
MuddyWater "Operation Olalampo" Deploys AI-Generated Code and Custom Malware

New research identifies a campaign by the MuddyWater threat group targeting organizations in the Middle East and Africa with novel malware strains. Analysis reveals the use of AI-generated code segments and legitimate RMM tools, highlighting the need for rigorous endpoint monitoring and email defense.

Triage Security Media Team

The threat actor group known as MuddyWater (also tracked as TA450 or Seedworm) has initiated a new campaign, designated "Operation Olalampo," affecting organizations across the Middle East and Africa. This activity involves the deployment of several new custom malware strains and indicates a shift in the group’s development methodologies, including the apparent use of artificial intelligence tools to generate code.

According to findings released by Group-IB, this campaign primarily utilizes spear-phishing emails to gain initial access. While this remains the group's standard entry method, researchers also noted evidence suggesting the actor attempted to identify vulnerabilities in public-facing servers during this period. The operation targets entities such as energy and marine services companies, as well as system integrators.

Technical Analysis of New Malware Strains

The campaign introduces multiple distinct execution chains, leading to the deployment of novel second-stage loaders and backdoors.

The Char Backdoor and AI Artifacts

One primary infection chain utilizes a malicious Microsoft Excel document designed to mimic communication from an energy and marine services company. This file deploys "Char," a Rust-based backdoor that uses a Telegram bot for command-and-control (C2) communication.

Analysis of the Char backdoor revealed artifacts suggesting the use of AI in its development. Researchers identified debug strings containing emojis within one of the command handlers—an anomaly not typically found in human-authored code. Group-IB noted that the actor likely used a large language model (LLM) to generate specific code segments and compiled the tool without sanitizing these debug strings. Similar patterns appeared in the C2 logs retrieved from the Telegram bot.

GhostFetch and GhostBackDoor

A second variation of the campaign uses similar document lures but deploys a downloader named "GhostFetch." This tool subsequently retrieves "GhostBackDoor," a persistent access tool capable of adapting its installation routine based on the privilege level of the compromised environment.

HTTP_VIP and RMM Abuse

The third observed variant employs Microsoft Word documents with themes related to flight tickets or reports. These files deploy a new downloader called "HTTP_VIP." This malware performs system reconnaissance and includes a safety check that terminates execution if specific hard-coded domains are detected. Upon successful execution, HTTP_VIP installs the remote monitoring and management (RMM) tool AnyDesk to establish persistent remote access.

Operational Evolution and Defense

MuddyWater, which is linked to Iran's Ministry of Intelligence and Security (MOIS), has continued to refine its operational security since its emergence in 2017. Previous analysis by ESET highlighted the group's move toward stealthier techniques, such as memory-only loaders and custom backdoors designed to evade detection. The reuse of infrastructure in Operation Olalampo, combined with the integration of AI-generated code, suggests an ongoing effort to scale development capabilities while maintaining established tactics.

Security teams can detect and mitigate this activity by monitoring for the specific indicators of compromise (IoCs), YARA rules, and EDR signatures detailed in the Group-IB report. To protect against these vectors, organizations should prioritize:

  • Email Security: Enhanced filtering to detect malicious macros and suspicious attachments.

  • Endpoint Controls: Strict monitoring of legitimate RMM tools like AnyDesk to ensure they are only used for authorized administrative tasks.

  • Network Segmentation: Restricting outbound traffic toward known C2 channels, for example by blocking unauthorized Telegram API communication.
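As an added illustration of the endpoint and network controls listed above (example code written for this article, not from the Group-IB report or any vendor), the following Python script applies three detections to constructed Sysmon-style JSON events: AnyDesk launched from an Office parent process, AnyDesk run by an account outside an assumed admin allow-list, and Telegram Bot API traffic from a non-browser binary. The allow-list, the process names and the api.telegram.org host are assumptions, not values from the report.

```python
import json

# Constructed JSON-lines telemetry in a Sysmon-like shape (sample data, not real logs).
SAMPLE_LOG = r'''
{"event":"process_create","image":"C:\\Users\\u\\AppData\\Local\\Temp\\AnyDesk.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","user":"CORP\\alice"}
{"event":"process_create","image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","parent_image":"C:\\Windows\\explorer.exe","user":"CORP\\helpdesk-admin"}
{"event":"network_connect","image":"C:\\Users\\u\\AppData\\Roaming\\svc.exe","dest_host":"api.telegram.org","dest_port":443}
{"event":"network_connect","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dest_host":"api.telegram.org","dest_port":443}
'''

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RMM_BINARIES = {"anydesk.exe"}                     # RMM tool named in the report
AUTHORIZED_RMM_USERS = {"corp\\helpdesk-admin"}    # assumed allow-list of admin accounts
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
TELEGRAM_API_HOSTS = {"api.telegram.org"}          # assumed Bot API host, not from the report


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the detection names that fire for one parsed event."""
    alerts = []
    image = basename(event.get("image", ""))
    if event.get("event") == "process_create" and image in RMM_BINARIES:
        # RMM launched by an Office process: maldoc -> downloader -> RMM chain
        if basename(event.get("parent_image", "")) in OFFICE_PARENTS:
            alerts.append("rmm_spawned_by_office")
        # RMM launched by an account outside the authorized admin allow-list
        if event.get("user", "").lower() not in AUTHORIZED_RMM_USERS:
            alerts.append("rmm_unauthorized_user")
    if (event.get("event") == "network_connect"
            and event.get("dest_host", "").lower() in TELEGRAM_API_HOSTS
            and image not in BROWSERS):
        # Bot-API traffic from a non-browser binary matches the Char C2 pattern
        alerts.append("telegram_api_from_non_browser")
    return alerts


def scan(log_text: str) -> list:
    """Parse JSON lines; return (image, detection) pairs, skipping malformed lines."""
    hits = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed or truncated line: do not abort the whole scan
        hits.extend((event.get("image", ""), name) for name in evaluate(event))
    return hits
```

Running `scan(SAMPLE_LOG)` flags the Temp-folder AnyDesk spawned by WINWORD.EXE twice (Office parent, non-admin user) and the svc.exe connection to the Bot API, while the helpdesk-launched AnyDesk and the browser's Telegram traffic produce no alerts.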
