Operation Olalampo Exposed: MuddyWater Deploys GhostFetch and HTTP_VIP in MENA Espionage Surge

The cybersecurity landscape in the Middle East and North Africa (MENA) is facing a renewed and sophisticated threat. Security Arsenal analysts have been tracking a disturbing surge in activity attributed to the Iranian-aligned threat actor known as MuddyWater (also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST). Their latest campaign, codenamed Operation Olalampo, signals a significant evolution in their arsenal, moving beyond established tools to deploy previously unseen malware families including GhostFetch, CHAR, and HTTP_VIP.

First detected in late January 2026, this campaign demonstrates MuddyWater's continued focus on espionage and data theft within the region. The group is leveraging a complex attack chain designed to evade traditional defenses, making it imperative for organizations to upgrade their threat hunting capabilities immediately.

The Evolution of MuddyWater

MuddyWater has long been a persistent menace, utilizing "living-off-the-land" (LotL) techniques to blend in with normal administrative traffic. However, Operation Olalampo introduces custom-developed tools that suggest a shift toward more persistent and harder-to-detect mechanisms.

While the group historically relied heavily on PowerShell for initial execution, this campaign introduces GhostFetch, likely a reconnaissance tool designed to quietly harvest system data and credentials. Alongside it, HTTP_VIP appears to function as a sophisticated Command-and-Control (C2) channel, utilizing custom HTTP headers to obfuscate communications with attacker infrastructure. The third component, CHAR, is currently under analysis but is suspected to be involved in data staging or exfiltration.

Deep Dive: Attack Vectors and TTPs

The initial vector for Operation Olalampo follows a familiar yet effective pattern: spear-phishing. Attackers are distributing malicious documents, often disguised as legitimate official correspondence, tailored to specific regional industries. Once a user enables macros or clicks embedded links, the infection chain begins.

Key TTPs Observed:

1. Macro-Based Droppers: The payloads use VBA macros to invoke PowerShell, a hallmark of MuddyWater operations.
2. Process Injection: The malware injects malicious code into legitimate system processes (often rundll32.exe or mshta.exe) to bypass firewall rules that restrict new executable creation.
3. C2 Obfuscation: The HTTP_VIP module communicates using specific User-Agent strings and cookie values that mimic standard web traffic, allowing it to pass through perimeter proxies undetected.
4. Anti-Analysis: The new families include sandbox evasion techniques, checking for virtualization artifacts before deploying the full payload.

Detection and Threat Hunting

To combat Operation Olalampo, SOC teams must move beyond signature-based detection. Below are specific queries and scripts designed to identify the anomalous behaviors associated with GhostFetch and HTTP_VIP.

KQL Queries (Microsoft Sentinel/Defender)

Hunt for suspicious PowerShell activity that includes encoded commands, often used to drop the initial payload.

DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "-enc" or ProcessCommandLine has "-encodedcommand"
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
| extend HuntName = "MuddyWater_Encoded_PS"

Detect processes making network connections with suspicious characteristics indicative of HTTP_VIP C2 beacons.

DeviceNetworkEvents
| where Timestamp >= ago(24h)
| where InitiatingProcessFileName in~ ("powershell.exe", "rundll32.exe", "mshta.exe")
| where RemotePort == 80 or RemotePort == 443
| where NetworkProtocol in~ ("http", "https")
| parse RemoteUrl with * "(" Protocol ":" ")" * // Basic parsing to isolate protocol if embedded
| where isnotempty(AdditionalFields)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| summarize count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where count_ > 5
| extend HuntName = "MuddyWater_HTTP_VIP_Beacon"

PowerShell Hunting Script

Run this script on endpoints to check for the presence of suspicious persistence mechanisms often used by this group.

# Hunting for MuddyWater Persistence Mechanisms
$SuspiciousPaths = @(
    "$env:APPDATA\Microsoft\Windows\Templates",
    "$env:PUBLIC\Documents",
    "$env:TEMP\System32"
)

$SuspiciousProcesses = @("powershell", "rundll32")

# Check for recent scheduled tasks created by suspicious parents
Get-ScheduledTask | Where-Object {
    $_.State -eq 'Ready' -and 
    $_.Author -notmatch "Microsoft|Microsoft Corporation" -and 
    $_.Date -gt (Get-Date).AddDays(-30)
} | Select-Object TaskName, Author, Date, Actions

# Check for specific registry run keys
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run", 
"HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue | 
Where-Object { $_.PSObject.Properties.Value -match "powershell" -and $_.PSObject.Properties.Name -notmatch "OneDrive" }

Bash Script (Linux Environments)

MuddyWater has targeted Linux servers in the past. Use this to scan for recent modifications to cron jobs or web shells.

#!/bin/bash
# Check for recently modified cron files
echo "Checking for suspicious cron activity..."
find /etc/cron.* /var/spool/cron/crontabs -type f -mtime -7 -ls

# Check for Python scripts acting as reverse shells (common in newer campaigns)
echo "Checking for suspicious python network processes..."
ps aux | grep python | grep -v grep | awk '{print $2}' | while read pid; do
    ls -l /proc/$pid/cwd 2>/dev/null
done

Mitigation Strategies

Defending against MuddyWater requires a defense-in-depth approach. We recommend the following immediate actions:

1. Strict Macro Policies: Disable macros from the internet entirely via Group Policy. If macros are necessary for business operations, they should be digitally signed.
2. Network Segmentation: Restrict lateral movement. Critical servers should not be reachable from user workstations where phishing emails are opened.
3. Egress Filtering: Implement strict firewall rules to limit outbound traffic to known necessary IP addresses and domains. Monitor closely for traffic to non-standard ports over HTTP/HTTPS.
4. Script Block Logging: Ensure PowerShell Script Block Logging is enabled across the enterprise. This is the single most effective telemetry source for catching these attacks.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub