Operation Olalampo: Inside MuddyWater’s Latest Campaign
ID: 1e100431-4fb7-562d-a5f0-8e5ec069ccde
STIX ID: report--1e100431-4fb7-562d-a5f0-8e5ec069ccde
Feed Name: Group-IB Blog
Operation Olalampo — attributed with high confidence to the Iranian-linked APT MuddyWater — is a targeted espionage campaign, first observed on 26 Jan 2026, that uses malicious Office documents and exploited public-facing servers to deliver multiple custom tools (GhostFetch, HTTP_VIP, GhostBackDoor, and the Rust backdoor CHAR). The operation relies on diverse C2 infrastructure (domains, Cloudflare-protected hosts, and a Telegram bot) and shows evidence of infrastructure reuse and rapid tool development, including signs of AI-assisted code. The report includes detailed IOCs, a description of the observed post-exploitation activity, and actionable detection and mitigation guidance.
