MuddyWater GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor malware activity
Malware Activity
Summary
Hide ▲
Show ▼
MuddyWater's new malware toolkit now includes GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor, extending multi-stage delivery and remote-control capability against targeted systems. The activity was first observed on January 26, 2026 and focused on organizations and individuals in MENA. One infection path used phishing emails with malicious Office documents to drop payloads through macros, while another deployed AnyDesk. The tooling adds reconnaissance, shell access, file transfer, and data collection functions that increase operational reach.
Related Happenings
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
H score37
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
MuddyWater broad cyber-espionage campaign across sectors and countries
CampaignAbout this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
UnsolicitedBooker Central Asian telecom phishing campaign
Campaign
H score31
First: 24.02.2026 11:54
Last: 24.02.2026 11:54
Sources 1
About this happening:
The **UnsolicitedBooker** cluster shifted its phishing operation to **telecommunications companies in Kyrgyzstan and Tajikistan**, extending a multi-month campaign that matters be...
UnsolicitedBooker Central Asian telecom phishing campaign
CampaignAbout this happening: The **UnsolicitedBooker** cluster shifted its phishing operation to **telecommunications companies in Kyrgyzstan and Tajikistan**, extending a multi-month campaign that matters be...
MuddyWater Operation Olalampo campaign targeting MENA organizations and individuals
Campaign
H score33
First: 23.02.2026 09:25
Last: 23.02.2026 09:25
Sources 1
How related:
The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted several organizations and individuals mainly located across the Middle East and North Africa (MENA) region as part of a new campaign codenamed Operation Olalampo.
About this happening:
The **MuddyWater** campaign **Operation Olalampo** is actively targeting organizations and individuals across **MENA**, creating ongoing risk of remote compromise and follow-on in...
MuddyWater Operation Olalampo campaign targeting MENA organizations and individuals
CampaignHow related: The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted several organizations and individuals mainly located across the Middle East and North Africa (MENA) region as part of a new campaign codenamed Operation Olalampo.
About this happening: The **MuddyWater** campaign **Operation Olalampo** is actively targeting organizations and individuals across **MENA**, creating ongoing risk of remote compromise and follow-on in...
Infy (aka Prince of Persia) renewed C2 campaign after Iran blackout
Campaign
H score17
First: 05.02.2026 12:25
Last: 05.02.2026 12:25
Sources 1
About this happening:
**Infy (aka Prince of Persia)**, an **Iranian APT**, is still running a covert campaign across **Iran, Iraq, Turkey, India, Canada, and Europe** using updated **Foudre v34** and *...
Infy (aka Prince of Persia) renewed C2 campaign after Iran blackout
CampaignAbout this happening: **Infy (aka Prince of Persia)**, an **Iranian APT**, is still running a covert campaign across **Iran, Iraq, Turkey, India, Canada, and Europe** using updated **Foudre v34** and *...
Timeline
-
23.02.2026 09:25 1 articles · 4mo ago
MuddyWater targets MENA organizations in Operation Olalampo
Campaign Scope UpdateMuddyWater targeted organizations and individuals mainly in the Middle East and North Africa (MENA) region as part of Operation Olalampo, using phishing emails with malicious Microsoft Office documents and macro-enabled payloads to deliver GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor.
Show sources
- MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP — thehackernews.com — 23.02.2026 09:25
-
23.02.2026 09:25 2 articles · 4mo ago
Group-IB analyzes GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor
Technical Analysis UpdateGroup-IB published analysis of the operation and described GhostFetch as a first-stage downloader that profiles host systems and executes secondary payloads in memory, GhostBackDoor as a second-stage backdoor with interactive shell and file read/write functions, HTTP_VIP as a downloader that authenticates to codefusiontech[.]org to deploy AnyDesk, and CHAR as a Rust backdoor controlled by the Telegram bot stager_51_bot; the analysis also noted AI-assisted development indicators, similarity to BlackBeard (aka Archer RAT and RUSTRIC), and use of recently disclosed vulnerabilities on public-facing servers for initial access.
Show sources
- MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP — thehackernews.com — 23.02.2026 09:25
- MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP — thehackernews.com — 23.02.2026 09:25