As part of a new campaign codenamed Operation Olalampo, the Iranian hacker collective known as MuddyWater (also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted organizations and individuals located primarily in the Middle East and North Africa (MENA) region. Group-IB said the attacks "follow similar patterns and align with the killchains previously observed in MuddyWater attacks; starting with a phishing email with a Microsoft Office document attached that contains malicious macro code that decodes the embedded payload and drops it on the system and executes it, giving the adversary remote control of the system." In one such attack chain, a malicious Microsoft Excel document asks the user to enable macros, which triggers the infection and ultimately drops CHAR.

A second variant of the same attack instead deploys the GhostFetch downloader, which in turn downloads GhostBackDoor. A third variant swaps the lures impersonating a Middle Eastern energy and marine services company for flight-ticket and report themes, and uses them to distribute the HTTP_VIP downloader, which then launches the AnyDesk remote desktop software. The four tools work as follows. GhostFetch is a first-stage downloader that profiles the system, checks mouse movement and screen resolution, looks for antivirus software, debuggers, and virtual machine artifacts, and fetches and executes secondary payloads directly from memory.

GhostBackDoor is a second-stage backdoor delivered by GhostFetch; it supports an interactive shell, file read/write, and re-running GhostFetch. HTTP_VIP is a native downloader that performs system reconnaissance and connects to an external server ("codefusiontech[.]org") to authenticate and deploy AnyDesk from the C2 server. A newer malware variant additionally retrieves victim information and accepts instructions to launch an interactive shell, download and upload files, capture clipboard contents, and adjust the sleep/beaconing interval.

CHAR is a Rust backdoor that lets a Telegram bot (username "stager_51_bot", first name "Olalampo") change directories and run a PowerShell or cmd.exe command.

The PowerShell command is designed to run unknown executables named "sh.exe" and "gshdoc_release_X64_GUI.exe", upload data stolen from web browsers, and launch a SOCKS5 reverse proxy or another backdoor called Kalim. Group-IB's analysis of CHAR's source code found indications of artificial intelligence (AI)-assisted development, based on the presence of emojis in debug strings. This is consistent with Google's disclosure last year that the threat actor is experimenting with generative AI tools to support the development of custom malware for file transfer and remote execution. MuddyWater has also been observed exploiting recently disclosed vulnerabilities in public-facing servers to gain initial access to target networks.

Group-IB concluded that "the MuddyWater APT group remains an active threat within the META region, with this operation primarily targeting organizations in the MENA region." "The group's ongoing use of AI technology, along with their ongoing creation of unique malware and tools and a variety of command-and-control (C2) infrastructures, demonstrates their commitment to growing their business."