[TIMESTAMP: 2026-02-23 08:19 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Iranian APT MuddyWater Orchestrates Operation Olalampo Targeting MENA Infrastructure


Campaign Overview: Operation Olalampo

Recent telemetry identifies a concentrated campaign by the Iranian state-sponsored threat actor MuddyWater (also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST). Commencing on January 26, 2026, the activity designated as “Operation Olalampo” focuses on entities across the Middle East and North Africa (MENA) region. The campaign is characterized by the deployment of three previously undocumented malware families: GhostFetch, CHAR, and HTTP_VIP.

Technical Malware Analysis

The operation utilizes a multi-stage infection chain designed for persistence and data exfiltration.

GhostFetch

GhostFetch is the first-stage downloader of the chain. It applies custom obfuscation routines to evade endpoint detection and response (EDR) products; once executed, it fingerprints the host environment and then opens a secure channel to its command-and-control (C2) server to retrieve the second-stage payloads.

CHAR

CHAR is a post-exploitation module. Analysts observed it harvesting credentials from local browser stores and from process memory dumps, and reusing the captured administrative credentials to move laterally within the target network.

HTTP_VIP

HTTP_VIP is the primary C2 communication bridge. It tunnels operator traffic over HTTP so that it blends in with legitimate web traffic, which means port- and protocol-based firewall rules alone will not separate it from ordinary browsing. The family is modular: operators can push custom scripts and additional binaries tailored to the target's internal environment.

TTPs and Infrastructure Scanning

MuddyWater's initial access relies on high-volume spear-phishing campaigns carrying malicious attachments or links to files staged on compromised cloud storage providers. The group also performs reconnaissance against external-facing assets to find exploitable misconfigurations. Organizations can reduce that exposure by running periodic infrastructure scans, for example with Pocket Pentest, and validating that their defensive perimeter matches what they expect to be reachable.

Indicators of Compromise (IoCs)

  • Malware Hashes (SHA-256):
    • 7d3e... (GhostFetch Downloader)
    • a1f2... (CHAR Module)
    • b9c8... (HTTP_VIP C2 Agent)
  • C2 Infrastructure:
    • 185.161.x.x (Port 443)
    • 91.235.x.x (Port 80)

Defensive Recommendations

  1. Network Segmentation: Isolate critical infrastructure into separate segments so that credentials harvested by CHAR cannot be reused to move laterally across the whole network.
  2. Traffic Analysis: Monitor outbound HTTP for irregular headers and for anomalous patterns such as fixed-interval connections to a single external host, which is how HTTP_VIP tunnelling tends to stand out from real browsing.
  3. Endpoint Hardening: Enforce strict application allowlisting (whitelisting) and alert on unexpected child processes spawned by common office productivity applications, since a malicious attachment executing is the usual trigger for such a process chain.
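
As an added example (not code from the original page, and not tooling from the campaign or its analysts), the following Python script implements the detection logic behind recommendations 2 and 3 on constructed data: a coefficient-of-variation beacon check over proxy log lines, and a parent/child check over Sysmon-shaped process-creation events. The log lines, the IP addresses (documentation ranges), the process paths, the Office/LOLBin name sets and the thresholds are all assumptions made for the example; nothing on this page describes an HTTP_VIP header or URI pattern, so the first detector keys only on timing regularity.

```python
"""Added example for recommendations 2 and 3: beacon timing and Office-spawned
shells. All data below is constructed for illustration; it is not campaign
telemetry, and no HTTP_VIP-specific header or URI pattern is assumed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<iso-timestamp> <src-ip> <dst-ip> <method> <path>".
# 10.0.0.15 contacts 203.0.113.7 about every 60 s (beacon-like), while
# 10.0.0.22's requests to 198.51.100.9 are irregular, as ordinary browsing is.
PROXY_LOG = """\
2026-02-20T09:00:00 10.0.0.15 203.0.113.7 POST /update
2026-02-20T09:01:00 10.0.0.15 203.0.113.7 POST /update
2026-02-20T09:02:00 10.0.0.15 203.0.113.7 POST /update
2026-02-20T09:03:01 10.0.0.15 203.0.113.7 POST /update
2026-02-20T09:04:00 10.0.0.15 203.0.113.7 POST /update
2026-02-20T09:05:00 10.0.0.15 203.0.113.7 POST /update
2026-02-20T09:00:07 10.0.0.22 198.51.100.9 GET /index.html
2026-02-20T09:00:09 10.0.0.22 198.51.100.9 GET /style.css
2026-02-20T09:03:40 10.0.0.22 198.51.100.9 GET /news
2026-02-20T09:11:02 10.0.0.22 198.51.100.9 GET /news/2
2026-02-20T09:11:03 10.0.0.22 198.51.100.9 GET /img.png
2026-02-20T09:40:00 10.0.0.22 198.51.100.9 GET /about
""".splitlines()


def find_beacons(lines, min_requests=5, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-request gaps are suspiciously regular.

    Regularity is the coefficient of variation of the gaps (population stdev
    divided by mean). Real browsing is bursty, so its CV is high; a
    fixed-interval beacon with small jitter sits near zero.
    Returns a list of (src, dst, mean_gap_seconds, cv).
    """
    stamps_by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst, _method, _path = line.split()
        stamps_by_pair[(src, dst)].append(datetime.fromisoformat(ts))

    hits = []
    for (src, dst), stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge timing
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")  # zero gaps: not a beacon
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return hits


# Constructed process-creation events (simplified Sysmon event ID 1 shape).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -File C:\Users\Public\stage.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},  # benign print helper, not flagged
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},  # shell, but not from Office
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\Public\invoice.hta"},
]

# Assumed name sets for the example; extend to match the estate being monitored.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_spawns(events):
    """Return events where an Office application spawned a scripting host or shell."""
    return [e for e in events
            if basename(e["ParentImage"]) in OFFICE_PARENTS
            and basename(e["Image"]) in LOLBIN_CHILDREN]


if __name__ == "__main__":
    for hit in find_beacons(PROXY_LOG):
        print("beacon-like:", hit)
    for e in find_office_spawns(PROCESS_EVENTS):
        print("office spawn:", basename(e["ParentImage"]), "->", e["CommandLine"])
```

On the constructed data the beacon check flags only the 10.0.0.15 to 203.0.113.7 pair (mean gap 60 s, CV about 0.011), and the process check flags the WINWORD.EXE to powershell.exe and OUTLOOK.EXE to mshta.exe events while leaving the Excel print helper and the explorer-spawned cmd.exe alone. In production the CV threshold and minimum request count need tuning against a baseline, since update agents and monitoring probes also beacon; allowlist those destinations rather than loosening the threshold.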