Operation Olalampo: MuddyWater breaches defences with macros, Rust and AI


A few weeks ago, security researchers raised the alarm again over the activity of an old acquaintance: the Iranian group known as MuddyWater. According to the analysis published by the firm Group-IB, the campaign dubbed "Operation Olalampo" has deployed a new set of tools while reviving the tactics that already characterize this actor: phishing emails carrying Office documents that, if the victim enables macros, trigger an infection chain leading to remote control of the machine.

The operation, observed since the end of January 2026 and concentrated mainly on organizations in the MENA region, combines first-stage downloaders with more sophisticated implants. Some of the names in the report, such as GhostFetch and HTTP_VIP, act as initial system profilers and as bridges that run secondary payloads in memory, while implants such as CHAR (written in Rust and controlled through a Telegram bot) and GhostBackDoor provide persistent access and remote-operation capabilities.


What is striking is not just the variety of tools, but how they chain together. In some cases the entry point is an Excel file that asks the user to enable macros; once enabled, the macro decodes a Rust binary (CHAR) and writes it to disk. In other variants the macro delivers GhostFetch, which in turn downloads GhostBackDoor directly into memory, avoiding easily detected artifacts on disk. Another infection path uses less technical lures, such as plane tickets or reports, to distribute HTTP_VIP, a native downloader that has also been observed deploying the legitimate AnyDesk remote access software.

The downloaders in this campaign show a level of sophistication aimed at evading automated analysis environments: they validate mouse movement and screen resolution and look for signs of virtual machines, debuggers or antivirus products. These checks are not new, but they reveal a deliberate effort to avoid sandboxes and show careful work in the initial stage of the intrusion.

The use of Rust to develop backdoors like CHAR is not anecdotal. The language, valued for its performance and for producing self-contained executables, is increasingly being chosen by malicious operators. Group-IB even detected unusual signs in the code that suggest the involvement of artificial intelligence tools in the development process, for example emojis in debug strings, which connects with earlier reports on experiments with AI-assisted generation in malware projects. To understand the broader picture of how these threats evolve and are analysed, it is worth reviewing the documentation and alerts of teams dedicated to cybersecurity, such as the work of Google's Threat Analysis Group.

In addition to spear-phishing and local evasion techniques, MuddyWater has not abandoned the exploitation of public vulnerabilities in exposed servers for initial access. This duality, targeting both end users through social engineering and unpatched public-facing infrastructure, is what amplifies the potential impact of the campaign and complicates the work of defenders.

As for functionality, the detected toolset gives the adversary fairly complete control: remote command execution, file transfer, opening interactive shells, browser data theft and the ability to run SOCKS5 proxies or additional components such as other backdoors. The use of diversified infrastructure and of channels such as Telegram to control the implants shows a preference for flexible methods that are hard to block.

For organizations and administrators, this poses specific challenges. The first line of defence remains user awareness: do not enable macros in documents of unknown origin, and adopt policies that block macros in files downloaded from the Internet. Microsoft publishes practical recommendations on reducing the risk associated with Office macros in its technical documentation (see the Microsoft guide).


In parallel, it is essential to harden the technical perimeter: consistent patching of exposed services to prevent intrusions through known vulnerabilities, monitoring of domains and outbound traffic that point to command-and-control servers, and blocking rules for unauthorized remote access software such as AnyDesk when it is not managed by the IT team. Modern detection tools should look at both in-memory behaviour and C2 interaction signals; to understand common techniques and tactics it is worth reviewing reference frameworks such as MITRE ATT&CK.
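The two outbound signals the article singles out, Telegram-based implant control and AnyDesk deployed outside IT management, can be hunted for in ordinary proxy logs. The following script is an added example for this article, not code from Group-IB or from the report; the log format, hostnames, workstation names and the managed-host allow list are all constructed for illustration.

```python
"""Flag outbound connections matching two patterns from the Olalampo write-up:
Telegram Bot API traffic (the control channel reported for CHAR) and AnyDesk
relay traffic from hosts that are not on the IT-managed allow list.
The log format and every host/domain below are constructed for this example."""
import re
from collections import defaultdict

# Constructed proxy log: timestamp, source host, destination:port, method, status
SAMPLE_LOG = """\
2026-02-03T09:12:01Z ws-0417 api.telegram.org:443 CONNECT 200
2026-02-03T09:12:05Z ws-0417 cdn.office.net:443 CONNECT 200
2026-02-03T09:13:44Z ws-0198 relay-1.net.anydesk.com:443 CONNECT 200
2026-02-03T09:14:02Z it-helpdesk-02 relay-3.net.anydesk.com:443 CONNECT 200
2026-02-03T09:15:30Z ws-0417 api.telegram.org:443 CONNECT 200
2026-02-03T09:16:11Z ws-0233 www.example.com:443 CONNECT 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<dest>[^:\s]+):(?P<port>\d+)"
    r"\s+(?P<method>\S+)\s+(?P<status>\d+)$"
)

# Hosts whose AnyDesk use is sanctioned by IT (assumption for this example).
MANAGED_ANYDESK_HOSTS = {"it-helpdesk-02"}


def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def classify(rec):
    """Return a finding category for a parsed record, or None if benign.

    Telegram Bot API traffic from a workstation is not proof of compromise
    (legitimate bots exist), but from hosts with no business reason it is a
    strong lead given the C2 channel described in the report.
    """
    dest = rec["dest"].lower()
    if dest == "api.telegram.org":
        return "telegram-bot-api"
    if dest == "anydesk.com" or dest.endswith(".anydesk.com"):
        if rec["host"] not in MANAGED_ANYDESK_HOSTS:
            return "unmanaged-anydesk"
    return None


def find_suspicious(log_text):
    """Aggregate findings as {host: {category: count}} so beaconing shows up
    as a repeat count rather than a single alert."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the hunt
        category = classify(rec)
        if category:
            hits[rec["host"]][category] += 1
    return {host: dict(cats) for host, cats in hits.items()}


if __name__ == "__main__":
    for host, cats in sorted(find_suspicious(SAMPLE_LOG).items()):
        print(host, cats)
```

On the constructed sample, ws-0417 is reported twice for the Telegram Bot API and ws-0198 once for unmanaged AnyDesk, while the helpdesk host on the allow list produces nothing. In practice the allow list and the domain patterns would be fed from the asset inventory and from the indicators in the Group-IB report rather than hard-coded.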

Group-IB's research provides indicators of compromise, techniques and TTPs that organizations should incorporate into their intelligence and response processes. Consulting the original report helps identify the domains, hashes and patterns that will make it easier to hunt for infections and clean up affected environments. The complete analysis is available in the Group-IB report: Operation Olalampo - Group-IB.

Finally, the case once again highlights a worrying trend: state-sponsored groups, or groups with advanced capabilities, not only refine their technical tools but also bring in new resources, among them possible AI assistance during development, that accelerate the creation and evolution of malware. The response requires a combination of basic digital hygiene, deep technical controls and international cooperation in information sharing. The discussion on how to protect critical infrastructure and organizations in areas of high geopolitical exposure remains urgent and necessary.
