A new wave of targeted cyber-espionage is sweeping across the Middle East and North Africa (MENA) region. According to an analysis by the Group-IB Threat Intelligence Team, the Iranian threat actor known as MuddyWater has launched a fresh campaign, dubbed “Operation Olalampo,” using a suite of previously unseen malware and new development practices.
First observed on January 26, 2026, the operation appears to align with ongoing geopolitical tensions in the region and is narrowly targeted at specific organizations and individuals rather than broadly distributed.
The most striking discovery of the investigation is the deployment of four previously unknown malware families. These tools show a notable level of technical sophistication and suggest the group is increasingly automating its development work.
The new arsenal includes:
- CHAR: A stealthy backdoor written in the Rust programming language.
- GhostBackDoor: An advanced backdoor designed for long-term persistence on compromised hosts.
- GhostFetch and HTTP_VIP: Two specialized downloaders used to pull additional payloads into compromised environments.
“The Group-IB Threat Intelligence Team has identified several novel malware variants exhibiting tactical and technical overlap with samples previously attributed to the Muddy Water threat group,” the report states. Interestingly, researchers also identified “Indicators suggesting AI-assisted malware development,” highlighting how threat actors are now leveraging Large Language Models to accelerate their coding processes.
MuddyWater has also varied its command-and-control (C2) approach, supplementing traditional attacker-operated servers with legitimate communication platforms: one variant in this campaign “leveraged a Telegram bot as a command-and-control (C2) channel”.
By monitoring this Telegram C2 bot, Group-IB gained “valuable insight into MuddyWater’s post-exploitation activity, including executed commands, deployed tools, and data collection techniques”. The bot’s activity also revealed “limited historical usage in late 2025, indicating infrastructure reuse rather than a separate campaign”.
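Bot-based Telegram C2 is visible to defenders because the implant must talk to a single well-known endpoint, and the bot token sits in the URL path (`https://api.telegram.org/bot<id>:<secret>/<method>`). In the pattern commonly seen in such implants (a general observation, not a claim about CHAR's internals), the malware polls `getUpdates` on a fixed interval to fetch operator commands and returns output with `sendMessage` or `sendDocument`. The following is an added example, not Group-IB's code or anything from the report: it scans constructed proxy log lines for Bot API traffic, groups requests by source host and bot ID, and scores each client for regular polling, upload methods, and a missing user agent. It assumes a TLS-inspecting proxy that logs full URLs (a CONNECT-only log would show just the hostname), and every IP and token in it is made up.

```python
"""Triage Telegram Bot API traffic in proxy logs for signs of implant C2.

Added example; not from Group-IB or the Operation Olalampo report. All
addresses, bot IDs and tokens below are constructed and are not indicators.
"""
import re
from collections import defaultdict
from datetime import datetime

# Bot API URL shape: https://api.telegram.org/bot<numeric id>:<secret>/<method>
BOT_API = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Constructed log line shape: <ISO timestamp> <src ip> "<user agent>" <verb> <url>
LOG_LINE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

# Methods that move data from the host to the operator (command output, exfil)
UPLOAD_METHODS = {"sendMessage", "sendPhoto", "sendDocument"}
# Method an implant uses to pull operator commands
POLL_METHOD = "getUpdates"

# Constructed sample: one normal web client, one host that polls every 30 s with
# no user agent and then uploads a document, and one scripted sendMessage call.
SAMPLE_LOG = """\
2026-01-27T09:00:00Z 10.0.0.12 "Mozilla/5.0 (Windows NT 10.0) Chrome/121" GET https://web.telegram.org/
2026-01-27T09:00:05Z 10.0.0.45 "-" POST https://api.telegram.org/bot7231109888:AAE3q8_exampleTokenBodyXYZ/getUpdates
2026-01-27T09:00:35Z 10.0.0.45 "-" POST https://api.telegram.org/bot7231109888:AAE3q8_exampleTokenBodyXYZ/getUpdates
2026-01-27T09:01:05Z 10.0.0.45 "-" POST https://api.telegram.org/bot7231109888:AAE3q8_exampleTokenBodyXYZ/getUpdates
2026-01-27T09:01:20Z 10.0.0.45 "-" POST https://api.telegram.org/bot7231109888:AAE3q8_exampleTokenBodyXYZ/sendDocument
2026-01-27T09:02:00Z 10.0.0.77 "python-requests/2.31" POST https://api.telegram.org/bot5550001111:AAF_another_example/sendMessage
"""


def parse(log_text):
    """Return one event dict per Bot API request; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, src, ua, _verb, url = m.groups()
        b = BOT_API.search(url)
        if not b:
            continue  # e.g. web.telegram.org: a human client, not the Bot API
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src,
            "ua": ua,
            "bot_id": b.group(1),   # enough to block or hunt; never log the secret
            "method": b.group(3),
        })
    return events


def analyse(log_text, max_jitter=10.0):
    """Score each (source host, bot id) pair; score >= 2 is treated as suspicious."""
    per_client = defaultdict(list)
    for e in parse(log_text):
        per_client[(e["src"], e["bot_id"])].append(e)

    findings = []
    for (src, bot_id), evs in per_client.items():
        evs.sort(key=lambda e: e["ts"])
        polls = [e["ts"] for e in evs if e["method"] == POLL_METHOD]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        # Regular getUpdates polling with little jitter looks like a beacon loop
        beaconing = len(gaps) >= 2 and max(gaps) - min(gaps) <= max_jitter
        uploads = sorted({e["method"] for e in evs if e["method"] in UPLOAD_METHODS})
        no_user_agent = all(e["ua"] in ("", "-") for e in evs)

        score = (2 if beaconing else 0) + (1 if uploads else 0) + (1 if no_user_agent else 0)
        findings.append({
            "src": src,
            "bot_id": bot_id,
            "requests": len(evs),
            "beaconing": beaconing,
            "uploads": uploads,
            "no_user_agent": no_user_agent,
            "score": score,
            "suspicious": score >= 2,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

The scoring is deliberately conservative: a single scripted `sendMessage` from a host that identifies itself (the `10.0.0.77` case) is listed for review but not flagged, while a host that polls `getUpdates` on a clean 30-second cadence, sends nothing as a user agent, and then calls `sendDocument` is. In practice the bot ID extracted here is what you would feed to a proxy block rule, and the polling interval is the value to tune `max_jitter` against once you know how the implant sleeps.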
Despite the introduction of new languages like Rust, the underlying “tradecraft remains consistent with Muddy Water’s known operations”.
Technical analysis of the malware showed clear ties to the group’s past work. For instance, “The GhostFetch and GhostBackDoor employ the same string decoding techniques observed in other Muddy Water-linked malware”. Additionally, the CHAR backdoor shares a “similar structure and development environment as the Rust-based malware BlackBeard (aka ‘Archer RAT’)”.
“The MuddyWater APT group remains an active threat within the META region, with this operation primarily targeting organizations in the MENA region,” the report concludes.
As threat actors continue to integrate AI into their workflows and abuse popular platforms like Telegram for C2, defenders across the globe should expect more of the same: Group-IB notes that the campaign's “Post-exploitation activity strongly matching Muddy Water’s known toolset and operational patterns” shows the group building on its established playbook rather than abandoning it.