MuddyWater APT Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP


MuddyWater APT Group Targets MENA Organizations with Advanced Malware Tools

A recent campaign by the Iranian threat actor known as MuddyWater has targeted organizations in the Middle East and North Africa (MENA) region, deploying new malware families and leveraging advanced tactics to gain remote access to victim systems.

Operation Olalampo

Dubbed Operation Olalampo, the campaign was first observed on January 26, 2026, and has been linked to the group’s continued use of artificial intelligence (AI) technology to support its malicious activities.

The attack chain typically begins with a phishing email carrying a malicious Microsoft Office document that lures the recipient into enabling macros. Once the macro runs, it drops additional payloads, including the GhostFetch and CHAR backdoors, which give the attackers remote control of the compromised system.
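A defender's first check on the lure described above is whether an attachment actually contains VBA, regardless of its extension. The following is an added example, not code from the original article or from Group-IB; it classifies an Office file by inspecting the OOXML container for a `vbaProject.bin` part (a `.docm` renamed to `.docx` still carries one) and flags legacy OLE2 binaries, which need a dedicated parser such as olevba, for deeper inspection. The sample documents it builds in memory are constructed for the demonstration.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 compound file (.doc/.xls/.ppt) container.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Standard OOXML part names under which Word, Excel and PowerPoint store VBA.
VBA_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_office_file(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'not-office'.

    The decision keys on container contents, not on the file extension,
    because renaming .docm to .docx leaves word/vbaProject.bin in place.
    """
    if data.startswith(OLE_MAGIC):
        # Legacy OLE2 files can hold VBA streams; extracting them needs an
        # OLE parser (e.g. oletools' olevba), so hand them off for inspection.
        return "ole-legacy"
    if not data.startswith(b"PK\x03\x04"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    if "[Content_Types].xml" not in names:
        # A zip without the OOXML content-types part is not an Office package.
        return "not-office"
    if any(member in names for member in VBA_MEMBERS):
        return "ooxml-macro"
    return "ooxml-clean"


def build_sample_docx(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML package for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 stream; a header suffices here.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("clean.docx", build_sample_docx(False)),
        ("renamed.docx", build_sample_docx(True)),
        ("legacy.doc", OLE_MAGIC + b"\x00" * 512),
        ("notes.txt", b"hello"),
    )
    for name, blob in samples:
        print(f"{name}: {classify_office_file(blob)}")
```

Run it against a mail-gateway quarantine directory by reading each attachment into `classify_office_file`; anything returning `ooxml-macro` or `ole-legacy` should be held for analysis before delivery.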

GhostFetch and CHAR Backdoors

GhostFetch is a first-stage backdoor that supports an interactive shell, file read/write, and re-run capabilities, while CHAR is a Rust-based backdoor controlled by a Telegram bot. The bot, named “Olalampo,” is used to execute commands, upload stolen data, and run unknown executables.
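Because CHAR takes its tasking from a Telegram bot, its traffic goes to the public Bot API rather than to attacker-owned infrastructure, so host and process context matter more than destination reputation. The following detection is an added example, not code from the original article or from Group-IB: it runs over constructed proxy log lines (the process name, bot ID and token are made up) and groups token-bearing `api.telegram.org/bot<id>:<secret>/<method>` requests by endpoint and process, separating polling (`getUpdates`) from upload methods used to push data out.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Telegram Bot API requests embed the bot token in the URL path:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# A user's Telegram client never uses this path, so a token-bearing request
# from an arbitrary process is the signal to alert on.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")
TELEGRAM_API_HOSTS = {"api.telegram.org"}
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}

# Constructed proxy log lines (not real telemetry). Field order:
#   timestamp client_host user process method url
# The process name and the bot token are invented for this example.
SAMPLE_LOG = """\
2026-01-27T08:00:01Z wks-14 alice chrome.exe GET https://www.example.com/
2026-01-27T08:00:05Z wks-14 alice svchost_update.exe GET https://api.telegram.org/bot7123456789:AAF3xKq9LmN2pQrStUvWxYz01234567890Ab/getUpdates
2026-01-27T08:00:35Z wks-14 alice svchost_update.exe GET https://api.telegram.org/bot7123456789:AAF3xKq9LmN2pQrStUvWxYz01234567890Ab/getUpdates
2026-01-27T08:01:02Z wks-14 alice svchost_update.exe POST https://api.telegram.org/bot7123456789:AAF3xKq9LmN2pQrStUvWxYz01234567890Ab/sendDocument
2026-01-27T08:01:10Z wks-22 bob chrome.exe GET https://web.telegram.org/
"""


def parse_line(line: str):
    """Split one whitespace-delimited proxy record; return None if malformed."""
    parts = line.split(maxsplit=5)
    if len(parts) != 6:
        return None
    ts, host, user, proc, method, url = parts
    return {"ts": ts, "host": host, "user": user, "process": proc,
            "method": method, "url": url}


def find_telegram_bot_c2(log_text: str):
    """Group token-bearing Bot API requests by (client host, process, bot_id)."""
    groups = defaultdict(lambda: {"requests": 0, "methods": set(),
                                  "first": None, "last": None, "hint": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = urlparse(rec["url"])
        if u.hostname not in TELEGRAM_API_HOSTS:
            continue
        m = BOT_PATH_RE.match(u.path)
        if not m:
            continue
        bot_id, secret, api_method = m.groups()
        g = groups[(rec["host"], rec["process"], bot_id)]
        g["requests"] += 1
        g["methods"].add(api_method)
        g["first"] = g["first"] or rec["ts"]
        g["last"] = rec["ts"]
        # Keep only a prefix of the secret so the alert itself does not leak a usable token.
        g["hint"] = f"{bot_id}:{secret[:4]}..."
    findings = []
    for (host, proc, bot_id), g in sorted(groups.items()):
        findings.append({
            "host": host, "process": proc, "bot_id": bot_id,
            "token_hint": g["hint"], "requests": g["requests"],
            "methods": sorted(g["methods"]),
            "polls": "getUpdates" in g["methods"],
            "uploads": bool(g["methods"] & UPLOAD_METHODS),
            "first_seen": g["first"], "last_seen": g["last"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_telegram_bot_c2(SAMPLE_LOG):
        print(finding)
```

The grouping key deliberately includes the process name: the same bot ID reached from several hosts points at one operator's infrastructure, and an `uploads` hit right after repeated `getUpdates` polls is the sequence to prioritise, since it matches the tasking-then-exfiltration pattern the article attributes to CHAR.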

Group-IB’s analysis of CHAR’s source code has revealed signs of AI-assisted development, including the presence of emojis in debug strings. This finding is consistent with previous reports that MuddyWater is experimenting with generative AI tools to support the development of custom malware.

Exploiting Vulnerabilities and Adopting Diversified C2 Infrastructures

The use of AI technology is not the only notable aspect of this campaign. MuddyWater has also been observed exploiting recently disclosed vulnerabilities on public-facing servers to gain initial access to target networks, which makes timely patching of internet-exposed systems a direct mitigation. In addition, the group's adoption of diversified command-and-control (C2) infrastructures, including the Telegram bot channel used by CHAR, points to a deliberate investment in operations that are harder to block by taking down a single server.

Conclusion

The MuddyWater APT group remains an active threat across the Middle East, Turkey and Africa (META), with this operation primarily targeting organizations in the MENA region. The group's continued development of custom malware and tooling, combined with its use of AI technology, makes it a formidable opponent for cybersecurity professionals.

Recommendations

In response to this threat, organizations are advised to remain vigilant and implement robust security measures to prevent and detect MuddyWater's tactics, techniques, and procedures (TTPs). This includes blocking or quarantining macro-enabled Office attachments at the mail gateway, monitoring for suspicious activity such as unexpected processes contacting the Telegram Bot API, promptly patching public-facing servers against known vulnerabilities, and educating users about the risks of phishing and social engineering attacks.
