Iranian APT group MuddyWater targets Middle East and North Africa with new GhostFetch, CHAR, and HTTP_VIP malware families, leveraging AI-assisted development and sophisticated attack chains.
The Iranian advanced persistent threat (APT) group MuddyWater has launched a sophisticated cyber espionage campaign targeting organizations across the Middle East and North Africa (MENA) region, deploying a suite of new malware tools that demonstrate the group's evolving capabilities and adoption of artificial intelligence in their development process.
Operation Olalampo: A New Chapter in MuddyWater's Campaign
The campaign, dubbed Operation Olalampo, was first observed on January 26, 2026, and represents a significant escalation in MuddyWater's targeting of MENA organizations. According to a comprehensive report by cybersecurity firm Group-IB, the threat actor has deployed multiple new malware families while maintaining their signature attack patterns that have characterized their operations for years.
MuddyWater, also known by aliases including Earth Vetala, Mango Sandstorm, and MUDDYCOAST, has established itself as one of Iran's most persistent cyber espionage groups. The group has historically focused on government agencies, telecommunications companies, and critical infrastructure across the Middle East, with their operations often serving Iranian national interests.
The Attack Chain: From Phishing to Full System Compromise
The attack methodology follows a familiar pattern that has proven effective for MuddyWater. The campaign begins with phishing emails containing malicious Microsoft Office documents as attachments. These documents contain embedded macro code that, when enabled by unsuspecting users, decodes and executes the initial payload.
Group-IB's analysis reveals three distinct attack variants, each leading to different malware deployments:
Variant 1: CHAR Backdoor Deployment
One attack chain employs a malicious Microsoft Excel document that prompts users to enable macros. Once activated, the infection drops CHAR, a sophisticated Rust-based backdoor that establishes persistent access to compromised systems.
Variant 2: GhostFetch and GhostBackDoor Chain
Another variant leads to the deployment of GhostFetch, a first-stage downloader that performs extensive system profiling before fetching and executing secondary payloads directly in memory. GhostFetch subsequently drops GhostBackDoor, a second-stage implant that provides comprehensive remote access capabilities including interactive shell access, file manipulation, and the ability to re-run GhostFetch.
Variant 3: HTTP_VIP and AnyDesk Deployment
A third attack variant uses socially engineered themes such as flight tickets and reports, contrasting with earlier lures that mimicked energy and marine services companies in the Middle East. This approach distributes the HTTP_VIP downloader, which ultimately deploys AnyDesk remote desktop software, providing the attackers with direct remote access to victim systems.
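Every variant above depends on a user enabling macros in an Office attachment, so a mail-filtering or triage pipeline can screen attachments for a VBA project before they reach anyone. The following Python is an added example written for this article, not tooling from Group-IB and not code from the campaign. It treats a macro-enabled OOXML document as the signal (the vbaProject.bin part and its content-type declaration in [Content_Types].xml), hands legacy OLE2 files off for stream-level parsing instead of guessing, and flags a macro-free extension (.xlsx, .docx) that nevertheless ships a VBA project. The sample workbooks it builds in memory are constructed, minimal ZIP containers, not real openable documents, so the script runs offline.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import List

# Compound File Binary (OLE2) signature used by legacy .doc/.xls/.ppt files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# In OOXML (docm/xlsm/pptm) the VBA project is a part named vbaProject.bin,
# declared with this content type in [Content_Types].xml.
VBA_PART_NAME = "vbaproject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


@dataclass
class MacroVerdict:
    verdict: str  # "macros", "no-macros", "ole2-needs-stream-parsing", "not-office"
    reasons: List[str] = field(default_factory=list)


def inspect_office_attachment(data: bytes, filename: str = "") -> MacroVerdict:
    """Decide whether an attachment carries a VBA project without opening it in Office."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary formats keep macros in OLE streams; a structured-storage
        # parser (e.g. oletools' olevba) is needed to decide, so hand these off.
        return MacroVerdict("ole2-needs-stream-parsing", ["legacy OLE2 container"])
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
        names = archive.namelist()
    except zipfile.BadZipFile:
        return MacroVerdict("not-office", ["not a ZIP container"])
    if "[Content_Types].xml" not in names:
        return MacroVerdict("not-office", ["ZIP without [Content_Types].xml"])

    reasons = []
    # Check 1: the VBA part itself, wherever it sits (xl/, word/, ppt/ ...).
    vba_parts = [n for n in names if n.lower().endswith(VBA_PART_NAME)]
    if vba_parts:
        reasons.append("VBA part present: " + ", ".join(vba_parts))
    # Check 2: the content-type declaration, which also catches a renamed part.
    content_types = archive.read("[Content_Types].xml").decode("utf-8", errors="replace")
    if VBA_CONTENT_TYPE in content_types:
        reasons.append("vbaProject content type declared")
    if not reasons:
        return MacroVerdict("no-macros")
    # Check 3: an extension that promises a macro-free document but ships VBA.
    if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        reasons.append("extension " + filename.rsplit(".", 1)[-1] + " claims macro-free")
    return MacroVerdict("macros", reasons)


def build_sample_workbook(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP for testing (not a real, openable workbook)."""
    entries = ['<Default Extension="xml" ContentType="application/xml"/>']
    if with_vba:
        entries.append('<Override PartName="/xl/vbaProject.bin" '
                       'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = '<?xml version="1.0"?><Types>' + "".join(entries) + "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"\x00placeholder VBA project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("quote.xlsm", build_sample_workbook(True)),
               ("report.xlsx", build_sample_workbook(True)),
               ("clean.xlsx", build_sample_workbook(False))]
    for name, blob in samples:
        v = inspect_office_attachment(blob, name)
        print(name, v.verdict, "; ".join(v.reasons))
```

The two OOXML checks are deliberately redundant: the part name is the obvious signal, while the content-type declaration survives if an attacker renames the part, and either one alone is enough to quarantine or sandbox the attachment for closer inspection.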
The Malware Arsenal: Four Sophisticated Tools
GhostFetch: The Intelligent Downloader
GhostFetch serves as the initial access tool in many attack chains. Beyond simple payload delivery, it incorporates several defense evasion techniques:
- System profiling to identify potential targets
- Mouse movement validation and screen resolution checks
- Debugger detection mechanisms
- Virtual machine artifact identification
- Antivirus software detection
Once it completes its reconnaissance, GhostFetch fetches and executes secondary payloads directly in memory, minimizing forensic evidence on disk.
GhostBackDoor: The Persistent Implant
Delivered by GhostFetch, GhostBackDoor provides comprehensive backdoor functionality:
- Interactive shell access for command execution
- File read/write operations for data exfiltration
- Ability to re-run GhostFetch for persistence
- Memory-resident operation to avoid disk-based detection
HTTP_VIP: The Native Downloader
HTTP_VIP represents a more traditional downloader approach but with enhanced capabilities:
- System reconnaissance before connecting to command and control
- Authentication with external servers (notably codefusiontech[.]org)
- Deployment of AnyDesk remote desktop software
- Victim information retrieval in recent variants
- Support for interactive shell, file transfer, clipboard capture, and sleep interval management
CHAR: The AI-Assisted Rust Backdoor
CHAR stands out as particularly noteworthy due to its development characteristics. This Rust-based backdoor is controlled through a Telegram bot with the username "stager_51_bot" and first name "Olalampo."
The backdoor supports various commands including directory changes, command execution via cmd.exe or PowerShell, SOCKS5 reverse proxy establishment, and execution of additional backdoors like Kalim. It also includes capabilities for stealing data from web browsers and executing unknown executables referred to as "sh.exe" and "gshdoc_release_X64_GUI.exe."
AI-Assisted Development: A New Frontier
Group-IB's analysis of CHAR's source code revealed compelling evidence of artificial intelligence-assisted development. The presence of emojis in debug strings suggests the use of generative AI tools during the malware's creation. This finding aligns with Google's previous revelations that MuddyWater is experimenting with AI tools to support custom malware development, particularly for file transfer and remote execution capabilities.
This adoption of AI in malware development represents a concerning trend in the cybersecurity landscape. AI-assisted development can accelerate the creation of sophisticated malware, potentially allowing threat actors to produce more complex and evasive tools in shorter timeframes.
Connections to Other MuddyWater Tools
The CHAR backdoor shares structural and developmental similarities with BlackBeard, also known as Archer RAT and RUSTRIC. This Rust-based malware was previously identified by CloudSEK and Seqrite Labs as being used by MuddyWater to target various entities in the Middle East. The shared development environment and architectural patterns suggest a common development methodology within the group.
Exploitation of Public-Facing Vulnerabilities
Beyond their phishing campaigns, MuddyWater has been observed exploiting recently disclosed vulnerabilities on public-facing servers. This approach provides an alternative initial access vector, allowing the group to compromise networks without relying solely on social engineering tactics.
Implications for MENA Organizations
The targeting of MENA organizations by MuddyWater reflects the geopolitical interests that often drive Iranian cyber operations. The region's strategic importance, combined with the presence of critical infrastructure and government entities, makes it an attractive target for state-sponsored espionage groups.
Organizations in the affected region should be particularly vigilant, implementing multiple layers of defense including:
- Enhanced email filtering and user awareness training
- Network segmentation to limit lateral movement
- Endpoint detection and response capabilities
- Regular patching of public-facing systems
- Network traffic monitoring for anomalous C2 communications
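The last item, monitoring for anomalous C2 communications, can be made concrete with indicators this article already names: HTTP_VIP's authentication with codefusiontech[.]org, CHAR's Telegram bot channel, and the AnyDesk deployment. The Python below is an added example, not Group-IB's detection content. The proxy log format, the sample lines, the placeholder bot token, the anydesk.com domain match and the approved-host allowlist are all constructed values or assumptions to be replaced with your own telemetry and inventory.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Domain named in the Group-IB reporting on HTTP_VIP (written defanged above).
HTTP_VIP_DOMAINS = {"codefusiontech.org"}

# Telegram Bot API requests take the form https://api.telegram.org/bot<id>:<secret>/<method>.
# A workstation process talking to this endpoint is unusual enough to review.
TELEGRAM_BOT_API = re.compile(r"^https?://api\.telegram\.org/bot\d+:[\w-]{30,}/(\w+)",
                              re.IGNORECASE)

# Assumptions for this example: AnyDesk traffic is recognised by the anydesk.com domain or
# the process name, and only the listed hosts are approved to run it.
ANYDESK_DOMAIN = "anydesk.com"
APPROVED_REMOTE_ACCESS_HOSTS = {"helpdesk-01"}


@dataclass(frozen=True)
class ProxyEvent:
    ts: str
    host: str      # workstation name, lower-cased
    process: str   # originating process name, lower-cased
    method: str
    url: str

    @property
    def dest(self) -> str:
        return (urlparse(self.url).hostname or "").lower()


def parse_line(line: str) -> Optional[ProxyEvent]:
    """Parse one constructed proxy log line: '<ts> <host> <process> <method> <url>'."""
    fields = line.split()
    if len(fields) != 5:
        return None  # malformed or empty line: skip rather than abort the triage run
    ts, host, process, method, url = fields
    return ProxyEvent(ts, host.lower(), process.lower(), method.upper(), url)


def in_domain(dest: str, domain: str) -> bool:
    return dest == domain or dest.endswith("." + domain)


def classify(ev: ProxyEvent) -> List[str]:
    """Return the names of the detection rules an event matches (empty list if none)."""
    hits = []
    if any(in_domain(ev.dest, d) for d in HTTP_VIP_DOMAINS):
        hits.append("http_vip_c2_domain")
    if TELEGRAM_BOT_API.match(ev.url):
        hits.append("telegram_bot_api_c2")
    anydesk = in_domain(ev.dest, ANYDESK_DOMAIN) or ev.process == "anydesk.exe"
    if anydesk and ev.host not in APPROVED_REMOTE_ACCESS_HOSTS:
        hits.append("unapproved_anydesk")
    return hits


def triage(lines: Iterable[str]) -> List[dict]:
    """Run every rule over every parseable line and collect the alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in classify(ev):
            alerts.append({"rule": rule, "ts": ev.ts, "host": ev.host,
                           "process": ev.process, "dest": ev.dest})
    return alerts


# Constructed sample log lines (not real telemetry); the Telegram token is a placeholder.
SAMPLE_LOG = """\
2026-01-27T09:14:02Z WS-ACC-07 excel.exe GET https://codefusiontech.org/api/auth
2026-01-27T09:14:09Z WS-ACC-07 svchost.exe POST https://api.telegram.org/bot0000000000:PLACEHOLDERPLACEHOLDERPLACEHOLDER00/getUpdates
2026-01-27T09:15:30Z WS-ACC-07 anydesk.exe GET https://relay-1.anydesk.com/
2026-01-27T09:16:00Z HELPDESK-01 anydesk.exe GET https://boot.anydesk.com/
2026-01-27T09:17:11Z WS-ACC-07 chrome.exe GET https://www.example.com/
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG.splitlines()):
        print(a["ts"], a["host"], a["process"], "->", a["dest"] + ":", a["rule"])
```

Each rule is evaluated independently, so one event can raise several alerts. The AnyDesk rule keys on the destination domain or the process name and then on the host, because a remote access tool that is legitimate on a help desk machine is exactly the finding when it appears on an ordinary workstation.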
The Evolution of MuddyWater
Group-IB's assessment concludes that MuddyWater remains an active and evolving threat within the MENA region. The group's continued adoption of AI technology, combined with the development of custom malware and diversified command-and-control infrastructures, demonstrates their commitment to expanding operations and maintaining operational effectiveness.
The use of Telegram bots for command and control, the deployment of memory-resident malware, and the integration of AI-assisted development all point to a threat actor that is adapting to modern defensive techniques while maintaining their core mission of cyber espionage.
As MuddyWater continues to evolve, organizations across the Middle East and North Africa must remain vigilant and proactive in their defensive posture. The combination of traditional attack methods with cutting-edge development techniques makes this group a persistent and sophisticated adversary in the region's cybersecurity landscape.