Threat Actor

MoustachedBouncer

moustachedbouncer · belarus · active since 2014

MoustachedBouncer (canonical ESET naming, per Matthieu Faou's August 10, 2023 Black Hat USA 2023 conference presentation and the accompanying WeLiveSecurity research blog disclosure) is a Belarus-aligned cyber-espionage cluster publicly active since at least November 2014 (the oldest NightClub sample dates to November 19, 2014). It is one of the longest-running publicly tracked Belarus-aligned clusters, with a deliberately narrow mission: targeting only foreign embassies in Belarus.

ESET assesses with medium confidence that the cluster is aligned with Belarusian state interests.

Signature tradecraft: adversary-in-the-middle (AitM) attacks at the internet service provider (ISP) level within Belarus since 2020. This requires access to Belarusian ISP infrastructure, which is practically achievable only through state-aligned cooperation with Belarusian telecommunications providers operating the SORM (System for Operative Investigative Activities) lawful interception system.

Signature two-implant pattern: NightClub and Disco. Disco is used in conjunction with AitM attacks; NightClub is used against victims where ISP-level traffic interception is not possible (e.g., traffic carried over an end-to-end encrypted VPN).

Both implants support spying plugins (screenshotter, audio recorder, file stealer, keylogger, DNS-tunneling backdoor).

NightClub uses the Czech webmail service Seznam.cz and the Russian webmail service Mail.ru for SMTP and IMAP C&C communications, through email accounts the attackers created themselves.

Signature fake Windows Update redirect, enabled by ISP-level traffic tampering. Per ESET telemetry, the cluster has targeted embassy staff of 4-5 countries (two from Europe, one from South Asia, one from Northeast Africa) since June 2017, with documented multi-year repeat targeting (one European diplomat compromised in November 2020 and again in July 2022).

Low-confidence operational connection to Winter Vivern, based on shared C&C infrastructure features, per ESET.

The AitM tradecraft parallels the historical ISP-level trojanized-software-installer tradecraft of Turla and StrongPity.

Fills the Belarus-aligned foreign-embassy-surveillance specialization cell in the curated corpus; one of the few publicly tracked Belarus-attributed clusters, complementing the Russia-and-Belarus dual-aligned tracking of winter_vivern_ta473.

Belarus · confidence: high · 7 aliases · MITRE ATT&CK G1019
Sigma rules: 200 · YARA rules: 0 · Live IOCs: 0 · CVEs exploited: 0

Profile

MoustachedBouncer (canonical ESET naming, per Matthieu Faou's August 10, 2023 Black Hat USA 2023 conference presentation and the accompanying WeLiveSecurity research blog disclosure) is a Belarus-aligned cyber-espionage cluster publicly active since at least 2014, one of the longest-running publicly tracked Belarus-aligned clusters, with approximately 12 years of continuous tracking as of mid-2026. The cluster's mission is narrow and distinctive: it targets only foreign embassies in Belarus. ESET assesses the cluster "with medium confidence" as "aligned with Belarus's interests", based on the alignment of its operational pattern with Belarusian state surveillance and counter-intelligence priorities.

The Belarus-aligned attribution is supported by the cluster's signature adversary-in-the-middle (AitM) tradecraft at the internet service provider (ISP) level within Belarus, which requires access to Belarusian ISP infrastructure that is practically achievable only through state-aligned cooperation with Belarusian telecommunications providers. ESET assesses that the cluster uses a "lawful interception system (such as SORM) to conduct its AitM operations". SORM was originally developed for Russian state surveillance, and per Amnesty International "all telecommunications providers in Belarus are SORM-compatible."

Operational phases:
  • (1) NIGHTCLUB OPERATIONAL EMERGENCE ERA (November 2014 - 2020). The oldest NightClub sample dates to November 19, 2014 (uploaded to VirusTotal from Ukraine). NightClub evolved from a simple backdoor in 2014 into a fully modular C++ implant that uses email for C&C communications via free webmail services (Czech Seznam.cz and Russian Mail.ru). Since 2016, additional modules have been added: audio recording, screenshots, keylogging.
  • (2) AITM-AT-ISP-LEVEL OPERATIONAL ESCALATION ERA (2020+). A significant tradecraft escalation: starting in 2020, MoustachedBouncer began performing adversary-in-the-middle (AitM) attacks at the ISP level within Belarus, and concurrently deployed a second implant framework, Disco, used in parallel with NightClub.
  • (3) ESET BLACK HAT CANONICAL DISCLOSURE ERA (August 10, 2023). ESET researcher Matthieu Faou presented the canonical MoustachedBouncer disclosure at Black Hat USA 2023.
  • (4) CONTINUED OPERATIONS ERA (2023-2026). Sustained operational tempo consistent with a persistent foreign-embassy-surveillance mission.
Signature operational tradecraft
  • AitM at ISP level via SORM lawful interception: the cluster's signature and most distinctive tradecraft. It requires access to Belarusian ISP infrastructure, practically achievable only through state-aligned cooperation with Belarusian telecommunications providers using SORM lawful interception. To compromise targets, MoustachedBouncer operators tamper with their victims' internet access (probably at the ISP level via SORM) to make Windows believe it is behind a captive portal. For IP ranges targeted by MoustachedBouncer, network traffic is redirected to a seemingly legitimate but fake Windows Update page. The result is initial access with essentially no victim interaction.
  • NightClub + Disco two-implant operational pattern: both implants operate in parallel, but on a given compromised machine only one is deployed at a time. Disco is used in conjunction with AitM attacks. NightClub is used for victims where traffic interception at the ISP level is not possible (e.g., an end-to-end encrypted VPN routing traffic outside Belarus). Both support spying plugins: screenshotter, audio recorder, file stealer, keylogger.
  • Free webmail C2 abuse: NightClub uses the Czech webmail service Seznam.cz and the Russian webmail provider Mail.ru for C&C communications over SMTP and IMAP. ESET assesses that the attackers created their own email accounts rather than compromising legitimate ones.
  • DNS-tunneling C2 plugin: one NightClub plugin (ParametersParserer.dll) uses DNS tunneling via a custom protocol, placing the data to exfiltrate in the subdomain part of the domain used in DNS requests.
  • Comprehensive embassy surveillance plugins: file stealing, drive monitoring (including external drives), audio recording, screen capture, keylogging.
  • SharpDisco C# dropper: deploys two plugins via a reverse shell to enumerate drives and exfiltrate files.
  • Fake Windows Update redirect tradecraft: highly effective per Matthieu Faou: "this fake Windows page comes up as soon as they start the computer. They have nothing to do except download the malware."
  • Low-victim-count, high-operational-security profile: "they're not compromising many victims, we only see a few targets per year" per Faou. The cluster maintains a very narrow targeting scope.
  • Long-running operational tempo with multi-year repeat targeting: the cluster compromised one European diplomat twice (November 2020 and July 2022), demonstrating persistent multi-year targeting of high-value diplomatic targets.
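The fake Windows Update redirect in the tradecraft list above depends on the victim machine concluding that it sits behind a captive portal. The Python below is an added defender-side example, not code from ESET or from this platform: it classifies observed answers to the standard Windows network connectivity probe so an analyst can tell a genuine answer from a redirect or a substituted page, runs that classification over a constructed proxy-log sample, and includes a live probe for validating from the host it runs on. The probe URL and expected body are standard Windows behaviour from general knowledge, not details stated in the ESET report; the log format, IP addresses and the update-page.invalid hostname are constructed.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass

# The Windows network connectivity probe (NCSI). Windows fetches this URL
# over plain HTTP and expects exactly the body below; a redirect or any other
# body makes Windows conclude it is behind a captive portal and surface the
# page it was given. This is standard Windows behaviour from general
# knowledge, not a detail taken from the ESET report.
NCSI_URL = "http://www.msftconnecttest.com/connecttest.txt"
NCSI_EXPECTED_BODY = "Microsoft Connect Test"
REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class ProbeResponse:
    status: int
    location: str      # Location header on redirects, "" otherwise
    content_type: str
    body: str


def classify_probe(resp: ProbeResponse) -> str:
    """Classify one observed answer to the NCSI probe:
    'ok'            the genuine plain-text answer
    'redirected'    a 3xx to another page (captive-portal behaviour)
    'tampered_body' 200 but the body is not the expected text
    'unreachable'   no usable HTTP response
    """
    if resp.status in REDIRECT_CODES:
        return "redirected"
    if resp.status == 200:
        return "ok" if resp.body.strip() == NCSI_EXPECTED_BODY else "tampered_body"
    return "unreachable"


# Constructed proxy-log style records (not real telemetry), one probe answer
# per line: source IP | HTTP status | Location | Content-Type | body
SAMPLE_PROBE_LOG = """\
10.20.0.15 | 200 | | text/plain | Microsoft Connect Test
10.20.0.22 | 302 | http://update-page.invalid/ | text/html |
10.20.0.31 | 200 | | text/html | <html><title>Windows Update</title></html>
"""


def triage_log(log_text: str) -> dict:
    """Map each source IP in the log to the classification of its probe answer."""
    results = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, status, location, ctype, body = (p.strip() for p in line.split("|", 4))
        results[src] = classify_probe(ProbeResponse(int(status), location, ctype, body))
    return results


def live_probe(timeout: float = 5.0) -> str:
    """Issue the NCSI probe from this host and classify the answer.
    Redirects are deliberately not followed so that they stay visible."""
    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn any 3xx into an HTTPError we can inspect

    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(NCSI_URL, timeout=timeout) as r:
            resp = ProbeResponse(r.status, r.headers.get("Location", ""),
                                 r.headers.get("Content-Type", ""),
                                 r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        resp = ProbeResponse(e.code, e.headers.get("Location", ""),
                             e.headers.get("Content-Type", ""), "")
    except (urllib.error.URLError, OSError):
        return "unreachable"
    return classify_probe(resp)


if __name__ == "__main__":
    for src, verdict in triage_log(SAMPLE_PROBE_LOG).items():
        print(f"{src}: {verdict}")
```

A "redirected" or "tampered_body" verdict from a wired host that is not behind a real captive portal is the signal worth chasing: legitimate captive portals are expected on guest Wi-Fi, not on an embassy's fixed uplink. Proxy and DNS telemetry for the probe hostname make the check repeatable across the fleet without running the live probe on every machine.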
Operational connections in the curated corpus
  • Low-confidence operational connection to Winter Vivern: ESET assesses a possible operational collaboration with Winter Vivern (curated separately as winter_vivern_ta473.yaml) based on shared C&C infrastructure features, though the TTPs and toolsets are very different. This suggests a common infrastructure provider for both clusters.
  • AitM tradecraft parallel to Turla and StrongPity: Turla (curated separately as turla.yaml in this corpus) and StrongPity (Turkey-aligned) have historically employed similar AitM-at-ISP-level tradecraft, placing MoustachedBouncer within the broader ecosystem of ISP-level AitM clusters. The cluster fills the Belarus-aligned foreign-embassy-surveillance specialization cell in this curated corpus, one of the few publicly tracked Belarus-attributed clusters (most adjacent Belarus-aligned activity is tracked under broader Russia-aligned cluster naming or under hybrid Russia-Belarus dual-aligned tracking like Winter Vivern). It is distinct through (a) Belarus alignment with medium confidence (versus the broader Russia-aligned attribution of most adjacent clusters); (b) signature AitM-at-ISP-level tradecraft via SORM lawful interception; (c) signature narrow targeting scope (foreign embassies in Belarus exclusively); (d) the signature NightClub + Disco two-implant operational pattern; (e) an approximately 12-year continuous operational tempo (one of the longest-running publicly tracked clusters).
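The NightClub C2 channels described in the tradecraft list above, free webmail providers over SMTP/IMAP and a DNS-tunneling plugin that carries data in subdomain labels, both leave marks in DNS telemetry. The Python below is an added example (not code from ESET or from this platform) that runs two heuristics over a constructed DNS query log: it flags lookups for the two webmail provider domains named in the reporting, and it flags tunnelling candidates by subdomain length and Shannon entropy together with the number of distinct subdomains seen under one registered domain from one source. The log format, the IP addresses, the exfil-example.test domain and the thresholds are constructed assumptions; the ESET report does not describe the plugin's encoding, so the heuristics are generic rather than specific to ParametersParserer.dll.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, not real telemetry. Each line is:
# "<timestamp> <source_ip> <queried_name> <record_type>"
SAMPLE_DNS_LOG = """\
2024-03-01T08:00:01Z 10.20.0.15 www.msftconnecttest.com A
2024-03-01T08:00:02Z 10.20.0.15 imap.seznam.cz A
2024-03-01T08:00:03Z 10.20.0.15 smtp.mail.ru A
2024-03-01T08:00:04Z 10.20.0.15 4a7f9c2e1b3d.8e6f0a1c2b4d.exfil-example.test A
2024-03-01T08:00:05Z 10.20.0.15 9d1e3f5a7c2b.0f2a4c6e8b1d.exfil-example.test A
2024-03-01T08:00:06Z 10.20.0.15 b2c4e6a8d0f1.3a5c7e9b1d2f.exfil-example.test A
2024-03-01T08:00:07Z 10.20.0.22 update.microsoft.com A
2024-03-01T08:00:08Z 10.20.0.22 www.example.org A
"""

# Webmail providers named in the ESET reporting as NightClub's SMTP/IMAP C2
# transport. Both are legitimate services; a hit is a hunting lead, not proof.
WEBMAIL_C2_DOMAINS = ("seznam.cz", "mail.ru")

# Heuristic thresholds (assumed values for this example; tune to your estate).
MIN_SUBDOMAIN_LEN = 16       # encoded data rarely fits in a short label
MIN_SUBDOMAIN_ENTROPY = 3.0  # bits per character; hex/base32 data scores high
MIN_DISTINCT_SUBDOMAINS = 3  # tunnels burn through many unique names


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered_domain). The registered domain is taken
    as the last two labels, which is good enough for this example; use a
    public-suffix list in production (co.uk and friends break this)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(log_text: str):
    """Yield (src_ip, qname) pairs from the constructed log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2]


def analyse_dns_log(log_text: str):
    """Return a list of findings: lookups for the webmail providers, per-query
    tunnel candidates (long, high-entropy subdomains) and per-source volume
    anomalies (many distinct subdomains under one registered domain)."""
    findings = []
    per_domain = defaultdict(set)  # (src, registered_domain) -> subdomains seen

    for src, qname in parse_log(log_text):
        sub, domain = split_name(qname)

        # 1. Lookups for the webmail providers abused as NightClub C2 transport.
        if domain in WEBMAIL_C2_DOMAINS:
            findings.append({"kind": "webmail_c2_provider", "src": src, "qname": qname})

        # 2. Per-query tunnel heuristic on the subdomain with dots removed.
        payload = sub.replace(".", "")
        ent = shannon_entropy(payload)
        if len(payload) >= MIN_SUBDOMAIN_LEN and ent >= MIN_SUBDOMAIN_ENTROPY:
            findings.append({"kind": "dns_tunnel_candidate", "src": src,
                             "qname": qname, "entropy": round(ent, 2)})
        if sub:
            per_domain[(src, domain)].add(sub)

    # 3. Volume heuristic: many distinct subdomains for one domain and source.
    for (src, domain), subs in per_domain.items():
        if len(subs) >= MIN_DISTINCT_SUBDOMAINS:
            findings.append({"kind": "dns_tunnel_volume", "src": src,
                             "domain": domain, "distinct_subdomains": len(subs)})
    return findings


if __name__ == "__main__":
    for finding in analyse_dns_log(SAMPLE_DNS_LOG):
        print(finding)
```

On the sample, only 10.20.0.15 produces findings: two webmail-provider lookups, three tunnel candidates (each subdomain is 24 hex characters with entropy above 3.8 bits) and one volume finding for exfil-example.test. Baseline which hosts legitimately use Seznam.cz or Mail.ru before alerting on the provider rule, and pair the entropy rule with the volume rule to keep CDN and telemetry hostnames from flooding the queue.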

Aliases

7 aliases: moustachedbouncer, moustached_bouncer, moustached bouncer, mustachedbouncer, mustached bouncer, moustachedbouncer_belarus, moustachedbouncer apt

Notable Campaigns

11 campaigns
  • 2023-2026: Continued Operations Through 2023-2026
  • 2023: ESET Black Hat USA 2023 Canonical Disclosure (August 10, 2023)
  • 2020-Present: Disco Implant Deployment Operational Pattern (2020-Present)
  • 2020-Present: Fake Windows Update AitM Redirect Tradecraft (Signature)
  • 2020-2024: Low-Confidence Operational Connection to Winter Vivern
  • 2020-2022: SharpDisco C# Dropper Operational Use (January 2020+)
  • 2020: AitM-at-ISP-Level Operational Emergence (2020)
  • 2018-Present: Turla + StrongPity AitM Tradecraft Parallel (Operational Lineage)
  • 2017-2022: Embassy Staff Compromises Era (June 2017 - July 2022)
  • 2014-2020: NightClub Implant Evolution Era (2014-2020)
  • 2014: NightClub Operational Emergence (November 19, 2014)

Attribution & Reporting

Attributed by
ESET · Mandiant · Microsoft Threat Intelligence Center · CrowdStrike · Recorded Future Insikt Group · SOPHOS X-Ops · Trend Micro · Symantec / Broadcom Threat Hunter Team · SentinelOne / SentinelLabs · Amnesty International (SORM lawful interception documentation) · Ukrainian CERT-UA
Key reporting
  • ESET (Matthieu Faou): MoustachedBouncer, Espionage against foreign diplomats in Belarus (August 10, 2023), canonical Black Hat USA 2023 conference presentation and ESET WeLiveSecurity research blog disclosure
  • ESET Press Release: ESET Research discovers MoustachedBouncer targeting European and other diplomats in Belarus via network tampering at the ISP level (August 10, 2023)
  • Dark Reading: MoustachedBouncer APT Spies on Embassies, Likely via ISPs (August 10, 2023)
  • SecurityWeek: MoustachedBouncer, Foreign Embassies in Belarus Likely Targeted via ISPs (August 11, 2023)
  • The Hacker News: Researchers Uncover Years-Long Cyber Espionage on Foreign Embassies in Belarus (August 12, 2023)
  • The Record from Recorded Future News: 'MoustachedBouncer' espionage hackers targeting embassies in Belarus (August 2023)
  • Infosecurity Magazine: New Cyber Threat 'MoustachedBouncer' Targets Embassies in Belarus (August 2023)
  • Mandiant: Ghostwriter APT Attribution to Belarus (broader Belarus-aligned cluster ecosystem context)
  • Microsoft Threat Intelligence: Belarus-Aligned Cluster Tracking
  • CrowdStrike Global Threat Report: Belarus-Aligned Cluster Tracking
  • Recorded Future Insikt Group: Belarus State-Aligned Cyber Operations Tracking
  • SOPHOS X-Ops: Belarus-Aligned Cluster Tracking
  • Symantec / Broadcom Threat Hunter Team: Belarus + Russia-Aligned APT Continued Tracking
  • SentinelLabs: Belarus-Aligned Cluster Operational Analysis
  • Amnesty International (2021): Biased, Flawed and Secretive, Government Attempts to Explain and Justify the Use of SORM Mass Surveillance (SORM lawful interception context)
  • Ukrainian CERT-UA: Belarus-Aligned Cluster Tracking
  • MITRE ATT&CK Group G1019, MoustachedBouncer
  • Malpedia Actor Profile: MoustachedBouncer

Operational

State sponsor

Belarus-aligned cyber-espionage cluster, with attribution consistent with the state-aligned interests of the Republic of Belarus. ESET researchers (lead: Matthieu Faou) assess MoustachedBouncer "with medium confidence that they are aligned with Belarus's interests", per the canonical August 10, 2023 ESET research disclosure at the Black Hat USA 2023 conference. The cluster is one of the longest-running publicly tracked Belarus-aligned clusters, active since at least 2014, and is distinguished from all other publicly tracked clusters by its narrow targeting mission: foreign embassies in Belarus only. The Belarus-aligned attribution is supported by:

  • (a) signature exclusive targeting of foreign embassies physically located within Belarusian territory;
  • (b) signature adversary-in-the-middle (AitM) tradecraft at the internet service provider (ISP) level within Belarus, requiring access to Belarusian ISP infrastructure that is practically achievable only through state-aligned cooperation with Belarusian telecommunications providers;
  • (c) ESET's assessment that the cluster "uses a lawful interception system (such as SORM) to conduct its AitM operations"; the SORM (System for Operative Investigative Activities) lawful interception system was originally developed for Russian state surveillance, and per Amnesty International "all telecommunications providers in Belarus are SORM-compatible, as well";
  • (d) operational alignment with Belarusian state surveillance and counter-intelligence priorities, especially since the Russian invasion of Ukraine.

ESET notes a parallel to the historical AitM-at-ISP-level tradecraft of Turla (Russian state-aligned) and StrongPity, but the Belarus-versus-Russia distinction in MoustachedBouncer attribution is maintained on the basis of the exclusively Belarusian operational scope and the dependence on Belarusian ISP infrastructure. ESET assesses with "low confidence" a potential operational collaboration with Winter Vivern (curated separately as winter_vivern_ta473.yaml in this corpus): both clusters share "common C&C infrastructure features", suggesting a common entity may provide infrastructure to both. ESET also notes ties to the Russian hacking group Turla (also curated separately as turla.yaml). No government cybersecurity authority has publicly attributed the cluster to a specific Belarusian government agency or intelligence-service unit. The cluster is one of the only Belarus-attributed clusters in the publicly tracked cyber-threat-intelligence landscape (most adjacent Belarus-aligned activity is tracked under broader Russia-aligned cluster naming or under hybrid Russia-Belarus dual-aligned tracking like Winter Vivern). Mandiant has separately attributed Ghostwriter APT attacks to Belarus; the Ghostwriter cluster may be operationally adjacent to MoustachedBouncer, though no formal operational connection between the two has been publicly established.

Motivations
cyber_espionage_diplomatic_intelligence_collection, foreign_embassy_surveillance, belarus_state_aligned_counter_intelligence, diplomatic_communications_interception, foreign_diplomat_personal_communications_collection, belarus_geopolitical_intelligence_collection

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 55/60 (91%)
  • Analytics (MITRE CAR): 25/60 (41%)
  • Runtime / container (Falco): 7/60 (11%)
  • File / malware (YARA): 0/60 (0%)
  • Network (Suricata/Snort): 15/60 (25%)
  • Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

1 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Mail.ru webmail C2
  • Seznam.cz webmail C2
  • SMTP email exfiltration protocol
  • SORM lawful interception system
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin