MoustachedBouncer

Introduction

MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus. MoustachedBouncer ESET August 2023

Activities and Tactics

Targeted Sectors: Government

Country of Origin: 🏳️ Belarus

Risk Level: High

Incident Type: Espionage

Suspected Victims: Europe, Eastern Europe, South Asia, Northeast Africa

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

• T1059.001 PowerShell
• T1059.007 JavaScript
• T1027.002 Software Packing
• T1113 Screen Capture
• T1090 Proxy
• T1068 Exploitation for Privilege Escalation
• T1074.002 Remote Data Staging
• T1659 Content Injection
• T1655.001 Match Legitimate Name or Location

ATT&CK technique IDs (denormalized)

• T1027.002
• T1059.001
• T1059.007
• T1068
• T1074.002
• T1090
• T1113
• T1655.001
• T1659

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• CyberGate
• Cyber Eye RAT

MITRE ATT&CK Software

• NightClub (S1090) — malware
• Disco (S1088) — malware
• SharpDisco (S1089) — malware

Attribution and Evidence

Country of Origin: Belarus Additional attribution information pending cataloguing.

References

[1] mitre-attack [2] MoustachedBouncer ESET August 2023 Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.