Iran's MuddyWater Targets Orgs With Fresh Malware as Tensions Mount - Dark Reading
Iran's MuddyWater Targets Orgs With Fresh Malware as Tensions Mount
The long-active Iranian threat group debuted various attack strains and payloads in attacks against organizations in the Middle East and Africa.
Elizabeth Montalbano, Contributing Writer
February 23, 2026
As the US prepares for a possible military strike against Iran, the nation-state threat group MuddyWater is wasting no time ramping up its cyber offensive against organizations in the Middle East and Africa region with an emerging attack campaign delivering several new strains of custom malware.
The campaign, dubbed Operation Olalampo, starts with the group's typical entry tactic — spear-phishing emails — and ends with the deployment of one of several strains of never-before-seen second-stage loader and backdoor malware, according to a report by Group-IB published Friday.
Olalampo "targeted multiple organizations and individuals primarily across the MENA region, aligning with the ongoing geopolitical tensions," according to the blog post. There is also evidence that MuddyWater, which is tied to Iran's Ministry of Intelligence and Security (MOIS), deviated from its typical entry tactic and additionally tried to exploit flaws in public-facing servers as part of the activity, which the researchers first discovered on Jan. 26.
One of the new malware strains, the Char backdoor, used a Telegram bot as a command-and-control (C2) channel, which gave researchers "valuable insight into MuddyWater’s post-exploitation activity," according to the report. This insight showed that the infrastructure in the campaign was reused, one of the hallmarks of MuddyWater that contributed to the researchers identifying the perpetrator.
Moreover, as is the case with a number of recent threat campaigns, Olalampo showed signs of artificial intelligence (AI)-assisted development in the malware, demonstrating that this is likely to be the norm and not the exception going forward, according to Group-IB.
Delivery of AI-Developed Malware
Attacks in the campaign started typically for MuddyWater — with a targeted spear-phishing email, this time employing one of several Microsoft Office documents with malicious macros that decode the payload, drop it onto the system, and execute it. Ultimately, the malware dropped by the campaign gave MuddyWater control of the victim's system.
The advanced persistent threat (APT) group used three attack-sequence variations against different targets. The first was a malicious Microsoft Excel document mimicking an energy and marine services company in the Middle East, likely targeting either contractors of the organization or the organization itself.
That attack sequence ultimately led to the deployment of the Char backdoor, a Rust-based backdoor controlled by a Telegram bot, according to Group-IB. The use of Telegram in this way by the group signifies a tactical shift for MuddyWater, according to researchers.
Char also showed signs of AI-enhanced development in one of its command handlers, with the identification of "debug strings containing emojis — a trait rarely seen in human-authored code," according to the report.
"We observed four instances of this anomaly, suggesting that the adversary likely used an AI model to generate specific code segments and failed to sanitize the debug strings before compilation; this can also be seen in the command-and-control logs from the Telegram bot," according to Group-IB.
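One way a defender can turn that observation into a triage check, as an added example that is not from Group-IB's report or the original article: a small script that pulls printable strings out of a binary and flags any that contain emoji code points, so such samples get routed to an analyst. The emoji ranges and the sample bytes are constructed assumptions; the script reports a hint, not proof of AI-generated or malicious code.

```python
import re

# Pragmatic subset of the Unicode emoji blocks (an assumption, not an exhaustive table)
EMOJI_RANGES = (
    (0x2600, 0x27BF),    # Miscellaneous Symbols and Dingbats (check marks, crosses, ...)
    (0x1F300, 0x1FAFF),  # Pictographs, Emoticons, Transport, Supplemental Symbols
)

# Runs of at least four non-control bytes; every byte of a multi-byte UTF-8 sequence is >= 0x80
_RUN = re.compile(rb"[\x20-\x7e\x80-\xff]{4,}")

def is_emoji(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in EMOJI_RANGES)

def extract_strings(data: bytes):
    """Yield printable UTF-8 strings from a binary blob (Rust stores its str data as UTF-8)."""
    for m in _RUN.finditer(data):
        s = m.group().decode("utf-8", errors="ignore")
        if len(s) >= 4:
            yield s

def find_emoji_strings(data: bytes):
    """Return (string, emoji_chars) pairs for every embedded string that carries emoji."""
    hits = []
    for s in extract_strings(data):
        emojis = [c for c in s if is_emoji(c)]
        if emojis:
            hits.append((s, emojis))
    return hits

def triage_verdict(data: bytes, threshold: int = 1) -> str:
    """Label a sample by how many emoji-bearing strings it contains; a hint, not proof."""
    n = len(find_emoji_strings(data))
    return "review: emoji debug strings" if n >= threshold else "no emoji strings"

# Constructed sample: not a real MuddyWater artifact, just bytes shaped like a stripped binary
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + "Listing directory \u2705 {}".encode("utf-8") + b"\x00"
    + "Failed to open file \u274c {}".encode("utf-8") + b"\x00"
    + b"\xff\xfe\x01\x02plain ascii text\x00"
)

if __name__ == "__main__":
    for s, emojis in find_emoji_strings(SAMPLE):
        print(repr(s), "->", emojis)
    print(triage_verdict(SAMPLE))
```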
Other MuddyWater Attack Variants
Another attack variant of Olalampo used a similar document lure to the previous one, but instead of dropping Char, it deployed the GhostFetch downloader. The loader subsequently downloaded the novel GhostBackDoor, an advanced backdoor that adapts its installation based on the environment's privileges.
The third attack variant uses a Microsoft Word document employing multiple themes, such as flight tickets and reports, targeting "individuals of interest and system integrator companies in the Middle East," according to Group-IB. This variant leads to the deployment of a new custom downloader called HTTP_VIP, which then deploys the AnyDesk remote monitoring and management (RMM) tool to take over the targeted system.
"The HTTP_VIP malware is a native downloader that serves as a bridge for further exploitation," according to the post. The malware has a "highly selective" execution flow: it performs system reconnaissance, checks whether the system belongs to a hard-coded domain and terminates if it does, and then performs C2 authentication.
MuddyWater Tightens Its Game
MuddyWater — also known as TA450, Helix Kitten, Seedworm, and other names — is one of Iran's most active and notorious APTs, with roots that stretch as far back as 2017. In its latest attacks, it appears to be tightening its tactics, which used to be somewhat clumsy despite its role as a longtime, prolific threat.
Indeed, MuddyWater has been steadily evolving its activities since it first emerged. Late last year, the group demonstrated stealthier stagecraft that included the use of memory-only loaders, custom backdoors, and techniques designed for defense evasion and persistence. At the time, researchers from ESET said the upgrades marked a significant evolution in the group's capabilities and a departure from its historically noisier operational style.
"The group's continued adoption of AI technology, combined with continued development of custom malware and tooling and diversified C2 infrastructures, underscores their dedication and intent to expand their operations," according to Group-IB.
Defenders can strengthen their position against MuddyWater by using the indicators of compromise (IoCs), YARA rules, and EDR rules set out in Group-IB's report to monitor for group activity. The company also recommended that organizations enhance email and phishing defenses, implement endpoint and access controls, strengthen network and infrastructure security, and create strategic long-term defense measures to reduce the risk of compromise.
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.