{"id":60,"date":"2026-02-26T13:09:26","date_gmt":"2026-02-26T13:09:26","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=60"},"modified":"2026-02-26T13:09:26","modified_gmt":"2026-02-26T13:09:26","slug":"muddywater-targets-mena-organizations-with-ghostfetch-char-and-http_vip","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=60","title":{"rendered":"MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Feb 23, 2026<\/span><\/span><span class=\"p-tags\">Threat Intelligence \/ Artificial Intelligence<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgk6M5M47ZmJ-KuhYC2JC8UwHjdNPLoS3oSeT38cnI8sCmd9NbNFmjNh8qCUXxC7XexLVdUBTBsEIELNLfj2nM-LTRKJajmvwbdehC_bNch-kE98Py-CaDoSAZHCxQztFszsWePupECSqKuasUv8lu9IXYhg8qAS2V7ojLqicNp_HRnyhnc74n_vWYHeEQ-\/s1700-e365\/muddy.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><\/a><\/div>\n<p>The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted several organizations and individuals mainly located across the Middle East and North Africa (MENA) region as part of a new campaign codenamed <strong>Operation Olalampo<\/strong>.<\/p>\n<p>The activity, first observed on January 26, 2026, has resulted in the deployment of new malware families that share overlapping samples previously identified as used by the threat actor, according to a report published by Group-IB. These include downloaders like GhostFetch and HTTP_VIP, along with a Rust backdoor called CHAR and an advanced implant codenamed GhostBackDoor that&#8217;s dropped by GhostFetch.<\/p>\n<p>\u00abThese attacks follow similar patterns and align with the killchains previously observed in MuddyWater attacks; starting with a phishing email with a Microsoft Office document attached to it that contains malicious macro code that decodes the embedded payload and drops it on the system and executes it, providing the adversary with remote control of the system,\u00bb the company <a href=\"https:\/\/www.group-ib.com\/blog\/muddywater-operation-olalampo\/\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/p>\n<p>One such attack chain employing a malicious Microsoft Excel document prompts users to enable macros in order to activate the infection and ultimately drop CHAR. Another variant of the same attack has been found to lead to the deployment of the GhostFetch downloader, which then downloads GhostBackDoor.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/sse-customer-awards-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg5Ij_-TeqFMEsRFzgRRFzSRlVK6oHCncN_eJ2fkOdsA_1tN9HQbAlEEife2Z2JUt1lPv4st5n9KZP84jGEYY9Up6BQ7QE-N5rs6OhzL5thxGzVxnMx3JH9cGRLi9S5Kl-iV5PgjBeTdkBLnv_inF8UUAo88iqdmgJuPIc_6qiPyUMXwFyZWbZvkZkcRXSw\/s728-e100\/gartner-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>A third version of the attack leverages themes such as flight tickets and reports, in contrast to using lures mimicking an energy and marine services company in the Middle East, to distribute the HTTP_VIP downloader that subsequently deploys the AnyDesk remote desktop software.<\/p>\n<p><a name=\"more\"\/><\/p>\n<p>A brief description of the four tools is as follows &#8211;<\/p>\n<ul>\n<li><strong>GhostFetch<\/strong>, a first-stage downloader that profiles the system, validates mouse movements and checks screen resolution, checks for the presence of debuggers, virtual machine artifacts, and antivirus software, and fetches and executes secondary payloads directly in memory.<\/li>\n<li><strong>GhostBackDoor<\/strong>, a second-stage backdoor delivered by GhostFetch that supports an interactive shell, file read\/write, and re-run GhostFetch.<\/li>\n<li><strong>HTTP_VIP<\/strong>, a native downloader that conducts system reconnaissance, connects to an external server (\u00abcodefusiontech[.]org\u00bb) to authenticate and deploy AnyDesk from the C2 server. A new variant of the malware also adds the ability to retrieve victim information and retrieve instructions to start an interactive shell, download\/upload files, capture clipboard contents, and update the sleep\/beaconing interval.<\/li>\n<li><strong>CHAR<\/strong>, a Rust backdoor that&#8217;s controlled by a Telegram bot (whose first name is \u00abOlalampo\u00bb and username is \u00abstager_51_bot\u00bb) to change directory and execute a cmd.exe or PowerShell command.<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi9codiElaXflP03LdRbTq-nazzyJg9afA33hoJJJYw6SEgccvJ3Mb801nozDT8dzpn6WnkEWlnTvHH5ZNGPIIvLsX32d2lga5MUukWPeZ3MQl2_gJdF5a7shBN1c1YUp-clQD-JvVck2t8az-B0JimfGW5BvZZQPkydZoW2thBVF9Su75pVtwGCNU_cvHy\/s1700-e365\/killchain.jpg\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi9codiElaXflP03LdRbTq-nazzyJg9afA33hoJJJYw6SEgccvJ3Mb801nozDT8dzpn6WnkEWlnTvHH5ZNGPIIvLsX32d2lga5MUukWPeZ3MQl2_gJdF5a7shBN1c1YUp-clQD-JvVck2t8az-B0JimfGW5BvZZQPkydZoW2thBVF9Su75pVtwGCNU_cvHy\/s1700-e365\/killchain.jpg\" alt=\"\" border=\"0\" data-original-height=\"1550\" data-original-width=\"1680\"\/><\/a><\/div>\n<p>The PowerShell command is designed to execute a SOCKS5 reverse proxy or another backdoor named Kalim, upload data stolen from web browsers, and run unknown executables referred to as \u00absh.exe\u00bb and \u00abgshdoc_release_X64_GUI.exe.\u00bb<\/p>\n<p>Group-IB&#8217;s analysis of CHAR&#8217;s source code has revealed signs of artificial intelligence (AI)-assisted development owing to the presence of emojis in debug strings, a finding that&#8217;s consistent with Google&#8217;s revelations last year that the threat actor is experimenting with generative AI tools to facilitate the development of custom malware to support file transfer and remote execution.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ztw-hands-on-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhC66R4wPZ8qksTJukqlCCmrHCUX65DnpWW1nKnkOhy0Poe219tacbU6h09qEfUgRHxoObBazf3SVJ4OAd_iVd0EFecj-vskZSfroQ7rh0XyxQd6Ep_zNgqDW95YU4zG1Gpin8rHPK8Rqu_1KV7tf-G-7JJhxOVHhRJDWnj0qfq82uZSAvAG2rxK-Fe5fwd\/s728-e100\/ThreatLocker-d.png\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Another notable aspect is that CHAR shares a similar structure and development environment as the Rust-based malware BlackBeard (aka Archer RAT and RUSTRIC), which was flagged by CloudSEK and Seqrite Labs as put to use by the threat actor to target various entities in the Middle East.<\/p>\n<p>MuddyWater has also been observed exploiting recently disclosed vulnerabilities on public-facing servers as a way to obtain initial access to target networks.<\/p>\n<p>\u00abThe MuddyWater APT group remains an active threat within the META [Middle East, Turkey, and Africa] region, with this operation primarily targeting organizations in the MENA region,\u00bb Group-IB concluded. \u00abThe group&#8217;s continued adoption of AI technology, combined with continued development of custom malware and tooling and diversified command-and-control (C2) infrastructures, underscores their dedication and intent to expand their operations.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Feb 23, 2026Threat Intelligence \/ Artificial Intelligence The Iranian hacking group known as MuddyWater (aka Earth Vetala, Mango Sandstorm, and MUDDYCOAST) has targeted several organizations and individuals mainly located&hellip;<\/p>\n","protected":false},"author":1,"featured_media":61,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[164,163,165,161,160,162,78],"class_list":["post-60","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-char","tag-ghostfetch","tag-http_vip","tag-mena","tag-muddywater","tag-organizations","tag-targets"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/60","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=60"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/60\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/61"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=60"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=60"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=60"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}