|
 |
Operation Olalampo is a cyber-espionage campaign attributed to the Iranian state-aligned Advanced Persistent Threat (APT) group MuddyWater. Identified by Group-IB threat intelligence researchers, the campaign represents a continuation of MuddyWater’s long-standing strategy of targeting organizations across geopolitically significant regions, particularly the Middle East and North Africa (MENA). First observed on 26 January 2026, Operation Olalampo demonstrates the group’s increasing technical sophistication and operational maturity, particularly through the deployment of custom malware families, the use of novel command-and-control (C2) channels, and evidence of artificial intelligence-assisted development practices.
MuddyWater is widely believed to operate on behalf of Iranian intelligence interests and has been active since approximately 2017. The group focuses primarily on intelligence collection and long-term persistence within compromised networks. Their victims typically include government agencies, telecommunications companies, financial institutions, and other organizations of strategic importance.
Operation Olalampo highlights how state-sponsored threat actors continue to refine their tactics, techniques, and procedures (TTPs) in order to maintain effectiveness against modern defensive systems. This report provides a comprehensive analysis of Operation Olalampo, including threat actor background, targeting strategy, attack methodology, malware toolkit, infrastructure, and broader cybersecurity implications.
Who is MuddyWater?
MuddyWater is an Iranian APT group known by numerous aliases, including Seedworm, TA450, Mango Sandstorm, and Earth Vetala. The group is believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS) and conducts cyber-espionage campaigns aligned with Iranian geopolitical interests.
Since its emergence, MuddyWater has focused on intelligence gathering rather than financial gain. Its campaigns typically seek long-term access to targeted networks, allowing attackers to extract sensitive information over extended periods.
Typical MuddyWater targets include:
Government institutions
Energy and infrastructure companies
Telecommunications providers
Defense contractors
Academic institutions
Financial organizations
The group’s operations often align with Iranian strategic priorities, particularly in the Middle East. However, MuddyWater activity has also been observed in Europe and North America, indicating an expanding operational scope.
Historically, MuddyWater has relied heavily on phishing attacks and PowerShell-based malware. Over time, however, the group has evolved toward custom-built malware frameworks and diversified infrastructure to evade detection.
Operation Olalampo represents a significant stage in this evolution.
Overview of Operation Olalampo
Operation Olalampo is a coordinated cyber-espionage campaign targeting organizations and individuals primarily in the Middle East and North Africa. The campaign involves a multi-stage infection chain designed to establish persistent remote access to victim systems.
The campaign uses several new malware families, including:
GhostFetch
GhostBackDoor
HTTP_VIP
CHAR
These tools work together as part of a structured attack chain, beginning with phishing emails and ending with full remote control of compromised systems.
Despite the introduction of new tools and programming languages, the operation maintains consistent tradecraft with previous MuddyWater campaigns.
This continuity helps analysts confidently attribute the operation to MuddyWater.
Targeting Strategy
Operation Olalampo primarily targets organizations across the MENA region, including both government and private-sector entities.
The choice of targets suggests intelligence-gathering objectives aligned with regional political tensions.
Victims include:
Government agencies
Corporate organizations
Infrastructure operators
Individual professionals
The campaign uses carefully designed phishing lures that mimic legitimate business communications. Examples include:
Flight ticket confirmations
Corporate reports
Energy-sector communications
These lures increase the likelihood that recipients will open malicious attachments.
The targeting pattern reflects MuddyWater’s traditional focus on strategic intelligence rather than indiscriminate attacks.
Initial Access: Phishing and Social Engineering
The primary entry point for Operation Olalampo is spear-phishing emails containing malicious Microsoft Office attachments.
These attachments typically consist of Excel documents that contain embedded macros.
When a victim opens the document and enables macros, malicious code executes automatically.
The macro code:
Decodes embedded payloads
Writes files to the system
Executes malware components
This approach is consistent with MuddyWater’s previous campaigns and demonstrates continued reliance on social engineering techniques.
Phishing remains effective because it exploits human trust rather than technical vulnerabilities.
Malware Architecture
Operation Olalampo uses a modular malware architecture designed to support flexibil