What happened
Iran-linked advanced persistent threat group MuddyWater has launched a new cyberespionage campaign, dubbed Operation Olalampo, targeting organizations across the Middle East and North Africa (MENA) with a suite of custom malware and multi-stage tooling.
Who is affected
A range of organizations and individuals, primarily in the MENA region, have been hit, with phishing emails used to deliver downloaders like GhostFetch and HTTP_VIP, a Rust-based backdoor named CHAR, and a second-stage implant called GhostBackDoor.
Why CISOs should care
This campaign demonstrates MuddyWater’s evolving capabilities, including the use of sophisticated malware, AI-influenced development techniques, diversified command-and-control channels, and traditional social engineering via malicious Office documents. Such activity increases the risk of unauthorized access, data theft, and long-term persistence inside compromised networks.
3 Practical Actions
- Enhance phishing defenses: Implement stricter email filtering and sandboxing for attachments, and enforce policies blocking macro-enabled documents from external senders.
- Endpoint protection and monitoring: Deploy advanced endpoint detection and response (EDR) with behavioral analytics to catch loader and backdoor activity like GhostFetch and CHAR.
- Threat intelligence and patching: Consume up-to-date threat feeds to understand evolving MuddyWater TTPs, and prioritize patching of known exploited vectors along with proactive hunt exercises.
