ZERO|TOLERANCE Intelligence Advisory
zerotolerance.me
HIGH

Operation Olalampo: MuddyWater Deploys AI-Assisted Rust Malware Across MENA

Jan 26 - Mar 2026 · MENA espionage

Publication Date: 2026-01-26
Category: Nation-State & Espionage
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

On January 26, 2026, the Iranian state-aligned APT group MuddyWater - tracked by researchers as Earth Vetala (Trend Micro), Mango Sandstorm (Microsoft), and MUDDYCOAST (NATO) - launched a structured cyber offensive campaign designated Operation Olalampo. The campaign targets government and enterprise organizations across the Middle East and North Africa. Group-IB published a detailed analysis in February 2026, documenting new malware families, AI-assisted development techniques, and diversified command-and-control infrastructure.

Executive Summary

KEY FACTS

  • What: Iranian APT espionage campaign targeting MENA governments and enterprises.
  • Who: MuddyWater (MOIS-linked), one of Iran's most persistent cyber operations groups.
  • New Malware: GhostFetch, CHAR (Rust backdoor), HTTP_VIP, GhostBackDoor.
  • Innovation: AI-assisted malware development - confirmed by researchers.
  • C2 Infrastructure: Telegram channels used for command-and-control.
  • Targets: Government ministries, defense, energy, telecommunications across Gulf states.

Incident Overview

WHAT HAPPENED

On January 26, 2026, MuddyWater - an Iranian state-aligned APT group linked to Iran's Ministry of Intelligence and Security (MOIS) - launched Operation Olalampo, a structured espionage campaign targeting government and enterprise organizations across the Middle East and North Africa. The group, tracked as Earth Vetala by Trend Micro, Mango Sandstorm by Microsoft, and MUDDYCOAST by NATO, deployed a new arsenal of malware families purpose-built for this campaign. Group-IB published a detailed technical analysis in February 2026, documenting the operation's scope and capabilities.

Initial access followed two parallel vectors: spear-phishing emails with malicious Office macros, and exploitation of recently disclosed vulnerabilities on public-facing servers. This dual-vector approach ensures that organizations with strong email filtering can still be reached through unpatched internet-exposed infrastructure.

The campaign introduced four new malware families and incorporated AI-assisted development techniques - both firsts for MuddyWater.

Analysis

THE MALWARE ARSENAL

GhostFetch: A downloader that establishes initial foothold and retrieves secondary payloads. Drops GhostBackDoor - an advanced implant providing persistent access, keylogging, screen capture, and data exfiltration capabilities.

CHAR: A Rust-based backdoor - MuddyWater's first known use of Rust for malware development. Rust's memory-safety guarantees make the malware more stable, and its compiled binaries are comparatively hard to reverse-engineer. The choice of Rust indicates a deliberate investment in tooling sophistication.

HTTP_VIP: An alternative downloader using HTTP-based communication, providing redundancy if Telegram-based channels are disrupted.

Telegram C2: Using Telegram's API for command-and-control makes traffic harder to distinguish from legitimate messaging activity. Multiple Telegram channels provide redundant C2 paths.

Analysis

THE AI DIMENSION

MuddyWater is using AI to accelerate code generation, obfuscation, and potentially to adapt malware behavior based on target environment. This represents a qualitative shift in the group's capability and aligns with the broader trend of state-sponsored groups incorporating AI into offensive operations, as documented by the UAE Cybersecurity Council's February 2026 report on AI-powered attack tools.

Detection

INDICATORS OF COMPROMISE

THREAT ACTOR

  • MuddyWater / Earth Vetala / Mango Sandstorm / MUDDYCOAST
  • Sponsor: Iran MOIS

MALWARE FAMILIES

  • GhostFetch - First-stage downloader
  • CHAR (LampoRAT) - Rust-based backdoor, first known MuddyWater use of Rust
  • HTTP_VIP - HTTP-based downloader, deploys AnyDesk
  • GhostBackDoor - Second-stage implant

C2 DOMAINS

  • codefusiontech[.]org
  • miniquest[.]org
  • promoverse[.]org
  • jerusalemsolutions[.]com

C2 IP ADDRESSES

  • 162[.]0[.]230[.]185
  • 209[.]74[.]87[.]100
  • 143[.]198[.]5[.]41
  • 209[.]74[.]87[.]67

TELEGRAM C2

  • Botstager_51_bot (ID: 8398566164, display name: Olalampo)

FILE HASHES

  • SHA256: 81a6e6416eb7ab6ce6367c6102c031e2ae2730c3c50ab9ce0b8668fec3487848 (CHAR/LampoRAT)

PERSISTENCE

  • Service name: MicrosoftVersionUpdater
  • Process masquerading as avp.exe (Kaspersky)

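The indicators above are only useful once they are matched against telemetry. The script below is an added example written for this advisory, not tooling from Zero|Tolerance, Group-IB or any vendor: it undoes the "[.]" defanging, then triages normalised DNS, network-connection, proxy, service-creation, process and file records against the listed domains, IPs, Telegram bot ID, service name, SHA256 and the avp.exe masquerade. The record layout, the sample records and the assumed legitimate Kaspersky install directories are constructed assumptions; the bot-ID check relies on the Telegram Bot API addressing form https://api.telegram.org/bot<bot_id>:<secret>/<method>, where the token begins with the numeric bot ID.

```python
"""IoC triage for the Operation Olalampo indicators listed in this advisory.

Added example, not part of the advisory or of any vendor product. All log
records below are constructed for illustration. The Telegram check assumes
Bot API URLs of the form https://api.telegram.org/bot<bot_id>:<secret>/<method>.
"""
from __future__ import annotations

import re
from typing import Iterable

# Indicators copied from the advisory; "[.]" defanging is undone for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in (
    "codefusiontech[.]org", "miniquest[.]org", "promoverse[.]org", "jerusalemsolutions[.]com")}
C2_IPS = {ip.replace("[.]", ".") for ip in (
    "162[.]0[.]230[.]185", "209[.]74[.]87[.]100", "143[.]198[.]5[.]41", "209[.]74[.]87[.]67")}
TELEGRAM_BOT_ID = "8398566164"
CHAR_SHA256 = "81a6e6416eb7ab6ce6367c6102c031e2ae2730c3c50ab9ce0b8668fec3487848"
PERSISTENCE_SERVICE = "MicrosoftVersionUpdater"
MASQUERADED_PROCESS = "avp.exe"
# Assumed legitimate install locations for Kaspersky's avp.exe (assumption, not from the advisory).
KASPERSKY_DIRS = ("c:\\program files (x86)\\kaspersky lab\\", "c:\\program files\\kaspersky lab\\")

# Captures the numeric bot ID that prefixes a Bot API token in the request URL.
BOT_TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d+):", re.IGNORECASE)


def host_matches(host: str) -> bool:
    """True for an exact C2 domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS)


def triage(record: dict) -> list[str]:
    """Return the IoC hits for one normalised log record (empty list if clean).

    record["type"] is one of: dns, netconn, proxy, service, process, file.
    """
    hits: list[str] = []
    t = record.get("type")
    if t == "dns" and host_matches(record["query"]):
        hits.append(f"dns:{record['query']}")
    elif t == "netconn" and record["dst_ip"] in C2_IPS:
        hits.append(f"netconn:{record['dst_ip']}")
    elif t == "proxy":
        m = BOT_TOKEN_RE.search(record["url"])
        if m and m.group(1) == TELEGRAM_BOT_ID:
            hits.append(f"telegram-bot:{m.group(1)}")
        if host_matches(record.get("host", "")):
            hits.append(f"proxy-host:{record['host']}")
    elif t == "service" and record["name"].lower() == PERSISTENCE_SERVICE.lower():
        hits.append(f"service:{record['name']}")
    elif t == "process":
        # avp.exe is only expected under the vendor's own install directories.
        path = record["image"].lower()
        if path.endswith("\\" + MASQUERADED_PROCESS) and not path.startswith(KASPERSKY_DIRS):
            hits.append(f"masquerade:{record['image']}")
    elif t == "file" and record["sha256"].lower() == CHAR_SHA256:
        hits.append("hash:CHAR/LampoRAT")
    return hits


def scan(records: Iterable[dict]) -> list[tuple[dict, list[str]]]:
    """Run triage over a stream of records and keep only those with hits."""
    return [(r, h) for r in records if (h := triage(r))]


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"type": "dns", "query": "update.codefusiontech.org"},
    {"type": "dns", "query": "www.example.org"},
    {"type": "netconn", "dst_ip": "209.74.87.67", "dst_port": 443},
    {"type": "proxy", "host": "api.telegram.org",
     "url": "https://api.telegram.org/bot8398566164:EXAMPLE-SECRET/getUpdates"},
    {"type": "service", "name": "MicrosoftVersionUpdater", "image": "C:\\Users\\Public\\svc.exe"},
    {"type": "process", "image": "C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security\\avp.exe"},
    {"type": "process", "image": "C:\\Users\\Public\\Temp\\avp.exe"},
    {"type": "file", "sha256": "81A6E6416EB7AB6CE6367C6102C031E2AE2730C3C50AB9CE0B8668FEC3487848"},
]

if __name__ == "__main__":
    for rec, hits in scan(SAMPLE_RECORDS):
        print(", ".join(hits), "<-", rec)
```

Subdomain matching on the C2 domains and a lowercase hash comparison keep the matcher robust to the most common variations in real telemetry; the avp.exe rule is deliberately path-based, since the process name alone is expected on any host running Kaspersky.
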
Assessment

ZERO|TOLERANCE Advisory

1. Macro Execution Policies - block VBA macros from internet-sourced Office documents

2. Telegram Traffic Monitoring - inspect and control Telegram API traffic at network boundaries

3. Rust Binary Analysis - invest in Rust reverse-engineering capabilities for SOC teams

4. Threat Intelligence Sharing - participate in MENA-specific threat intelligence platforms

5. Public-Facing Server Hardening - aggressive patching cadence for internet-exposed systems
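Recommendation 2, and the Telegram C2 paragraph in the Analysis section, both come down to the same control: the Bot API is ordinary HTTPS to api.telegram.org, so it has to be distinguished by what is being called and by whom. The script below is an added example for this advisory, not Zero|Tolerance's or any vendor's code, and it generalises beyond the single bot in the IoC list: every Bot API call seen at the proxy is summarised per source host, bot ID and method, and any bot ID outside a locally approved allowlist is reported. The proxy log format, the approved bot ID and the sample lines are constructed assumptions; the URL pattern https://api.telegram.org/bot<bot_id>:<secret>/<method> is the Bot API's real addressing form.

```python
"""Telegram Bot API monitoring at the network boundary.

Added example, not part of the advisory. Summarises Bot API usage per source
host and flags bot IDs that are not on the organisation's allowlist. The log
line format "<time> <src_ip> <status> <url>" and the allowlist are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Bot API requests look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
BOT_CALL_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")

# Constructed proxy log layout (assumed): "<time> <src_ip> <status> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line: str) -> tuple[str, str, int, str, str] | None:
    """Return (time, src_ip, status, bot_id, method) for a Bot API call, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, status, url = m.groups()
    call = BOT_CALL_RE.match(url)
    if not call:
        return None
    return ts, src, int(status), call.group(1), call.group(2)


def summarise(lines, approved_bot_ids: set[str]):
    """Return (per_host, violations).

    per_host: {src_ip: {bot_id: {method: count}}}
    violations: sorted list of (src_ip, bot_id) for bot IDs not on the allowlist
    """
    per_host: dict = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    violations = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a Bot API call (or unparseable line)
        _, src, _, bot_id, method = parsed
        per_host[src][bot_id][method] += 1
        if bot_id not in approved_bot_ids:
            violations.add((src, bot_id))
    return per_host, sorted(violations)


# Assumed allowlist: one internally approved alerting bot (constructed ID).
APPROVED_BOT_IDS = {"111111111"}

# Constructed proxy log lines (not real traffic). Secrets are placeholders.
SAMPLE_LOG = """\
2026-02-03T09:00:01Z 10.0.9.4 200 https://api.telegram.org/bot111111111:PLACEHOLDER/sendMessage
2026-02-03T09:00:07Z 10.0.5.23 200 https://api.telegram.org/bot8398566164:PLACEHOLDER/getUpdates
2026-02-03T09:00:37Z 10.0.5.23 200 https://api.telegram.org/bot8398566164:PLACEHOLDER/getUpdates
2026-02-03T09:01:07Z 10.0.5.23 200 https://api.telegram.org/bot8398566164:PLACEHOLDER/getUpdates
2026-02-03T09:01:09Z 10.0.5.23 200 https://api.telegram.org/bot8398566164:PLACEHOLDER/sendDocument
2026-02-03T09:01:15Z 10.0.5.23 200 https://www.example.com/index.html
2026-02-03T09:02:00Z 10.0.7.8 200 https://t.me/somechannel
""".splitlines()

if __name__ == "__main__":
    per_host, violations = summarise(SAMPLE_LOG, APPROVED_BOT_IDS)
    for src, bots in per_host.items():
        for bot_id, methods in bots.items():
            print(src, bot_id, dict(methods))
    print("unapproved bot usage:", violations)
```

Periodic getUpdates polling from a workstation followed by sendDocument is the shape a Telegram-based implant leaves in proxy logs; keying the allowlist on the bot ID rather than the hostname lets legitimate internal bots keep working while unknown bots are surfaced for review.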

References

SOURCES

Group-IB, The Hacker News, SC Media, SecurityOnline, Halcyon, ThousandGuards