Malware · 1 attributed actor · 1 correlated CVE

GhostBackDoor

GhostBackDoor is a second-stage backdoor associated with the Iranian state-linked threat actor MuddyWater (also tracked as Seedworm, Earth Vetala, Mango Sandstorm, MUDDYCOAST, TEMP.Zagros, TA450 and G0069). It was documented in MuddyWater's Operation Olalampo campaign, first observed on January 26, 2026. The campaign primarily targeted organizations and individuals across the Middle East and North Africa; related reporting ties the activity to the diplomatic, maritime, energy, finance and telecom sectors and to other critical infrastructure, including a UAE marine and energy company.

In the reported attack chains GhostBackDoor is delivered by the GhostFetch first-stage downloader, typically after a phishing email carrying a malicious Microsoft Office attachment or macro-enabled lure document. Reporting also notes that, in the broader campaign, MuddyWater exploited recently disclosed vulnerabilities on public-facing servers for initial access.

GhostBackDoor is described as a persistent post-exploitation implant: it provides an interactive shell or remote command execution, file read, write and other file manipulation, and the ability to re-run GhostFetch to retrieve additional payloads, so the operator can keep access and stage further tooling after the initial compromise.

Malware and tooling reported alongside GhostBackDoor in the same campaign (high-confidence relation) include GhostFetch, HTTP_VIP, CHAR, AnyDesk, Nuso, UDPGangster, LampoRAT, RustyWater, Phoenix and the Fooder loader. The public reporting summarized here does not publish GhostBackDoor-specific file hashes, mutexes, domains or other unique IOCs.


EXPLOITED CVES

Vulnerabilities exploited

One CVE that Mallory has correlated with this family across public research and vendor advisories; the row links to the full Mallory page for that vulnerability. The correlation is at campaign level: the quoted reporting describes CVE-2025-54068 as an initial-access vector in the MuddyWater campaign that deployed GhostBackDoor, not as a vulnerability exploited by the implant itself.

CVE-2025-54068: unauthenticated RCE in Laravel Livewire v3 hydration (exploited in the wild)

...the threat actor is said to have conducted four distinct waves of attack, leading to the deployment of various malware families, including GhostBackDoor and Nuso... | CVE-2025-54068 (CVSS score: 9.8) - A code injection vulnerability in Laravel Livewire that could allow unauthenticated attackers to achieve remote command execution in specific scenarios. (Fixed in July 2025)

Source: The Hacker News (thehackernews.com)
THREAT ACTORS

Groups observed using it

One threat actor attributed by public researchers; the Mallory entry carries the full evidence chain and overlapping campaigns.
MuddyWater

MuddyWater's Operation Olalampo deployed GhostFetch as a first-stage in-memory downloader, HTTP_VIP as a Windows-native downloader using hardcoded C2s for AnyDesk RMM delivery, GhostBackDoor for persistent post-exploitation C2...

Source: Centripetal threat research (centripetal.ai)
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic. The evidence excerpts are quoted from campaign-level reporting on MuddyWater, and several describe the wider campaign rather than GhostBackDoor itself (for example, the 2024 phishing volume under T1566 and the TWINTALK beaconing under T1071.001), so treat each mapping as campaign context unless the excerpt names the implant. Likewise, "persistent access" in the excerpts under T1547 does not by itself identify an autostart mechanism.

Initial Access

2 techniques
T1566 Phishing (evidence: 3)

From February to July 2024, more than 50 phishing emails were observed across 10+ sectors with hundreds of recipients.

T1566.001 Spearphishing Attachment (evidence: 5)

Initial Access: Spear-phishing with malicious Word docs/VBA macros (T1566.001), macro execution (T1204.002).

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 4)

"GhostBackDoor ... supports an interactive shell"; "retrieve instructions to start an interactive shell"

T1204.002 Malicious File (evidence: 4)

Initial Access: Spear-phishing with malicious Word docs/VBA macros (T1566.001), macro execution (T1204.002).
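As a hunting example for the phishing-to-macro-to-interpreter chain mapped above (T1566.001, T1204.002, T1059), the following Python is added here; it is not code from the page's sources or from any MuddyWater reporting. It scans process-creation events in a Sysmon-Event-1-like JSON shape for an Office parent spawning a script interpreter or other commonly abused binary, and raises the severity when the command line carries markers such as an encoded PowerShell payload or a hidden window. The events, users, paths, command lines and the allowlist of benign Office children are constructed placeholders, not indicators from any report.

```python
"""Office-spawned interpreter hunt over process-creation events.

Added example, not code from the page's sources. Input is one JSON object
per line with Sysmon Event 1 style field names (UtcTime, User, ParentImage,
Image, CommandLine). All events below are constructed placeholders.
"""
import json
import ntpath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
# Hypothetical allowlist of children Office spawns legitimately (printing);
# keep it short and review it per environment.
BENIGN_CHILDREN = {"splwow64.exe"}
# Command-line fragments that raise a finding from medium to high.
RISK_MARKERS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                "downloadstring", r"\appdata\local\temp", "invoke-expression", "iex ")

# Constructed sample: a macro launching encoded PowerShell via cmd, a benign
# print helper, an interactive shell from explorer, a VBS script from Excel,
# and Outlook opening Word (the lure stage, not yet an interpreter).
SAMPLE_EVENTS = r"""
{"UtcTime": "2026-02-03 09:14:02", "User": "CORP\\jdoe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc UGxhY2Vob2xkZXI="}
{"UtcTime": "2026-02-03 09:14:05", "User": "CORP\\jdoe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"UtcTime": "2026-02-03 09:20:11", "User": "CORP\\asmith", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"UtcTime": "2026-02-03 09:31:47", "User": "CORP\\mlee", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\mlee\\Downloads\\report.vbs"}
{"UtcTime": "2026-02-03 09:40:00", "User": "CORP\\mlee", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE /n invoice.docm"}
"""


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a finding dict for Office -> interpreter/LOLBin events, else None."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    if parent not in OFFICE_PARENTS or child in BENIGN_CHILDREN:
        return None
    if child not in SUSPICIOUS_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "")
    markers = [m for m in RISK_MARKERS if m in cmdline.lower()]
    return {"time": event["UtcTime"], "user": event["User"], "parent": parent,
            "child": child, "severity": "high" if markers else "medium",
            "markers": markers, "cmdline": cmdline}


def hunt(jsonl):
    """Run classify() over every non-empty JSON line; return the findings."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']} {f['parent']} -> {f['child']} "
              f"[{f['severity']}] {f['cmdline']}")
```

The parent check is on the image name only; in production, also key on the parent's signed path so a renamed binary in a user-writable directory does not pass as Office, and feed the allowlist from observed telemetry rather than guesswork.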

Persistence

1 technique
T1547 Boot or Logon Autostart Execution (evidence: 1)

…GhostBackDoor malware… capable of remote command execution, file manipulation, and persistent access.

Privilege Escalation

1 technique
T1547 Boot or Logon Autostart Execution (evidence: 1)

…GhostBackDoor malware… capable of remote command execution, file manipulation, and persistent access.

Defense Evasion

2 techniques
T1027 Obfuscated Files or Information (evidence: 1)

Defense Evasion: Obfuscation, reflective loading, disabling security tools, living-off-the-land (T1027, T1620, T1562).

T1620 Reflective Code Loading (evidence: 3)

Defense Evasion: Obfuscation, reflective loading, disabling security tools, living-off-the-land (T1027, T1620, T1562).

Credential Access

1 technique
T1555.003 Credentials from Web Browsers (evidence: 1)

Credential Access & Collection: Browser credential dumping, system info gathering (T1555.003, T1082).

Discovery

1 technique
T1082 System Information Discovery (evidence: 1)

Credential Access & Collection: Browser credential dumping, system info gathering (T1555.003, T1082).

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 3)

TWINTALK, a C2 orchestrator that beacons via JWT-authenticated HTTPS with randomized delays (108–180 seconds).

T1102.002 Bidirectional Communication (evidence: 1)

"The campaign used phishing, post-exploitation tooling, and Telegram-based command and control..."

T1105 Ingress Tool Transfer (evidence: 2)

"New malware families include the GhostFetch downloader... GhostFetch can deploy a second-stage backdoor named GhostBackDoor... Another variant uses the HTTP_VIP downloader to deploy AnyDesk"
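The C2 evidence above describes beaconing with randomized delays inside a fixed window (108 to 180 seconds). Jitter defeats exact-interval matching but is still visible statistically, and the following Python, added here rather than taken from the page's sources, shows one way to hunt for it in web-proxy logs: group requests by client and destination host, take the gaps between consecutive requests, and flag pairs whose gaps stay inside a narrow band around a plausible polling period. The log format, client address and hostnames are constructed for the example and are not indicators from any report.

```python
"""Beacon-jitter hunt over web-proxy log lines.

Added example, not code from the page's sources. Each line is
'<ISO-8601 UTC time> <client> <method> <url> <status>'; all lines below are
constructed, and the hostnames are placeholders, not reported indicators.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median
from urllib.parse import urlsplit

# Constructed sample: 10.0.0.5 polls one host every 110-175 s (a jittered
# beacon), browses a second host at irregular intervals, and touches a third
# only three times (too few events to judge). Lines are deliberately not in
# time order.
SAMPLE_LOG = """\
2026-02-03T10:00:00Z 10.0.0.5 GET https://c2-placeholder.invalid/api/poll 200
2026-02-03T10:00:05Z 10.0.0.5 GET https://news-placeholder.invalid/ 200
2026-02-03T10:00:10Z 10.0.0.5 GET https://news-placeholder.invalid/style.css 200
2026-02-03T10:02:00Z 10.0.0.5 GET https://c2-placeholder.invalid/api/poll 200
2026-02-03T10:03:00Z 10.0.0.5 GET https://updates-placeholder.invalid/check 200
2026-02-03T10:04:30Z 10.0.0.5 GET https://c2-placeholder.invalid/api/poll 200
2026-02-03T10:05:00Z 10.0.0.5 GET https://updates-placeholder.invalid/check 200
2026-02-03T10:05:10Z 10.0.0.5 GET https://news-placeholder.invalid/article/1 200
2026-02-03T10:05:22Z 10.0.0.5 GET https://news-placeholder.invalid/article/2 200
2026-02-03T10:06:20Z 10.0.0.5 GET https://c2-placeholder.invalid/api/poll 200
2026-02-03T10:07:00Z 10.0.0.5 GET https://updates-placeholder.invalid/check 200
2026-02-03T10:09:15Z 10.0.0.5 GET https://c2-placeholder.invalid/api/poll 200
2026-02-03T10:11:30Z 10.0.0.5 GET https://c2-placeholder.invalid/api/poll 200
2026-02-03T10:14:10Z 10.0.0.5 GET https://c2-placeholder.invalid/api/poll 200
2026-02-03T10:16:15Z 10.0.0.5 GET https://c2-placeholder.invalid/api/poll 200
2026-02-03T10:20:22Z 10.0.0.5 GET https://news-placeholder.invalid/article/3 200
2026-02-03T10:21:02Z 10.0.0.5 GET https://news-placeholder.invalid/article/4 200
2026-02-03T10:54:22Z 10.0.0.5 GET https://news-placeholder.invalid/ 200
2026-02-03T10:54:25Z 10.0.0.5 GET https://news-placeholder.invalid/logo.png 200
"""


def parse_line(line):
    """Split one log line into (client, destination host, aware datetime)."""
    ts, client, _method, url, _status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return client, urlsplit(url).hostname, when


def interval_profile(times):
    """Return (min, median, max) of the gaps, in seconds, between sorted requests."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return min(gaps), median(gaps), max(gaps)


def find_beacons(log_text, min_requests=6, max_band=0.7, period_range=(60, 600)):
    """Flag (client, host) pairs whose request gaps cluster around one period.

    band = (max gap - min gap) / median gap. A sleep-with-jitter loop keeps the
    band small even though no two gaps are identical; ordinary browsing
    produces gaps spanning orders of magnitude. period_range bounds the
    median gap so that very fast or very slow pollers are left to other rules.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            client, host, when = parse_line(line)
            by_pair[(client, host)].append(when)

    hits = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        lo, mid, hi = interval_profile(times)
        if mid <= 0:  # bursts of simultaneous requests, not a sleep loop
            continue
        band = (hi - lo) / mid
        if band <= max_band and period_range[0] <= mid <= period_range[1]:
            hits.append({"client": client, "host": host, "requests": len(times),
                         "min_s": lo, "period_s": mid, "max_s": hi,
                         "band": round(band, 2)})
    return sorted(hits, key=lambda h: h["band"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The thresholds are starting points, not tuned values: lower `max_band` tightens the match, and `min_requests` trades detection latency for false positives (software updaters and health checks also poll on fixed schedules, so triage hits against known-good destinations before escalating).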

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

Command & Control / Exfiltration: Custom C2 (HTTP, encrypted channels), data staging (T1071.001, T1041).

Defense Evasion (continued)

1 technique
T1562 Impair Defenses (evidence: 1)

Defense Evasion: Obfuscation, reflective loading, disabling security tools, living-off-the-land (T1027, T1620, T1562).

INDICATORS OF COMPROMISE

IOCs tracked for this family

One indicator attributed across vendor reports, sandbox runs and researcher write-ups; the full value is available in Mallory and masked in the public view.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type     Value                                    Latest sighting
domain   ●●●●●●●●●●●● (masked in the public view)  3 months ago