Malware, used by 1 actor

Blub

Blub is a custom browser-data and credential-stealing malware used by the Iran-aligned cyberespionage group MuddyWater (also tracked as Mango Sandstorm and TA450). Reporting describes it as a C/C++ browser-data stealer deployed post-compromise alongside other credential theft tools such as CE-Notes and LP-Notes. Its documented capability is to extract login data from Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera browsers. Blub was observed in MuddyWater campaigns active between September 2024 and March 2025 that primarily targeted organizations in Israel, with at least one confirmed target in Egypt; affected sectors included technology, engineering, manufacturing, local government, and education. In the broader operation, initial access was typically obtained via spearphishing emails with PDF attachments linking to installers for legitimate remote monitoring and management tools hosted on file-sharing services such as OneHub, Egnyte, and Mega. No specific Blub indicators of compromise are provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

MuddyWater

As part of the operation, MuddyWater also deployed several custom credential stealers, including CE-Notes, LP-Notes, and Blub, to extract browser passwords, login credentials, and other sensitive data.

via Dark Reading (darkreading.com)
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Credential Access

2 techniques
T1003 OS Credential Dumping (evidence: 1)

“MuddyViper enables… exfiltrate Windows login credentials… The campaign leverages additional credential stealers.”

T1555.003 Credentials from Web Browsers (evidence: 1)

“CE-Notes… targets Chromium-based browsers… Blub… steals login data from Chrome, Edge, Firefox, and Opera browsers.”

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

“transfer files, and exfiltrate Windows login credentials and browser data.”

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (3)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.