP_VIP, an alternative HTTP-based downloader providing C2 redundancy; and GhostBackDoor, an advanced implant enabling persistent access, keylogging, screen capture, and data exfiltration.

Group-IB confirmed that MuddyWater employed AI-assisted techniques in malware development - a qualitative shift in the group's capability.

Command-and-control communications were routed through Telegram channels, making C2 traffic harder to distinguish from legitimate messaging activity.

03

THE MALWARE ARSENAL

GhostFetch: A downloader that establishes an initial foothold and retrieves secondary payloads. Drops GhostBackDoor - an advanced implant providing persistent access, keylogging, screen capture, and data exfiltration capabilities.

CHAR: A Rust-based backdoor - MuddyWater's first known use of Rust for malware development. Rust's memory-safety guarantees make the malware more stable, and its compiled binaries are harder to reverse-engineer. The choice of Rust indicates a deliberate investment in tooling sophistication.

HTTP_VIP: An alternative downloader using HTTP-based communication, providing redundancy if Telegram-based channels are disrupted.

Telegram C2: Using Telegram's API for command-and-control makes traffic harder to distinguish from legitimate messaging activity. Multiple Telegram channels provide redundant C2 paths.
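
Telegram Bot API traffic is less indistinguishable than it first appears: the official Telegram clients speak MTProto to Telegram's data-centre addresses, while a bot-driven implant has to call the HTTPS Bot API at api.telegram.org with a URL path of the form /bot<id>:<token>/<method>. The following detection is an added example, not code from the article or from Group-IB's analysis. It assumes web-proxy logs in a simple space-separated layout, uses the bot ID 8398566164 published in the IoC list further down, and treats every bot token and log line below as a constructed placeholder.

```python
"""Detect Telegram Bot API polling in web-proxy logs.

Added example (not code from the article or from Group-IB). It assumes that
genuine Telegram desktop/mobile clients never use the HTTPS Bot API, so a
workstation calling api.telegram.org with a /bot<id>:<token>/ path is either
an approved integration or something to investigate. Log lines are constructed.
"""
import re
from urllib.parse import urlsplit

BOT_API_HOST = "api.telegram.org"
# Every Bot API call has the path shape /bot<numeric id>:<secret token>/<method>
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>\w+)")
# Methods a stager needs in order to poll for tasking and return results
TASKING_METHODS = {"getUpdates", "sendMessage", "sendDocument", "getFile"}
# Bot ID published in the article's IoC list (stager_51_bot, display name Olalampo)
KNOWN_C2_BOT_IDS = {"8398566164"}

# Constructed proxy log lines: <timestamp> <src_ip> <user> <method> <url> <status>
# (tokens are placeholders, not real credentials)
SAMPLE_PROXY_LOG = """\
2026-02-03T09:14:02Z 10.20.4.17 jdoe GET https://api.telegram.org/bot8398566164:AAHexampleTOKENplaceholder/getUpdates?offset=12 200
2026-02-03T09:14:03Z 10.20.4.17 jdoe POST https://api.telegram.org/bot8398566164:AAHexampleTOKENplaceholder/sendDocument 200
2026-02-03T09:14:05Z 10.20.4.22 asmith GET https://www.microsoft.com/en-us/ 200
2026-02-03T09:14:09Z 10.20.4.31 svc-chatops POST https://api.telegram.org/bot123456:exampleSERVICEtoken/sendMessage 200
2026-02-03T09:14:11Z 10.20.4.40 rlee GET https://telegram.org/ 200
"""


def parse_proxy_line(line):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, user, method, url, status = parts
    return {"ts": ts, "src": src, "user": user, "method": method, "url": url, "status": status}


def classify_bot_api_call(url):
    """Return (bot_id, method) if url is a Telegram Bot API call, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != BOT_API_HOST:
        return None
    m = BOT_PATH.match(parts.path)
    if not m:
        return None
    return m.group("bot_id"), m.group("method")


def detect_bot_api_c2(log_text, allowlisted_sources=frozenset()):
    """Return findings for Bot API use from sources not on the allowlist.

    The token is deliberately not copied into a finding: it is a live
    credential for the bot and should not spread through ticketing systems.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None or rec["src"] in allowlisted_sources:
            continue
        hit = classify_bot_api_call(rec["url"])
        if hit is None:
            continue
        bot_id, method = hit
        if bot_id in KNOWN_C2_BOT_IDS:
            severity = "high"      # matches the published Olalampo bot
        elif method in TASKING_METHODS:
            severity = "medium"    # unknown bot, but a polling/tasking pattern
        else:
            severity = "low"
        findings.append({"ts": rec["ts"], "src": rec["src"], "user": rec["user"],
                         "bot_id": bot_id, "method": method, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect_bot_api_c2(SAMPLE_PROXY_LOG, allowlisted_sources={"10.20.4.31"}):
        print(f"[{f['severity']}] {f['ts']} {f['src']} ({f['user']}) bot {f['bot_id']} -> {f['method']}")
```

The allowlist is the edge case that matters in practice: many organisations have a legitimate chat-ops integration posting to Telegram from one service host, so the rule keys on source host plus bot ID rather than blocking the API host outright. An unknown bot ID polling getUpdates from a user workstation still surfaces as a medium finding.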

04

THE AI DIMENSION

Group-IB's analysis confirmed that MuddyWater is using AI-assisted techniques in malware development. This represents a qualitative shift - the group is using AI to accelerate code generation and obfuscation, and potentially to adapt malware behavior to the target environment.

This aligns with the broader trend of state-sponsored groups incorporating AI into offensive operations, as documented by the UAE Cybersecurity Council's February 2026 report on AI-powered attack tools.

05

ATTACK METHODOLOGY

Initial access follows two paths: phishing emails with Microsoft Office documents containing malicious macro code, and exploitation of recently disclosed vulnerabilities on public-facing servers.

The phishing documents decode embedded payloads that provide remote control of compromised systems. The dual-vector approach ensures that organizations with strong email security can still be reached through unpatched internet-facing infrastructure.

06

INDICATORS OF COMPROMISE

Threat Actor:

  • MuddyWater / Earth Vetala / Mango Sandstorm / MUDDYCOAST
  • Sponsor: Iran MOIS

Malware Families:

  • GhostFetch - First-stage downloader
  • CHAR (LampoRAT) - Rust-based backdoor, first known MuddyWater use of Rust
  • HTTP_VIP - HTTP-based downloader, deploys AnyDesk
  • GhostBackDoor - Second-stage implant

C2 Domains:

  • codefusiontech[.]org
  • miniquest[.]org
  • promoverse[.]org
  • jerusalemsolutions[.]com

C2 IP Addresses:

  • 162[.]0[.]230[.]185
  • 209[.]74[.]87[.]100
  • 143[.]198[.]5[.]41
  • 209[.]74[.]87[.]67

Telegram C2:

  • Bot: stager_51_bot (ID: 8398566164, display name: Olalampo)

File Hashes:

  • SHA256: 81a6e6416eb7ab6ce6367c6102c031e2ae2730c3c50ab9ce0b8668fec3487848 (CHAR/LampoRAT)

Persistence:

  • Service name: MicrosoftVersionUpdater
  • Process masquerading as avp.exe (Kaspersky)
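
A compact sweep that turns the indicator list above into checks over host and network telemetry, as an added example that is not part of the article or Group-IB's report. The indicator values are the ones published above, refanged for matching; the telemetry records are constructed, and the Kaspersky installation directories used to judge whether an avp.exe path is genuine are an assumption about a default install.

```python
"""Sweep telemetry for the Operation Olalampo indicators listed above.

Added example, not from the article or Group-IB. The indicator values are the
ones published in the article (refanged here); the telemetry records are
constructed, and the Kaspersky install roots used to judge an avp.exe path are
an assumption about a default installation.
"""


def refang(ioc):
    """Turn a defanged indicator like example[.]org back into a matchable value."""
    return ioc.replace("[.]", ".")


C2_DOMAINS = {refang(d) for d in (
    "codefusiontech[.]org", "miniquest[.]org", "promoverse[.]org", "jerusalemsolutions[.]com")}
C2_IPS = {refang(ip) for ip in (
    "162[.]0[.]230[.]185", "209[.]74[.]87[.]100", "143[.]198[.]5[.]41", "209[.]74[.]87[.]67")}
MALWARE_SHA256 = {
    "81a6e6416eb7ab6ce6367c6102c031e2ae2730c3c50ab9ce0b8668fec3487848": "CHAR/LampoRAT"}
PERSISTENCE_SERVICE = "microsoftversionupdater"
MASQUERADED_IMAGE = "avp.exe"
# Assumed default Kaspersky install roots; an avp.exe anywhere else is suspect
KASPERSKY_ROOTS = ("c:\\program files (x86)\\kaspersky lab\\", "c:\\program files\\kaspersky lab\\")


def domain_matches(name):
    """True for an exact C2 domain or any subdomain of one (not a suffix overlap)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def avp_masquerade(image_path):
    """True when a binary named avp.exe runs outside the Kaspersky directories."""
    path = image_path.lower().replace("/", "\\")
    if path.rsplit("\\", 1)[-1] != MASQUERADED_IMAGE:
        return False
    return not path.startswith(KASPERSKY_ROOTS)


def sweep(records):
    """Return (record index, reason) for every record that matches an indicator."""
    findings = []
    for i, rec in enumerate(records):
        kind = rec["type"]
        if kind == "dns" and domain_matches(rec["query"]):
            findings.append((i, f"DNS query for C2 domain {rec['query']}"))
        elif kind == "conn" and rec["dst_ip"] in C2_IPS:
            findings.append((i, f"connection to C2 address {rec['dst_ip']}"))
        elif kind == "file" and rec["sha256"].lower() in MALWARE_SHA256:
            findings.append((i, f"{MALWARE_SHA256[rec['sha256'].lower()]} sample at {rec['path']}"))
        elif kind == "service" and rec["name"].lower() == PERSISTENCE_SERVICE:
            findings.append((i, f"persistence service {rec['name']}"))
        elif kind == "process" and avp_masquerade(rec["image"]):
            findings.append((i, f"avp.exe masquerade at {rec['image']}"))
    return findings


# Constructed telemetry from an imaginary host; nothing here is real data
SAMPLE_TELEMETRY = [
    {"type": "dns", "query": "update.codefusiontech.org"},
    {"type": "dns", "query": "www.example.com"},
    {"type": "conn", "dst_ip": "209.74.87.100", "dst_port": 443},
    {"type": "conn", "dst_ip": "93.184.216.34", "dst_port": 443},
    {"type": "file", "path": "C:\\Users\\Public\\update.exe",
     "sha256": "81A6E6416EB7AB6CE6367C6102C031E2AE2730C3C50AB9CE0B8668FEC3487848"},
    {"type": "service", "name": "MicrosoftVersionUpdater"},
    {"type": "process", "image": "C:\\ProgramData\\Updater\\avp.exe"},
    {"type": "process", "image": "C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security\\avp.exe"},
]

if __name__ == "__main__":
    for idx, reason in sweep(SAMPLE_TELEMETRY):
        print(f"record {idx}: {reason}")
```

Two details carry most of the value: hashes are compared case-insensitively because EDR and sandbox exports disagree on case, and domain matching requires a dot boundary so that a lookalike such as notminiquest.org does not fire on the miniquest[.]org indicator.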

07

ZERO|TOLERANCE Advisory

1. Macro Execution Policies - block VBA macros from internet-sourced Office documents

2. Telegram Traffic Monitoring - inspect and control Telegram API traffic at network boundaries

3. Rust Binary Analysis - invest in Rust reverse-engineering capabilities for SOC teams

4. Threat Intelligence Sharing - participate in MENA-specific threat intelligence platforms

5. Public-Facing Server Hardening - aggressive patching cadence for internet-exposed systems

08

SOURCES

Group-IB, The Hacker News, SC Media, SecurityOnline, Halcyon, ThousandGuards
