MuddyWater GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor malware activity
Malware Activity
Summary
MuddyWater's new malware toolkit now includes GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor, extending multi-stage delivery and remote-control capability against targeted systems. The activity was first observed on January 26, 2026 and focused on organizations and individuals in MENA. One infection path used phishing emails with malicious Office documents to drop payloads through macros, while another deployed AnyDesk. The tooling adds reconnaissance, shell access, file transfer, and data collection functions that increase operational reach.
Related Happenings
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
UnsolicitedBooker Central Asian telecom phishing campaign
Campaign
First: 24.02.2026 11:54
Last: 24.02.2026 11:54
Sources 1
About this happening:
The **UnsolicitedBooker** cluster shifted its phishing operation to **telecommunications companies in Kyrgyzstan and Tajikistan**, extending a multi-month campaign that matters be...
MuddyWater Operation Olalampo campaign targeting MENA organizations and individuals
Campaign
First: 23.02.2026 09:25
Last: 23.02.2026 09:25
Sources 1
How related:
The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted several organizations and individuals mainly located across the Middle East and North Africa (MENA) region as part of a new campaign codenamed Operation Olalampo.
About this happening:
The **MuddyWater** campaign **Operation Olalampo** is actively targeting organizations and individuals across **MENA**, creating ongoing risk of remote compromise and follow-on in...
Infy (aka Prince of Persia) renewed C2 campaign after Iran blackout
Campaign
First: 05.02.2026 12:25
Last: 05.02.2026 12:25
Sources 1
About this happening:
**Infy (aka Prince of Persia)**, an **Iranian APT**, is still running a covert campaign across **Iran, Iraq, Turkey, India, Canada, and Europe** using updated **Foudre v34** and *...
Fancy Bear (APT28) Microsoft Office exploitation campaign targeting Ukrainian and EU organizations
Campaign
First: 02.02.2026 14:45
Last: 02.02.2026 14:45
Sources 1
About this happening:
**Fancy Bear (APT28)** is linked to an **active espionage campaign** that used a **custom Covenant** implant and **BeardShell** against **Ukrainian targets** since **April 2024**....
Latest development: 10.03.2026 12:00
ESET says APT28 has used a custom variant of Covenant together with BeardShell since April 2024 against Ukrainian targets, including Ukrainian military personnel and central executive bodies of Ukraine, with recent attacks exploiting CVE-2026-21509 in Microsoft Office via malicious DOC files. Covenant is the primary implant and BeardShell is the fallback, while Icedrive, Filen, Koofr, and pCloud are used for C2 infrastructure.
Timeline
- 23.02.2026 09:25 · 1 article · 3mo ago
  MuddyWater targets MENA organizations in Operation Olalampo
  Campaign Scope Update: MuddyWater targeted organizations and individuals mainly in the Middle East and North Africa (MENA) region as part of Operation Olalampo, using phishing emails with malicious Microsoft Office documents and macro-enabled payloads to deliver GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor.
  Sources:
  - MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP — thehackernews.com — 23.02.2026 09:25
- 23.02.2026 09:25 · 2 articles · 3mo ago
  Group-IB analyzes GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor
  Technical Analysis Update: Group-IB published analysis of the operation and described GhostFetch as a first-stage downloader that profiles host systems and executes secondary payloads in memory; GhostBackDoor as a second-stage backdoor with interactive shell and file read/write functions; HTTP_VIP as a downloader that authenticates to codefusiontech[.]org to deploy AnyDesk; and CHAR as a Rust backdoor controlled by the Telegram bot stager_51_bot. The analysis also noted AI-assisted development indicators, similarity to BlackBeard (aka Archer RAT and RUSTRIC), and use of recently disclosed vulnerabilities on public-facing servers for initial access.
  Sources:
  - MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP — thehackernews.com — 23.02.2026 09:25