{
  "name": "Operation Olalampo: Inside MuddyWater's Latest Campaign",
  "slug": "operation-olalampo-inside-muddywaters-latest-campaign",
  "description": "MuddyWater APT has launched Operation Olalampo, targeting organizations in the MENA region. The campaign involves new malware variants, including a Rust backdoor called CHAR, downloaders GhostFetch and HTTP_VIP, and an advanced backdoor GhostBackDoor. Notably, the group is using Telegram bots for command-and-control, revealing insights into their post-exploitation tactics. The operation, first observed on January 26, 2026, shows tactical and technical overlaps with previous MuddyWater activities. Key discoveries include potential AI-assisted malware development and infrastructure reuse dating back to October 2025. The campaign aligns with ongoing geopolitical tensions and provides valuable information on the threat actor's evolving techniques.",
  "published": "2026-02-23T09:13:38+00:00",
  "created_at": "2026-02-23T09:13:38+00:00",
  "modified_at": "2026-02-23T09:20:43+00:00",
  "created_at_opencti": "2026-02-23T09:13:38+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-23",
    "ai-assisted",
    "apt",
    "c2",
    "charmpower",
    "ghostbackdoor",
    "ghostfetch",
    "http_vip",
    "mena",
    "operation olalampo",
    "post-exploitation",
    "rust backdoor",
    "telegram bot"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "209.74.87.100"
      },
      {
        "id": "",
        "name": "209.74.87.67"
      },
      {
        "id": "",
        "name": "143.198.5.41"
      },
      {
        "id": "",
        "name": "162.0.230.185"
      },
      {
        "id": "",
        "name": "e25892603c42e34bd7ba0d8ea73be600d898cadc290e3417a82c04d6281b743b"
      },
      {
        "id": "",
        "name": "3a19c19d9f3bac6628a968110477ee01e5867b2534e914e1be5c4485947bd819"
      },
      {
        "id": "",
        "name": "cb08fd349397af4528cb8cd94cc69434388747f93424da44c31169ccddc876ac"
      },
      {
        "id": "",
        "name": "ef22f16d56334c01032bba80144e98a5dfb2eb87ce839411ea82d1e3ee4d0cef"
      },
      {
        "id": "",
        "name": "556e86667fcaee82976e83a653acb73a3e953f3560a5ba5aa7fc75a6d1a2c399"
      },
      {
        "id": "",
        "name": "aee523056d602571ff006565b432148715a6a13d098d518ba8131ccbe719c043"
      },
      {
        "id": "",
        "name": "3fa148e2d3fb86cecc15c276c5329496beba9aba14a6024b561efabf2e4e68af"
      },
      {
        "id": "",
        "name": "9b4cd87d338d2fcf30d75f9e5c7abb8be085dc8c4f573df19597b872d8ae8c2d"
      },
      {
        "id": "",
        "name": "81a6e6416eb7ab6ce6367c6102c031e2ae2730c3c50ab9ce0b8668fec3487848"
      },
      {
        "id": "",
        "name": "c91413ad7c94c0e2694862b9d671d1204873bf65576ba2cb91fbd562a4ccf79b"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:fac04b11d9f42771",
        "name": "CharmPower - S0674",
        "slug": "charmpower-s0674"
      },
      {
        "id": "legacy:malware:9d2cc9a75dca570f",
        "name": "GhostFetch",
        "slug": "ghostfetch"
      },
      {
        "id": "legacy:malware:6d920e9aac426551",
        "name": "GhostBackDoor",
        "slug": "ghostbackdoor"
      },
      {
        "id": "legacy:malware:1329c34f1e0c32e8",
        "name": "HTTP_VIP",
        "slug": "http_vip"
      }
    ],
    "intrusion_sets": [
      {
        "id": "98b7af71-8465-4bc4-9526-3bd1a8ac5f59",
        "name": "MuddyWater",
        "slug": "muddywater"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "codefusiontech.org"
      },
      {
        "id": "",
        "name": "jerusalemsolutions.com"
      },
      {
        "id": "",
        "name": "promoverse.org"
      },
      {
        "id": "",
        "name": "miniquest.org"
      }
    ]
  },
  "external_refs": [
    "https://www.group-ib.com/blog/muddywater-operation-olalampo/",
    "https://otx.alienvault.com/pulse/699c2852f2e41e1678d750b5"
  ]
}