Mallory
Malware · Used by 1 actor

LP-Notes

LP-Notes is a custom credential stealer associated with the Iran-aligned threat actor MuddyWater (also tracked as Mango Sandstorm and TA450). The reporting cited on this page places it in MuddyWater campaigns targeting organizations primarily in Israel, with at least one confirmed target in Egypt, across sectors including technology, engineering, manufacturing, local government, education, telecom, government, oil, and energy. LP-Notes was used post-compromise alongside other MuddyWater tooling such as the Fooder loader, the MuddyViper backdoor, CE-Notes, Blub, VAX One, and go-socks5 reverse tunnels.

The malware is described as a credential stealer written in C/C++. Its documented behavior includes stealing Windows credentials by presenting a fake Windows Security dialog box to trick users into entering their system username and password. Multiple cited sources also describe LP-Notes as staging and verifying stolen credentials. It was used to extract login credentials and other sensitive data, and one cited artifact states that collected credentials were stored in C:\Users\Public\Downloads\lp-notes.txt.

High-confidence indicators and behaviors directly mentioned in the cited reporting include the malware name LP-Notes / LP Notes, use of a fake Windows Security prompt for credential theft, local staging of stolen credentials, and storage of collected credentials in C:\Users\Public\Downloads\lp-notes.txt. The reporting consistently links LP-Notes to MuddyWater operations observed from late 2024 into 2025.
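As an added example (not code from this page or from the Mallory platform), the following Python snippet runs a simple detection for the credential staging behavior described above over constructed Sysmon-style FileCreate records. It assumes Sysmon's EventID 11 field names (`Image`, `TargetFilename`, `Computer`); the sample events are invented, and the only page-derived indicator is the staging path.

```python
import json
import ntpath

# Staging path reported for LP-Notes (from the page), normalized to lowercase backslash form.
STAGING_PATH = r"c:\users\public\downloads\lp-notes.txt"

# Constructed Sysmon-like FileCreate (EventID 11) records; not real telemetry.
SAMPLE_EVENTS = [
    r'{"EventID": 11, "Image": "C:\\Users\\Public\\stage.exe", "TargetFilename": "C:\\Users\\Public\\Downloads\\lp-notes.txt", "Computer": "WS01"}',
    r'{"EventID": 11, "Image": "C:\\Temp\\svc.exe", "TargetFilename": "D:\\tmp\\LP-Notes.txt", "Computer": "WS02"}',
    r'{"EventID": 11, "Image": "C:\\Program Files\\Browser\\browser.exe", "TargetFilename": "C:\\Users\\Public\\Downloads\\report.pdf", "Computer": "WS03"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c type lp-notes.txt", "Computer": "WS01"}',
    "this line is not json",  # malformed input must be skipped, not crash the scan
]


def normalize(path: str) -> str:
    """Canonicalize a Windows path for comparison: forward slashes to backslashes, lowercase."""
    return path.replace("/", "\\").lower()


def classify(event: dict):
    """Return a severity for FileCreate events that match the LP-Notes staging file, else None."""
    if event.get("EventID") != 11:
        return None
    target = normalize(event.get("TargetFilename", ""))
    if target == STAGING_PATH:
        return "high"      # exact path reported in the LP-Notes artifact
    if ntpath.basename(target) == "lp-notes.txt":
        return "medium"    # same file name in another directory: generalization, lower confidence
    return None


def scan(lines):
    """Parse JSON log lines and collect alerts for matching events."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        severity = classify(event)
        if severity:
            alerts.append({
                "severity": severity,
                "host": event.get("Computer"),
                "image": event.get("Image"),
                "target": event.get("TargetFilename"),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the scan yields one high-severity hit on WS01 and one medium-severity hit on WS02; the benign download, the process-create event and the malformed line produce nothing.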


Threat actors

Groups observed using it

1 distinct threat actor attributed by public researchers.
MuddyWater

The two stealers share the same design - although LP-Notes can steal Windows credentials by displaying a fake Windows Security dialog box.

via govinfosecurity.com
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

"MuddyWater hackers in this campaign continued their usual practice of gaining access through phishing emails. The messages often contain PDF attachments with links to remote monitoring and management tools hosted on free file-sharing platforms."

Stealth

1 technique
T1027 Obfuscated Files or Information (evidence: 1)

The content repeatedly describes adversaries using Base64, XOR, RC4, AES, hexadecimal encoding, string encryption, code flattening, custom crypters, and other obfuscation methods to hide payloads, strings, configuration data, URLs, and scripts.

Credential Access

4 techniques
T1003 OS Credential Dumping (evidence: 1)

“MuddyViper enables… exfiltrate Windows login credentials… The campaign leverages additional credential stealers.”

T1056.002 GUI Input Capture (evidence: 1)

"LP-Notes can steal Windows credentials by displaying a fake Windows Security dialog box."

T1555.003 Credentials from Web Browsers (evidence: 2)

"...stealing ... browser data..."

T1649 Steal or Forge Authentication Certificates (evidence: 1)

The threat actor also downloaded credential stealers tracked as CE-Notes and LP-Notes.

Collection

2 techniques
T1056.002 GUI Input Capture (evidence: 1)

"LP-Notes can steal Windows credentials by displaying a fake Windows Security dialog box."

T1074 Data Staged (evidence: 1)

The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 2)

"...enabling file execution and exfiltration."
