MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP

The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted organizations and individuals located primarily across the Middle East and North Africa (MENA) region as part of a new campaign code-named Operation Olalampo.
The activity, first spotted on January 26, 2026, led to the deployment of new malware families that overlap with samples previously attributed to the threat actor, according to a report published by Group-IB. These include the downloaders GhostFetch and HTTP_VIP, a Rust backdoor called CHAR, and a second-stage backdoor called GhostBackDoor that is dropped by GhostFetch.
“This attack follows the same patterns and is consistent with the execution previously seen in the MuddyWater attack; it starts with a phishing email with a Microsoft Office document attached to it that contains malicious macro codes that determine the embedded volume and drop it into the system and execute it, providing the adversary with remote control of the system,” the company said.
One attack chain uses a malicious Microsoft Excel document that urges users to enable macros, which activates the infection and ultimately drops CHAR. Another variant of the same attack leads to the GhostFetch downloader, which in turn downloads GhostBackDoor.
A third version of the attack uses lures such as airline tickets and reports, as opposed to decoys impersonating a Middle East energy and maritime company, to distribute the HTTP_VIP downloader along with the AnyDesk remote desktop software.
A brief description of the four tools follows:
- GhostFetch, a first-stage loader that profiles the system, checks for mouse movement and screen resolution, looks for debuggers, virtual machine artifacts, and antivirus software, and downloads and loads secondary payloads directly in memory.
- GhostBackDoor, a second-stage backdoor delivered by GhostFetch that supports an interactive shell, file read/write, and restarting GhostFetch.
- HTTP_VIP, a native downloader that runs system probes and connects to an external server (“codefusiontech[.]org”) to verify and uninstall AnyDesk from the C2 server. The new variant of the malware also adds the ability to collect victim information and receive instructions to launch an interactive shell, download/upload files, capture clipboard contents, and update sleep/wakeup intervals.
- CHAR, a Rust backdoor controlled through a Telegram bot (first name “Olalampo,” username “stager_51_bot”) that can change directory and execute cmd.exe or PowerShell commands.
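As an added illustration that is not part of the Group-IB report, the script below triages constructed proxy log lines and flags hosts that either contact the HTTP_VIP domain quoted above or talk to the Telegram Bot API, the tasking channel described for CHAR; the log format, host names and bot token are assumptions made for the example.

```python
import re
from collections import defaultdict

# Indicator quoted in the report (defanged there as codefusiontech[.]org).
HTTP_VIP_C2_DOMAIN = "codefusiontech.org"

# Telegram Bot API calls have the form https://api.telegram.org/bot<token>/<method>.
# A workstation polling getUpdates or posting sendMessage/sendDocument on a bot
# token is unusual in most environments; legitimate internal bots should be
# allow-listed before this fires in production.
TELEGRAM_BOT_API = re.compile(
    r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(getUpdates|sendMessage|sendDocument)"
)

# Constructed sample proxy log: <timestamp> <src_host> <method> <url>
# (the bot token below is made up and not a real credential).
SAMPLE_LOGS = """\
2026-01-26T09:14:02Z ws-0142 GET https://api.telegram.org/bot123456789:AAFakeTokenForExample/getUpdates
2026-01-26T09:14:05Z ws-0142 POST https://api.telegram.org/bot123456789:AAFakeTokenForExample/sendMessage
2026-01-26T09:20:11Z ws-0077 GET https://codefusiontech.org/check
2026-01-26T09:21:40Z ws-0003 GET https://www.example.com/news
2026-01-26T09:22:03Z ws-0077 GET https://codefusiontech.org/anydesk
"""


def triage_proxy_logs(log_text: str) -> dict:
    """Return {host: [reasons]} for hosts whose traffic matches the report's C2 patterns."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the triage
        _ts, host, _method, url = parts
        if HTTP_VIP_C2_DOMAIN in url.lower():
            hits[host].append(f"HTTP_VIP C2 domain contacted: {url}")
        match = TELEGRAM_BOT_API.search(url)
        if match:
            hits[host].append(f"Telegram Bot API {match.group(1)} from endpoint: {url}")
    return dict(hits)


if __name__ == "__main__":
    for host, reasons in triage_proxy_logs(SAMPLE_LOGS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```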

The PowerShell commands are designed to deploy a SOCKS5 reverse proxy or another backdoor called Kalim, upload stolen web browser data, and launch unknown executables named “sh.exe” and “gshdoc_release_X64_GUI.exe.”
Group-IB’s analysis of CHAR’s source code revealed signs of AI-assisted development, given the presence of emojis in the debug strings, a finding consistent with Google’s disclosure last year that the threat actor was experimenting with artificial intelligence (AI) tools to support the development of malware for file transfer and remote access.
Another notable feature is that CHAR shares the same structure and development environment as the Rust-based malware BlackBeard (also known as Archer RAT and RUSTRIC), which CloudSEK and Seqrite Labs flagged as being used by a threat actor to target various organizations in the Middle East.
MuddyWater has also been seen exploiting recently disclosed vulnerabilities in public-facing servers as a means of gaining initial access to target networks.
“The MuddyWater APT group remains an active threat within META [Middle East, Turkey, and Africa] region, with this work primarily targeting organizations in the MENA region,” concluded Group-IB. “The group’s continuous use of AI technology, combined with the continuous development of malware and tools and various Command-and-control (C2) infrastructure, underlines their commitment and intent to expand their operations.”