MuddyWater Deploys GhostFetch and Telegram-Based Backdoors
Iranian APT MuddyWater launches Operation Olalampo against MENA organizations, deploying four new malware families including GhostFetch and CHAR, a Rust backdoor controlled via Telegram.
Iranian threat group MuddyWater has launched a fresh espionage campaign against organizations across the Middle East and North Africa, deploying four previously undocumented malware families that use Telegram bots for command-and-control, according to new research from Group-IB.
The campaign, tracked as Operation Olalampo, was first observed on January 26, 2026, and marks another evolution in the group's persistent targeting of the MENA region.
New Malware Arsenal
Group-IB's analysis identified four distinct malware families working in concert:
GhostFetch serves as the first-stage downloader. Before executing payloads, it profiles target systems by validating mouse movements, checking screen resolution to detect headless environments, and scanning for antivirus software. Payloads execute directly in memory to avoid disk-based detection.
GhostBackDoor arrives via GhostFetch and provides attackers with an interactive shell, file read/write capabilities, and the ability to re-execute GhostFetch for persistence.
HTTP_VIP is a native downloader that conducts system reconnaissance before authenticating with a C2 server at codefusiontech[.]org. It deploys AnyDesk for remote access—a technique we've seen MuddyWater use before in their credential harvesting campaigns against Middle Eastern targets.
CHAR is a Rust-based backdoor controlled entirely through a Telegram bot with the username "stager_51_bot" and first name "Olalampo"—the namesake for the operation. It executes cmd.exe or PowerShell commands on demand.
Signs of AI-Assisted Development
Group-IB researchers noted peculiar artifacts in CHAR's code, including emoji characters embedded in debug strings. Combined with structural similarities to other malware families like BlackBeard and RUSTRIC, analysts assess the developers may be leveraging generative AI tools to accelerate development.
This mirrors a broader pattern. Iranian APT groups have been experimenting with AI tools including Google Gemini to synthesize reconnaissance data and generate phishing content. The operational tempo of Iranian groups has visibly increased alongside AI adoption.
Attack Chain
Infections begin with phishing emails containing malicious Microsoft Office documents. Attackers use region-specific lures including flight tickets, energy sector reports, and marine services company impersonations.
Once victims enable macros, the infection branches into two paths:
- Malicious Excel files deploy the CHAR backdoor
- GhostFetch downloads and installs GhostBackDoor
HTTP_VIP variants then deploy AnyDesk for hands-on keyboard access, giving operators full remote control of compromised systems.
Who's Being Targeted
The campaign focuses on organizations and individuals across the MENA region, consistent with MuddyWater's historical targeting patterns. Previous campaigns have hit government agencies, telecommunications providers, and energy sector organizations.
MuddyWater—also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST—operates as part of Iran's Ministry of Intelligence and Security (MOIS). The group has maintained persistent operations against Middle Eastern targets for years. For context on Iran's broader cyber toolkit, our coverage of the Infy malware's evolution with blockchain-based C2 illustrates the continued innovation in their tradecraft.
Indicators of Compromise
Organizations should monitor for:
- Connections to codefusiontech[.]org
- Telegram API calls to bot endpoints from enterprise systems
- AnyDesk installations on systems where it wasn't authorized
- In-memory execution patterns following Office macro activation
Defensive Recommendations
- Block execution of macros in Office documents from external sources
- Monitor for unauthorized remote access tool installations
- Implement network segmentation to limit lateral movement
- Add known IOCs to detection systems and threat feeds
- Review logs for Telegram API connections from corporate networks
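The indicators and monitoring recommendations above can be turned into a first-pass log check. The following Python script is an added example, not code from the article or from Group-IB: it scans constructed proxy-log lines for three of the behaviours named above, namely connections to the reported C2 domain (refanged from the article's codefusiontech[.]org), Telegram Bot API requests (Telegram's Bot API uses paths of the form /bot<token>/<method>), and AnyDesk launches on hosts outside an allowlist. The log format, hostnames, token value and allowlist are assumptions made for the example; the only page-derived value is the C2 domain.

```python
import re
from dataclasses import dataclass

# IOC taken from the article, refanged for matching (the article writes codefusiontech[.]org).
C2_DOMAINS = {"codefusiontech.org"}

# Telegram Bot API requests look like https://api.telegram.org/bot<token>/<method>;
# a bot token is "<numeric id>:<secret>". Capture the method name for the finding.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(\w+)")

# Hosts where AnyDesk is sanctioned. Constructed placeholder for the example;
# in practice this comes from your asset inventory or software allowlist.
ANYDESK_ALLOWLIST = {"helpdesk-01"}

# Constructed sample proxy log. Format (assumed): ts src_host process dst_host path
SAMPLE_LOG = """\
2026-01-26T09:12:01Z ws-fin-07 excel.exe codefusiontech.org /api/auth
2026-01-26T09:12:05Z ws-fin-07 powershell.exe api.telegram.org /bot123456:CONSTRUCTED_TOKEN/getUpdates
2026-01-26T09:15:40Z ws-fin-07 anydesk.exe relay.anydesk.com /
2026-01-26T10:00:00Z helpdesk-01 anydesk.exe relay.anydesk.com /
2026-01-26T10:05:12Z ws-hr-02 chrome.exe example.org /index.html
"""


@dataclass
class Finding:
    rule: str    # which check fired
    host: str    # source host the activity came from
    detail: str  # what was observed


def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, proc, dst, path = parts
    return {"ts": ts, "src": src, "proc": proc.lower(), "dst": dst.lower(), "path": path}


def scan(lines):
    """Run the three IOC checks over log lines and return the findings in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # 1. Direct contact with the reported C2 domain.
        if rec["dst"] in C2_DOMAINS:
            findings.append(Finding("known-c2-domain", rec["src"], rec["dst"]))
        # 2. Bot API traffic to Telegram from an enterprise host. The process name
        #    is included because a shell interpreter talking to a bot endpoint is
        #    the pattern described for the CHAR backdoor.
        if rec["dst"] == "api.telegram.org":
            m = TELEGRAM_BOT_PATH.match(rec["path"])
            if m:
                findings.append(Finding("telegram-bot-api", rec["src"],
                                        f"method={m.group(1)} via {rec['proc']}"))
        # 3. AnyDesk running on a host where it has not been authorized.
        if rec["proc"] == "anydesk.exe" and rec["src"] not in ANYDESK_ALLOWLIST:
            findings.append(Finding("unauthorized-anydesk", rec["src"], rec["dst"]))
    return findings


def triage(lines):
    """Group fired rules by host so hosts that trip several checks surface first."""
    by_host = {}
    for f in scan(lines):
        by_host.setdefault(f.host, set()).add(f.rule)
    return by_host


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:22} {f.host:12} {f.detail}")
    for host, rules in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"{host}: {len(rules)} rule(s) fired -> {sorted(rules)}")
```

In the constructed sample, ws-fin-07 trips all three checks while helpdesk-01's AnyDesk session is suppressed by the allowlist, which is the kind of correlation a triage queue should rank first. Telegram Bot API traffic is not malicious on its own, so the rule is a starting point for review rather than a blocking signature; tune it against known legitimate bot integrations before alerting on it.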
The continued expansion of MuddyWater's malware arsenal underscores their commitment to maintaining long-term access in the region. Organizations in the MENA region should treat this as an active threat requiring immediate attention. For broader guidance on defending against nation-state threats, see our social engineering defense guide.