A DNS Exploration of Operation Olalampo

MuddyWater has been in the APT business for some time now. And this time, it set its sights on organizations and individuals primarily across the MENA region, leveraging ongoing geopolitical tensions. Dubbed “Operation Olalampo,” the threat actors deployed new malware variants and used Telegram bots for C&C.

Group-IB published their analysis of the threat, including seven network IoCs comprising four domains and three IP addresses, which we dove into further. Note that, with the aid of the WhoisXML API MCP Server, we checked whether any of the domains were owned by legitimate entities. None of them were, so we did not exclude any of them from our investigation.

Our DNS exploration into the IoCs led to these findings:

  • 10 unique potential victim IP addresses communicated with one of the IP addresses identified as IoCs
  • 2,530 email-connected domains
  • Six additional IP addresses, all of which turned out to be malicious
  • 55 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Deep Dive into the Operation Olalampo Domain IoCs

We began our investigation by looking more closely at the four domains identified as IoCs.

We queried them on WHOIS API and found that:

  • They were created between 28 October 2025 and 2 February 2026, making them all relatively new when they were used for the campaign.
  • They were all administered by Namecheap.
  • They were all registered in Iceland.

DNS Chronicle API queries for the domains revealed that three of them recorded a combined 27 historical domain-to-IP resolutions, a volume consistent with their ages. The details are below.

Domain IoC                  Domain-to-IP resolutions   Dates seen (MM/DD/YY)
jerusalemsolutions[.]com    16                         10/29/25 – 02/23/26
miniquest[.]org              9                         01/29/26 – 02/11/26
codefusiontech[.]org         2                         02/03/26 – 02/07/26

An Investigation of the Operation Olalampo IP IoCs

We then sought more information about the three IP addresses identified as IoCs.

First, sample network data from the IASC showed that 10 unique IP addresses, possibly owned by victims and spread across three distinct ASNs, communicated with one of the IP addresses tagged as IoCs between 25 January and 25 February 2026.

We queried them on Bulk IP Geolocation Lookup and discovered that:

  • They were all geolocated in the U.S., a far cry from the registrant country.
  • They were administered by two ISPs.

DNS Chronicle API queries for the IP addresses revealed that two of them recorded a combined 1,017 historical IP-to-domain resolutions. Here are more details.

IP IoC               IP-to-domain resolutions   Dates seen (MM/DD/YY)
162[.]0[.]230[.]185  1,000                      09/05/20 – 07/24/21
209[.]74[.]87[.]100  17                         03/10/25 – 05/10/25

A DNS Sweep for New Operation Olalampo Artifacts

We then used a variety of solutions to gather as many new potentially connected artifacts as possible.

First, we queried the four domains identified as IoCs on WHOIS History API. We found seven unique email addresses across their historical WHOIS records. Further scrutiny revealed that one of them was a public email address.

A Reverse WHOIS API query for the sole public email address allowed us to collate 2,530 unique email-connected domains after those already tagged as IoCs were filtered out.

Next, we queried the domains named as IoCs on DNS Lookup API and discovered that three resolved to six unique additional IP addresses (i.e., not on the IoC list).

Threat Intelligence API queries for the additional IP addresses showed that all of them have already been weaponized for various attacks.
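The sweep above is a sequence of pivots over lookup output: count each domain IoC's historical resolutions with first- and last-seen dates, collect the IP addresses the domains resolve to that are not already IoCs, and collate domains that share a WHOIS email with an IoC while filtering the IoCs themselves out. The script below is an added example and not WhoisXML API's code; it calls none of their products. The IoC values are the ones the post publishes (kept defanged), the passive-DNS and WHOIS-history rows are constructed sample data using documentation-range IPs and made-up email addresses, and the function names are our own. It also adds the check implied by "consistent with their ages": resolution history that predates the WHOIS creation date points at a re-registered domain whose older records belong to a previous owner.

```python
"""Passive-DNS and WHOIS pivoting over a defanged IoC list.

Added example, not WhoisXML API's code, and it calls none of their products.
It reproduces the pivots described in the post over a small constructed
record set so it runs offline; swap the SAMPLE_* lists for real lookup output.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import date

# Domain and IP IoCs from the post, kept in the defanged form it publishes.
IOC_DOMAINS = {"jerusalemsolutions[.]com", "miniquest[.]org", "codefusiontech[.]org"}
IOC_IPS = {"162[.]0[.]230[.]185", "209[.]74[.]87[.]100"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into a literal value."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def defang(indicator: str) -> str:
    """Defang a value before it goes into a report so it cannot be clicked."""
    return indicator.replace(".", "[.]")


@dataclass(frozen=True)
class Resolution:
    """One passive-DNS record: domain -> ip, with the window it was observed in."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample records (documentation-range IPs, NOT real history).
SAMPLE_RESOLUTIONS = [
    Resolution("jerusalemsolutions.com", "198.51.100.10", date(2025, 10, 29), date(2025, 12, 1)),
    Resolution("jerusalemsolutions.com", "198.51.100.11", date(2025, 12, 2), date(2026, 2, 23)),
    Resolution("miniquest.org", "203.0.113.5", date(2026, 1, 29), date(2026, 2, 11)),
    Resolution("codefusiontech.org", "209.74.87.100", date(2026, 2, 3), date(2026, 2, 7)),
    Resolution("unrelated.example", "198.51.100.10", date(2025, 1, 1), date(2025, 6, 1)),
]
# Constructed WHOIS-history rows: (domain, registrant email). Made-up addresses.
SAMPLE_WHOIS = [
    ("jerusalemsolutions.com", "reg-1@privacy.example"),
    ("miniquest.org", "someone@webmail.example"),
    ("other-site.example", "someone@webmail.example"),
    ("third-site.example", "someone@webmail.example"),
    ("codefusiontech.org", "reg-2@privacy.example"),
]


def summarize(records, ioc_domains):
    """Per-domain resolution count and first/last-seen dates, as in the post's tables."""
    wanted = {refang(d) for d in ioc_domains}
    out: dict[str, dict] = {}
    for r in records:
        if r.domain not in wanted:
            continue
        row = out.setdefault(r.domain, {"count": 0, "first": r.first_seen, "last": r.last_seen})
        row["count"] += 1
        row["first"] = min(row["first"], r.first_seen)
        row["last"] = max(row["last"], r.last_seen)
    return out


def additional_ips(records, ioc_domains, ioc_ips):
    """IPs the IoC domains resolved to that are not already on the IoC list."""
    wanted = {refang(d) for d in ioc_domains}
    known = {refang(i) for i in ioc_ips}
    found = set()
    for r in records:
        if r.domain in wanted and r.ip not in known:
            ipaddress.ip_address(r.ip)  # raises on garbage before it reaches a blocklist
            found.add(r.ip)
    return sorted(found)


def email_connected_domains(whois_rows, pivot_email, ioc_domains):
    """Reverse-WHOIS pivot: domains sharing an email, minus those already IoCs."""
    wanted = {refang(d) for d in ioc_domains}
    return sorted({d for d, e in whois_rows if e == pivot_email and d not in wanted})


def history_consistent(created: date, first_seen: date) -> bool:
    """Passive-DNS history should not predate WHOIS creation; if it does, the
    domain was likely re-registered and older records belong to a previous owner."""
    return first_seen >= created


if __name__ == "__main__":
    for dom, row in summarize(SAMPLE_RESOLUTIONS, IOC_DOMAINS).items():
        print(f"{defang(dom):28} {row['count']:>3} {row['first']} to {row['last']}")
    print("additional IPs:", [defang(ip) for ip in additional_ips(SAMPLE_RESOLUTIONS, IOC_DOMAINS, IOC_IPS)])
    print("email-connected:", email_connected_domains(SAMPLE_WHOIS, "someone@webmail.example", IOC_DOMAINS))
```

Two design points: every comparison is done on refanged values so a list copied from a report and a list pulled from a lookup match, and `additional_ips` validates each address before it is returned, because these lists typically end up in a blocklist where a malformed entry can break parsing. Any IP this pivot yields still deserves the reputation check the post performs before it is blocked.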

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
