Operation Olalampo: Inside MuddyWater’s Latest Campaign

    Date: 02/23/2026

    Severity: High

    Summary

    Operation Olalampo is a 2026 cyber campaign attributed with high confidence to the Iranian APT group MuddyWater, targeting organizations and individuals primarily across the MENA region. The operation deployed new malware variants that maintain technical overlap with the group’s historical tooling, including one strain that used a Telegram bot for command-and-control (C2). Analysis of the bot infrastructure provided visibility into post-exploitation activity—such as executed commands, deployed tools, and data collection—while revealing infrastructure reuse from late 2025, underscoring continuity in MuddyWater’s established tradecraft.

    Indicators of Compromise (IOC) List

    URLs/Domains

    codefusiontech.org

    Promoverse.org

    miniquest.org

    jerusalemsolutions.com

    IP Addresses

    162.0.230.185

    209.74.87.100

    143.198.5.41

    209.74.87.67

    Hashes (SHA-1 and SHA-256; the full set is also carried in Detection Queries 3 and 4 below)


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (domain/URL indicators):

    domainname like "Promoverse.org" or siteurl like "Promoverse.org" or url like "Promoverse.org" or domainname like "miniquest.org" or siteurl like "miniquest.org" or url like "miniquest.org" or domainname like "jerusalemsolutions.com" or siteurl like "jerusalemsolutions.com" or url like "jerusalemsolutions.com" or domainname like "codefusiontech.org" or siteurl like "codefusiontech.org" or url like "codefusiontech.org"

    Detection Query 2 (IP address indicators, source or destination):

    dstipaddress IN ("143.198.5.41","209.74.87.100","162.0.230.185","209.74.87.67") or srcipaddress IN ("143.198.5.41","209.74.87.100","162.0.230.185","209.74.87.67")

    Detection Query 3 (SHA-1 file hashes):

    sha1hash IN ("777040bed9d26f5da97e8977c6efc0586beae064","f5a129ba4141361ca266950dc4adcb2c548aa949","62ed16701a14ce26314f2436d9532fe606c15407","5c1500296857ed0b0bb7230a1cb17993d25ab69b","80cea18e19665c5a57e7b9ca0bf36aad06096e93","d97d21536c061e7a7151a453242d36f3ab196a14","f77499a8fc6e615e21bf111a88c658ba3d5f0f81","ac982b7b46e085e0bb51cba2edb61bff5910b6a8","feb4318a90057d92ea5ab6420ed6164dd9605013","e21564fd0fc3103c1d18b1e1525a0b40e9077d40","2993b0ab9786ddc29eb9cf1ace4a28c6e34ea4fb","ceb9b7dfb8a36ee8fe223063a6e3f730f2dcefd1","88cb6169fd7dd21e6d6aa3a8df0a78938e698028","0365daf83e37d2c6daaae6c28b4c8343288ef2f9","9defffba933fc44f8e3b6e25b31508bc17d29077","92e2f826804d762679b13283102f3560078eb4cb","ea80deaed00c8b71aa0033b00fe0ef5b63840b99","2eea39dbe11889e5713cbca020f7ede653bc48ec","975c763e050d0a9a46f0aafdde66d3e7f0626c5b","56380a652471962387693f4bcc893fd21f0fc324","efb18cf7cf227037e034c0b525f502e642815f94","e3cc95ca6e271ddf04cd88c85051b2cc9ce04e8e","dc785be0c4430bfc5b507255f892bf30134a02b6","0588cf26b6e9210f86a266ac0366af1fd29f135c","8632b62fa14fd679fa97cfe50e6c25696b846129","7d3757d5165e2e95b0b89e33316025a4b9301e2d","e79ccc3f6517c911d6c1df79c94e88896f574e64","3441306816018d08dd03a97ac306fac0200e9152","b55e063607e8f56c9b398b289ba04ddca11398fe","2f5166086da5a57d7e59a767a54ed6fe9a6db444","f4e0f4449dc50e33e912403082e093dd8e4bc55d","9ca11fcbd75420bd7a578e8bf6ef855e7bd0fb8e","06f3b55f0d66913cd53d2f0e76a5e2d67ff8ed04","7bd04218276fc8f375c0ce3be43a710f6a2b4d09","8c592d9ab58264e68dfe029ea90f80862c526670","f779a3b1dcc0c3aacacf7ebfa4ed57d53af7e26c","270dbaedfbeef9333e0780f3c4e74c01392ce381","d3fa50a9eba93a7fbc79e7ad0c4889d762718a5f","392a36717fa948f7e00d35711e8598108fbe2f72","d0d7d0c816753639b5c577aacf14fd2e994b64b0","f449b95830c584cef72dfb60fb78ee3d6c69ecb4","3c47eab6ebe5b48097c0099ff18f2a8bc13c12f7","324918c73b985875d5f974da3471f2a0a4874687")

    Detection Query 4 (SHA-256 file hashes):

    sha256hash IN ("aee523056d602571ff006565b432148715a6a13d098d518ba8131ccbe719c043","3a19c19d9f3bac6628a968110477ee01e5867b2534e914e1be5c4485947bd819")

    Reference: 

    https://www.group-ib.com/blog/muddywater-operation-olalampo/


    Tags: Malware, Threat Actor, APT, Iran, MuddyWater, Telegram
