Find notable cyber news and cases, enriched with sources, timelines, and signals.

MuddyWater GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor malware activity

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

MuddyWater's new malware toolkit now includes GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor, extending multi-stage delivery and remote-control capability against targeted systems. The activity was first observed on January 26, 2026 and focused on organizations and individuals in MENA. One infection path used phishing emails with malicious Office documents to drop payloads through macros, while another deployed AnyDesk. The tooling adds reconnaissance, shell access, file transfer, and data collection functions that increase operational reach.

Related Happenings

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

MuddyWater broad cyber-espionage campaign across sectors and countries

Campaign
H score37 First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: **MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...

UnsolicitedBooker Central Asian telecom phishing campaign

Campaign
H score31 First: 24.02.2026 11:54 Last: 24.02.2026 11:54 Sources 1

About this happening: The **UnsolicitedBooker** cluster shifted its phishing operation to **telecommunications companies in Kyrgyzstan and Tajikistan**, extending a multi-month campaign that matters be...

MuddyWater Operation Olalampo campaign targeting MENA organizations and individuals

Campaign
H score33 First: 23.02.2026 09:25 Last: 23.02.2026 09:25 Sources 1

How related: The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted several organizations and individuals mainly located across the Middle East and North Africa (MENA) region as part of a new campaign codenamed Operation Olalampo.

About this happening: The **MuddyWater** campaign **Operation Olalampo** is actively targeting organizations and individuals across **MENA**, creating ongoing risk of remote compromise and follow-on in...

Infy (aka Prince of Persia) renewed C2 campaign after Iran blackout

Campaign
H score17 First: 05.02.2026 12:25 Last: 05.02.2026 12:25 Sources 1

About this happening: **Infy (aka Prince of Persia)**, an **Iranian APT**, is still running a covert campaign across **Iran, Iraq, Turkey, India, Canada, and Europe** using updated **Foudre v34** and *...

Timeline

  1. 23.02.2026 09:25 1 articles · 4mo ago

    MuddyWater targets MENA organizations in Operation Olalampo

    Campaign Scope Update

    MuddyWater targeted organizations and individuals mainly in the Middle East and North Africa (MENA) region as part of Operation Olalampo, using phishing emails with malicious Microsoft Office documents and macro-enabled payloads to deliver GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor.

    Show sources
  2. 23.02.2026 09:25 2 articles · 4mo ago

    Group-IB analyzes GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor

    Technical Analysis Update

    Group-IB published analysis of the operation and described GhostFetch as a first-stage downloader that profiles host systems and executes secondary payloads in memory, GhostBackDoor as a second-stage backdoor with interactive shell and file read/write functions, HTTP_VIP as a downloader that authenticates to codefusiontech[.]org to deploy AnyDesk, and CHAR as a Rust backdoor controlled by the Telegram bot stager_51_bot; the analysis also noted AI-assisted development indicators, similarity to BlackBeard (aka Archer RAT and RUSTRIC), and use of recently disclosed vulnerabilities on public-facing servers for initial access.

    Show sources