Malware · Used by 1 actor

HTTP_VIP

HTTP_VIP is a native Windows downloader associated with the Iranian state-linked threat actor MuddyWater in Group-IB’s Operation Olalampo, first observed in January 2026. It was delivered through phishing campaigns using malicious Microsoft Office documents and macro-enabled lures, including themed documents such as airline tickets and reports, after victims were tricked into enabling macros. In documented attack chains, HTTP_VIP served as an initial downloader and command-and-control communicator that conducted system reconnaissance, connected to hardcoded external infrastructure including codefusiontech[.]org to authenticate, and deployed the legitimate remote management tool AnyDesk from the C2 server. Reported newer variants were capable of gathering victim information and instructions, executing commands via an interactive shell, transferring files, capturing clipboard contents, and updating sleep or beaconing intervals. The malware was part of a broader MuddyWater toolset in the campaign that also included GhostFetch, GhostBackDoor, and the Rust-based CHAR backdoor. Operation Olalampo primarily targeted organizations and individuals across the Middle East and North Africa, with broader reporting linking MuddyWater targeting to diplomatic, maritime, financial, telecom, and critical infrastructure sectors in countries including Israel, Egypt, the UAE, and Turkmenistan. A known infrastructure indicator directly mentioned for HTTP_VIP is codefusiontech[.]org.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
MuddyWater

MuddyWater's Operation Olalampo deployed GhostFetch as a first-stage in-memory downloader, HTTP_VIP as a Windows-native downloader using hardcoded C2s for AnyDesk RMM delivery...

(via Centripetal threat research, centripetal.ai)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1566 Phishing (evidence: 3)

From February to July 2024, more than 50 phishing emails were observed across 10+ sectors with hundreds of recipients.

T1566.001 Spearphishing Attachment (evidence: 7)

Initial Access: Spear-phishing with malicious Word docs/VBA macros (T1566.001), macro execution (T1204.002).

Execution (2 techniques)

T1059 Command and Scripting Interpreter (evidence: 1)

"GhostBackDoor ... supports an interactive shell"; "retrieve instructions to start an interactive shell"

T1204.002 Malicious File (evidence: 6)

Initial Access: Spear-phishing with malicious Word docs/VBA macros (T1566.001), macro execution (T1204.002).

Discovery (1 technique)

T1082 System Information Discovery (evidence: 3)

"GhostFetch ... profiles the system"; "HTTP_VIP ... conducts system reconnaissance"; "adds the ability to retrieve victim information"

Collection (1 technique)

T1115 Clipboard Data (evidence: 1)

"capture clipboard contents"

Command and Control (5 techniques)

T1071 Application Layer Protocol (evidence: 1)

Sekoia TDR (July 2024) independently documented the same implant under the name MuddyRot, with matching characteristics: mutex "DocumentUpdater", TCP port 443, and identical string obfuscation logic.

T1071.001 Web Protocols (evidence: 5)

Command & Control / Exfiltration: Custom C2 (HTTP, encrypted channels), data staging (T1071.001, T1041).

T1102.002 Bidirectional Communication (evidence: 1)

"The campaign used phishing, post-exploitation tooling, and Telegram-based command and control..."

T1105 Ingress Tool Transfer (evidence: 2)

"GhostFetch ... fetches and executes secondary payloads directly in memory"; "GhostFetch downloader, which then downloads GhostBackDoor"; "HTTP_VIP ... authenticate and deploy AnyDesk from the C2 server"

T1219 Remote Access Tools (evidence: 2)

"...HTTP_VIP downloader that subsequently deploys the AnyDesk remote desktop software."

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (evidence: 1)

Command & Control / Exfiltration: Custom C2 (HTTP, encrypted channels), data staging (T1071.001, T1041).
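The summary above and the T1105/T1219/T1071.001 entries describe a chain a defender can check for in web-proxy telemetry: an Office process reaching out after macro execution, contact with the tracked C2 domain, and an AnyDesk binary being fetched from that C2 rather than from the vendor. The script below is an added example, not code from the page, Mallory or Group-IB; it runs over constructed proxy log lines in an assumed format. The C2 domain is the indicator given on the page (kept defanged and refanged only at match time); the allowlist of legitimate AnyDesk download hosts and the log format are assumptions for this example.

```python
"""Proxy-log detection for the HTTP_VIP chain (added example, assumptions labelled)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Indicator taken from the page; stored defanged so it cannot be clicked/resolved by accident.
DEFANGED_IOCS = ["codefusiontech[.]org"]

# Assumption: the only hosts an AnyDesk binary should legitimately be fetched from.
ANYDESK_ALLOWED_HOSTS = {"anydesk.com", "download.anydesk.com"}

# Office processes whose direct download of an executable is worth flagging (T1204.002).
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'example[.]org' into a matchable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Assumed (constructed) log format: "<ts> <src_ip> <process> <method> <host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass
class Alert:
    src: str
    host: str
    reasons: list


def host_matches_ioc(host: str) -> bool:
    """Exact match or any subdomain of a tracked IOC domain."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)


def is_anydesk_download(path: str) -> bool:
    """True when the requested file name looks like an AnyDesk installer."""
    name = path.lower().rsplit("/", 1)[-1]
    return name.startswith("anydesk") and name.endswith(".exe")


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert with every reason that fires for one log line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, path, proc = m["host"].lower(), m["path"], m["proc"].lower()
    reasons = []
    if host_matches_ioc(host):
        reasons.append("contact with tracked HTTP_VIP C2 domain (T1071.001)")
    if is_anydesk_download(path) and host not in ANYDESK_ALLOWED_HOSTS:
        reasons.append("AnyDesk binary fetched from non-vendor host (T1105/T1219)")
    if proc in OFFICE_PROCS and path.lower().endswith(".exe"):
        reasons.append("Office process downloading an executable (T1204.002)")
    return Alert(m["src"], host, reasons) if reasons else None


def scan(lines: Iterable[str]) -> list:
    """Run check_line over a log stream and keep only lines that raised an alert."""
    return [a for a in (check_line(l) for l in lines) if a is not None]


# Constructed sample log: two suspicious hosts, one benign vendor download, one benign page.
SAMPLE_LOG = """\
2026-01-14T09:12:01Z 10.0.0.21 winword.exe GET codefusiontech.org /api/auth 200
2026-01-14T09:12:09Z 10.0.0.21 svchost.exe GET cdn.codefusiontech.org /files/AnyDesk.exe 200
2026-01-14T09:15:44Z 10.0.0.33 chrome.exe GET download.anydesk.com /AnyDesk.exe 200
2026-01-14T09:16:02Z 10.0.0.33 chrome.exe GET example.com /index.html 200
2026-01-14T09:20:17Z 10.0.0.44 winword.exe GET updates.example.test /report.exe 200
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"{alert.src} -> {alert.host}: {'; '.join(alert.reasons)}")
```

Matching on subdomains as well as the exact IOC matters because staging hosts are often placed under the same registered domain; the AnyDesk rule is deliberately an allowlist check rather than an IOC match, so it still fires once the C2 domain changes.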

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (1 tracked): IPs, domains, and DNS infrastructure linked to this family.

Type: domain | Value: ●●●●●●●●●●●● | Latest sighting: 3 months ago