⚠️ New Cyber Espionage Operation Targets Organizations Across MENA
Security analysts have uncovered a fresh wave of cyberattacks attributed to the Iran-aligned hacking group commonly tracked as MuddyWater. The campaign, dubbed Operation Olalampo, is primarily focused on organizations and individuals across the Middle East and North Africa.
First detected in late January 2026, the operation introduces updated malware tools while maintaining tactics the group has used in previous espionage campaigns. Researchers say the activity demonstrates continued investment in custom tooling, stealth techniques, and infrastructure designed for long-term access.
📧 Phishing Emails Remain the Entry Point
The attacks typically begin with carefully crafted phishing messages carrying malicious Microsoft Office attachments. Once the attachment is opened, the victim is prompted to enable macros; doing so runs hidden code that installs malware and grants the attackers remote access.
Different lures are used depending on the target. Some messages appear as travel documents or reports, while others impersonate regional companies to appear legitimate and trustworthy.
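As an added illustration of the attachment triage this entry point calls for, not code from the original article or from the researchers it cites: a small Python check that labels an attachment as macro-enabled Office Open XML (it carries a VBA project part), legacy binary Office (which needs a deeper parser before macros can be ruled out), or neither. The sample documents it builds are constructed stubs, not real files from the campaign.

```python
import io
import zipfile

# Legacy binary Office formats (.doc/.xls/.ppt) share the OLE2 compound-file magic.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# In Office Open XML, VBA code lives in a part declared with this content type.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def classify_office_attachment(data: bytes) -> str:
    """Return a triage label for the raw bytes of a mail attachment.

    'ooxml-macro' - Office Open XML container with a VBA project (macro-enabled)
    'ooxml-clean' - Office Open XML container with no VBA part
    'ole2-legacy' - legacy binary Office file; may hold macros, needs a full parser
    'other'       - not an Office container at all
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "other"
            # Check both the part name and the declared content type, so a
            # renamed .docm or an unusual part path is still caught.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "ooxml-macro"
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in types_xml:
                return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "other"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style container, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = '<Override PartName="/word/document.xml" ContentType="text/xml"/>'
        if with_macro:
            overrides += ('<Override PartName="/word/vbaProject.bin" '
                          f'ContentType="{VBA_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-stub")
        zf.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

A mail gateway would quarantine or strip anything labelled ooxml-macro and hand ole2-legacy files to a dedicated parser, since the magic bytes alone cannot tell whether a legacy file carries VBA.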
🧬 Multiple Malware Tools Deployed in Stages
Rather than relying on a single payload, the attackers deploy a chain of tools that work together to infiltrate systems and maintain persistence.
Key components identified include:
🔻 Initial Downloaders
Early-stage malware gathers system details, checks for security tools or virtual environments, and retrieves additional payloads from remote servers.
🕳️ Backdoor Implants
Secondary malware allows attackers to control the infected device, execute commands, and transfer files. These implants can also reinfect the system if initial components are removed.
🌐 Remote Access Deployment
In some cases, the operation installs legitimate remote desktop software to maintain covert access, blending malicious activity with normal administrative tools.
🤖 Telegram-Controlled Backdoor
One variant communicates through a messaging platform bot to receive instructions, enabling attackers to run commands, change directories, or deploy additional tools.
🕵️ Data Theft and Network Control Capabilities
Once inside a system, the malware can perform extensive surveillance and data collection, including:
- Gathering system information
- Uploading or downloading files
- Capturing clipboard data
- Executing shell commands remotely
- Deploying proxy tools to hide attacker traffic
- Extracting browser data and credentials
Some payloads also appear capable of launching additional malware components, expanding the attacker’s control over the environment.
🧠 Evidence of AI-Assisted Malware Development
Researchers found indicators suggesting that parts of the code may have been created or refined using generative AI tools. This aligns with broader trends showing threat actors increasingly experimenting with AI to accelerate malware development and customization.
The malware also shares similarities with previously documented tools linked to the same group, indicating ongoing evolution rather than a completely new toolkit.
🛠️ Exploiting Vulnerabilities for Initial Access
In addition to phishing, the attackers have been observed targeting exposed servers with known security flaws. Exploiting these weaknesses allows them to enter networks without user interaction, increasing the campaign’s reach.
🌍 Persistent Threat in the Region
Experts warn that MuddyWater remains a significant cyber threat across the Middle East, Turkey, and parts of Africa. The group’s strategy focuses on sustained intelligence gathering rather than immediate disruption, suggesting long-term objectives.
Their continued use of custom malware, varied command-and-control channels, and emerging technologies highlights a sophisticated and adaptable operation.
🧭 Final Takeaway
Operation Olalampo underscores how state-linked threat actors continue to refine traditional techniques such as phishing while incorporating newer tools and automation. Organizations in targeted regions should remain vigilant, especially against suspicious email attachments and unpatched systems.
Strengthening email security, enforcing macro restrictions, and maintaining timely patching practices can significantly reduce exposure to these types of campaigns.