Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actor

CE-Notes

CE-Notes is a credential- and browser-data stealer used by the Iran-aligned cyberespionage group MuddyWater (also tracked as Mango Sandstorm and TA450) in campaigns observed by ESET from 2024 onward. It was deployed post-compromise alongside other MuddyWater tooling such as the Fooder loader, the MuddyViper backdoor, LP-Notes, Blub, and reverse SOCKS5 tunneling utilities. High-confidence reporting states that CE-Notes targets Chromium-based browsers and is used to extract browser passwords, login credentials, and other sensitive data. Reporting also states that CE-Notes attempts to bypass Google Chrome's app-bound encryption by stealing the encryption key stored in the Local State file of Chromium-based browsers. ESET first observed CE-Notes in 2024. In the referenced MuddyWater activity, the broader intrusion set targeted organizations primarily in Israel, with at least one confirmed target in Egypt, including victims in technology, engineering, manufacturing, local government, education, and in some reporting telecom, government, oil, energy, transportation, utilities, and universities. Initial access in the campaign was typically achieved through spearphishing emails with PDF attachments that linked victims to legitimate remote monitoring and management tool installers hosted on free file-sharing services such as OneHub, Egnyte, and Mega. No standalone CE-Notes-specific indicators of compromise are provided in the content.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
MuddyWater

The threat actor also downloaded credential stealers tracked as CE-Notes and LP-Notes. Eset first observed CE-Notes in 2024.

via govinfosecuritygovinfosecurity.com
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566PhishingEvidence1

"MuddyWater hackers in this campaign continued their usual practice of gaining access through phishing emails. The messages often contain PDF attachments with links to remote monitoring and management tools hosted on free file-sharing platforms."

Credential Access

3 techniques
T1003OS Credential DumpingEvidence1

“MuddyViper enables… exfiltrate Windows login credentials… The campaign leverages additional credential stealers.”

T1555.003Credentials from Web BrowsersEvidence2

"...stealing ... browser data..."

T1649Steal or Forge Authentication CertificatesEvidence1

The threat actor also downloaded credential stealers tracked as CE-Notes and LP-Notes.

Exfiltration

1 technique
T1041Exfiltration Over C2 ChannelEvidence2

"...enabling file execution and exfiltration."

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
ctoatncsc substackNews
Dec 6, 2025
CTO at NCSC Summary: week ending December 7th

Browser-data stealer used in the described MuddyWater toolchain to collect browser-resident data.

Read more
scworldNews
Dec 3, 2025
MuddyWater targets Israel with new MuddyViper backdoor

Stealer used in the campaign (specific capabilities not detailed in the content).

Read more
the record mediaNews
Dec 2, 2025
Iran-linked hackers target Israeli, Egyptian critical infrastructure through phishing campaign | The Record from Recorded Future News

Credential stealer used post-compromise to target Chromium-based browsers and harvest stored credentials/data.

Read more
bank info securityNews
Dec 2, 2025
Iran Hackers Take Inspiration From Snake Video Game

A credential stealer used by MuddyWater. It shares the same design as LP-Notes and is used to steal credentials.

Read more
+5 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.