MoustachedBouncer

Threat Actor updated 4 months ago (2024-05-04T20:49:24.401Z)
MoustachedBouncer is a threat actor group based in Belarus that has been identified as a significant cybersecurity concern. According to reports published by ESET in August 2023, the group conducts sophisticated cyberespionage, primarily against foreign diplomats within Belarus. It has demonstrated advanced capabilities, including leveraging access to Belarusian internet service providers (ISPs) to conduct "man in the middle" attacks on foreign entities. It is assessed with medium confidence that MoustachedBouncer aligns with Belarusian interests, and the group's operations have been linked, with low confidence, to another entity known as Winter Vivern. MoustachedBouncer is also suspected of using SORM, a Russian-designed system that provides remote access to all user communications; this access has reportedly enabled the group to perform HTTP redirections that deliver a C# dropper named SharpDisco, further extending its espionage capabilities. Since 2014, MoustachedBouncer has targeted at least four foreign embassies in Belarus: two from European nations, one from South Asia, and one from Africa. These activities make the group a persistent threat to international diplomacy and cybersecurity, and continued monitoring of such groups, together with robust countermeasures to protect sensitive information and infrastructure, remains crucial.
Description last updated: 2024-05-04T16:09:28.768Z
Aliases: none currently tracked

Miscellaneous Associations (other elements of context that could aid in the identification of relevance): AITM, Malware, Espionage, Windows, APT
Associated Malware

ID: NightClub | Type: Unspecified | Votes: 2
Profile Description: The malware named "NightClub" is a malicious software framework primarily used by an entity known as MoustachedBouncer, according to cybersecurity firm ESET. This framework was so named due to the presence of a C++ class called 'nightclub' within its code. ESET has identified that NightClub is typic
Source Document References
Information about the MoustachedBouncer Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
ESET | 8 months ago | Cyber: The Swiss army knife of tradecraft
CERT-EU | a year ago | Winter Vivern APT exploits Rouncube zero-day in attacks on European entities
Checkpoint | a year ago | 14th August – Threat Intelligence Report - Check Point Research
CERT-EU | 10 months ago | Winter Vivern’s Roundcube Zero-Day Exploits
CERT-EU | a year ago | Belarus Hackers Target Foreign Diplomats With Help of Local ISPs, Researchers Say - Slashdot
BankInfoSecurity | a year ago | Breach Roundup: Raccoon Stealer Makes a Comeback
CERT-EU | a year ago | Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers
CERT-EU | a year ago | Roundcube webmail zero-day exploited to spy on government entities (CVE-2023-5631) - Help Net Security
CERT-EU | a year ago | Winter Vivern APT Blasts Webmail Zero-Day Bug With One-Click Exploit
CERT-EU | a year ago | Unmasking MoustachedBouncer, an APT group spying on foreign embassies in Belarus
CERT-EU | a year ago | Belarus-Linked Hackers Target Diplomats, Likely With State Support
CERT-EU | a year ago | New Cyber Threat 'MoustachedBouncer' Targets Embassies in Belarus
DARKReading | a year ago | 'MoustachedBouncer' APT Spies on Embassies, Likely via ISPs