MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIP

Published: (February 23, 2026 at 02:25 AM EST)
4 min read

Source: The Hacker News

By Ravie Lakshmanan | Feb 23, 2026 | Threat Intelligence / Artificial Intelligence


New Malware Families

According to a report from Group‑IB, the campaign deploys several new malware families that share code with previously‑identified MuddyWater samples:

  • GhostFetch – a first‑stage downloader that profiles the system, validates mouse movements, checks screen resolution, looks for debuggers, virtual‑machine artifacts, and antivirus software, then fetches and executes secondary payloads directly in memory.
  • GhostBackDoor – a second‑stage backdoor delivered by GhostFetch; it provides an interactive shell, file read/write capabilities, and can re‑run GhostFetch.
  • HTTP_VIP – a native downloader that performs system reconnaissance, contacts an external server (codefusiontech[.]org) for authentication, and deploys AnyDesk from the C2 server. A newer variant can also retrieve victim information, start an interactive shell, download/upload files, capture clipboard contents, and adjust the sleep/beaconing interval.
  • CHAR – a Rust backdoor controlled via a Telegram bot (first name “Olalampo”, username stager_51_bot) that can change directories and execute cmd.exe or PowerShell commands.

“These attacks follow similar patterns and align with the kill‑chains previously observed in MuddyWater operations: a phishing email with a Microsoft Office document containing a malicious macro that decodes the embedded payload, drops it on the system, and gives the adversary remote control,” – Group‑IB.

Typical Attack Chains

  1. Malicious Excel document – prompts the user to enable macros; the macro then drops the CHAR backdoor.
  2. GhostFetch variant – the macro drops GhostFetch, which profiles the host and, if it passes the anti‑analysis checks, downloads and runs GhostBackDoor in memory.
  3. HTTP_VIP variant – a phishing lure themed around an energy or marine services company (a further variant instead uses flight‑ticket and report themes) delivers the HTTP_VIP downloader, which then installs AnyDesk for remote access.
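The families and chains above share a small set of behaviours a defender can key on: an Office process spawning a script host, an encoded PowerShell command line, an outbound connection to the HTTP_VIP authentication domain, a remote‑access tool launched from that process chain, and (for CHAR) a non‑browser process talking to the Telegram Bot API. The following is an added example written for this page, not Group‑IB's tooling or anything from the report; it runs simple detection logic over constructed events shaped like Sysmon process‑create (ID 1) and network‑connect (ID 3) records. The process names, PIDs, paths and the Telegram Bot API host `api.telegram.org` are assumptions for illustration; `codefusiontech.org` is the domain the report names (defanged there).

```python
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
REMOTE_TOOLS = {"anydesk.exe"}
TELEGRAM_BOT_HOST = "api.telegram.org"   # Telegram Bot API endpoint (assumed C2 channel for CHAR)
KNOWN_C2 = {"codefusiontech.org"}        # HTTP_VIP authentication server named in the report

# -e / -ec / -enc / -EncodedCommand followed by a long base64 blob (ExecutionPolicy does not match)
ENCODED_PS = re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?|c)?\s+[A-Za-z0-9+/=]{20,}", re.I)


@dataclass(frozen=True)
class Event:
    eid: int                 # Sysmon numbering: 1 = process create, 3 = network connect
    pid: int
    image: str
    parent_pid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    dest_host: str = ""


def _name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, severity, pid, detail) tuples. Events must be in time order."""
    alerts = []
    lineage = {}  # pid -> parent chain, for every process descended from an Office-spawned script host

    def emit(rule, e, detail):
        severity = "high" if e.pid in lineage else "medium"
        alerts.append((rule, severity, e.pid, detail))

    for e in events:
        img = _name(e.image)
        if e.eid == 1:
            par = _name(e.parent_image)
            if par in OFFICE_PARENTS and img in SCRIPT_HOSTS:
                lineage[e.pid] = f"{par}>{img}"          # macro dropped and ran something
                emit("office_macro_spawn", e, lineage[e.pid])
            elif e.parent_pid in lineage:
                lineage[e.pid] = f"{lineage[e.parent_pid]}>{img}"  # taint propagates to children
            if img in POWERSHELL and ENCODED_PS.search(e.cmdline):
                emit("encoded_powershell", e, e.cmdline[:60])
            if img in REMOTE_TOOLS and (par in SCRIPT_HOSTS or e.parent_pid in lineage):
                emit("remote_tool_from_script_chain", e, lineage.get(e.pid, par))
        elif e.eid == 3:
            host = e.dest_host.lower()
            if host == TELEGRAM_BOT_HOST and img not in BROWSERS:
                emit("telegram_bot_api_non_browser", e, f"{img} -> {host}")
            if host in KNOWN_C2 or any(host.endswith("." + d) for d in KNOWN_C2):
                emit("known_c2_domain", e, f"{img} -> {host}")
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
B64 = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"   # constructed base64 blob, not a real payload

SAMPLE_EVENTS = [  # constructed to mirror the chain in the report; PIDs and paths are made up
    Event(1, 1200, EXCEL, 800, r"C:\Windows\explorer.exe"),
    Event(1, 1300, r"C:\Windows\System32\cmd.exe", 1200, EXCEL,
          cmdline=f"cmd.exe /c powershell -w hidden -enc {B64}"),
    Event(1, 1400, PS, 1300, r"C:\Windows\System32\cmd.exe",
          cmdline=f"powershell -w hidden -enc {B64}"),
    Event(3, 1400, PS, dest_host="codefusiontech.org"),
    Event(1, 1500, r"C:\Users\victim\AppData\Roaming\AnyDesk\AnyDesk.exe", 1400, PS),
    Event(3, 1600, r"C:\Users\victim\AppData\Local\Temp\update.exe", dest_host="api.telegram.org"),
    Event(3, 2000, r"C:\Program Files\Google\Chrome\Application\chrome.exe", dest_host="api.telegram.org"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The lineage map is the part worth keeping: a single Office‑to‑cmd.exe spawn is noisy on its own, but once the chain is tagged, the later encoded PowerShell, the C2 connection and the AnyDesk launch all inherit it and come out at high severity, while a browser hitting the Telegram API or an unrelated process doing so is left at medium for triage.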

Kill‑Chain Illustration

The PowerShell command used in the final stage of the kill chain can:

  • Launch a SOCKS5 reverse proxy or another backdoor named Kalim.
  • Upload data stolen from web browsers.
  • Execute unknown binaries (sh.exe and gshdoc_release_X64_GUI.exe).

AI‑Assisted Development

Group‑IB’s analysis of CHAR’s source code revealed AI‑assisted development: the debug strings contain emojis, a hallmark of generative‑AI‑aided coding. This aligns with Google’s 2025 revelation that MuddyWater has been experimenting with generative AI tools for custom malware development.
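Two of the indicators this section relies on, emoji in embedded log strings and a shared Rust build environment, can be pulled out of a binary with plain string extraction, provided the extractor understands UTF‑8 (the classic `strings` tool, run in ASCII mode, drops the multibyte emoji that are the whole point). The following is an added triage helper written for this page, not Group‑IB's method; it decodes printable ASCII and well‑formed UTF‑8 runs from a byte blob, flags strings carrying emoji code points, and collects Rust toolchain and cargo registry paths, whose embedded user directories are one way a "shared development environment" shows up. The sample blob, the strings in it and the `Users\dev` path are constructed, not from any real sample.

```python
import re

MIN_LEN = 6
# Runs of printable ASCII or structurally valid UTF-8 multibyte sequences, MIN_LEN+ code points
UTF8_RUN = re.compile(
    rb"(?:[\x20-\x7e]|[\xc2-\xdf][\x80-\xbf]|[\xe0-\xef][\x80-\xbf]{2}"
    rb"|[\xf0-\xf4][\x80-\xbf]{3}){%d,}" % MIN_LEN)

EMOJI_BLOCKS = (  # Unicode blocks that hold the emoji commonly seen in chatty log strings
    (0x2600, 0x27BF),    # Miscellaneous Symbols, Dingbats (e.g. U+2705, U+274C)
    (0x1F300, 0x1F5FF),  # Miscellaneous Symbols and Pictographs
    (0x1F600, 0x1F64F),  # Emoticons
    (0x1F680, 0x1F6FF),  # Transport and Map Symbols
    (0x1F900, 0x1FAFF),  # Supplemental Symbols and Pictographs, Symbols and Pictographs Extended-A
)

# Rust panics/fmt embed toolchain source paths; crates from cargo embed registry paths
RUST_PATH = re.compile(
    r"(?:/rustc/[0-9a-f]{40}/|[\\/]\.cargo[\\/]registry[\\/]src[\\/]|[\\/]src[\\/][A-Za-z0-9_]+\.rs)")
USER_DIR = re.compile(r"(?:Users|home)[\\/]([^\\/]+)[\\/]")


def is_emoji(ch: str) -> bool:
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in EMOJI_BLOCKS)


def extract_strings(blob: bytes):
    """UTF-8-aware equivalent of `strings`: returns decoded runs of MIN_LEN+ code points."""
    return [m.group().decode("utf-8", errors="replace") for m in UTF8_RUN.finditer(blob)]


def triage(blob: bytes) -> dict:
    strings = extract_strings(blob)
    emoji_strings = [s for s in strings if any(is_emoji(c) for c in s)]
    rust_paths = [s for s in strings if RUST_PATH.search(s)]
    user_dirs = sorted({m.group(1) for s in rust_paths for m in USER_DIR.finditer(s)})
    return {
        "strings": len(strings),
        "emoji_strings": emoji_strings,
        "emoji_ratio": len(emoji_strings) / len(strings) if strings else 0.0,
        "rust_paths": rust_paths,
        "user_dirs": user_dirs,   # usernames leaked through cargo/home paths
    }


SAMPLE_BLOB = (  # constructed stand-in for a stripped binary's read-only data; not a real sample
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + "\u2705 Connected to bot".encode("utf-8") + b"\x00"
    + "\u274c Failed to change directory: ".encode("utf-8") + b"\x00"
    + b"GetProcAddress\x00kernel32.dll\x00"
    + b"/rustc/abcdef0123456789abcdef0123456789abcdef01/library/core/src/fmt/mod.rs\x00"
    + b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-0000000000000000"
    + b"\\somecrate-0.1.0\\src\\client.rs\x00"
    + b"\x80\x81\xff\xfe" + b"\x00" * 4
)

if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    print(f"{report['strings']} strings, {len(report['emoji_strings'])} with emoji "
          f"({report['emoji_ratio']:.0%}), {len(report['rust_paths'])} Rust paths, "
          f"user dirs: {report['user_dirs']}")
    for s in report["emoji_strings"]:
        print("  emoji:", s)
```

Treat the emoji ratio as a triage hint rather than proof: a hand‑written tool with a playful author produces the same strings, and a packed or string‑encrypted sample produces none until it is unpacked. The Rust paths are more robust; they come from the panic and formatting machinery and survive unless the binary was built with paths remapped.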


The CHAR backdoor shares a development environment and code structure with the Rust‑based malware BlackBeard (also known as Archer RAT and RUSTRIC), previously flagged by CloudSEK and Seqrite Labs as MuddyWater’s tool for targeting entities in the Middle East.

Additional Observations

  • MuddyWater has been exploiting recently disclosed vulnerabilities on public‑facing servers to gain initial access.
  • The group continues to diversify its command‑and‑control (C2) infrastructure and adopt AI‑driven tooling.

“The MuddyWater APT group remains an active threat within the META (Middle East, Turkey, and Africa) region, with this operation primarily targeting organizations in the MENA region. Their continued adoption of AI technology, combined with custom malware development and diversified C2 infrastructures, underscores their dedication and intent to expand their operations.” – Group‑IB
