MoustachedBouncer

Threat Actor updated a month ago (2024-10-17T13:03:31.008Z)
MoustachedBouncer, a threat actor first detailed in August 2023, is known for cyberespionage primarily targeting foreign diplomats in Belarus. The group has been linked to at least four attacks on foreign embassies in Belarus since 2014, involving two European nations, one South Asian nation and one African nation. MoustachedBouncer's tactics involve adversary-in-the-middle (AitM) attacks executed through Belarusian internet service providers (ISPs), which allow the group to intercept and manipulate the communications of diplomatic entities within the country. Its Command and Control (C&C) protocol is referred to as transport_http, an expression typically used by Russian-speaking threat actors such as Turla; this linguistic hint, together with the group's sophisticated tactics, suggests that the developers behind MoustachedBouncer may be Russian speakers. The group also uses a C#-developed dropper named SharpDisco to issue HTTP redirections, further extending its ability to control and monitor targeted systems. There are indications of a link between MoustachedBouncer and another threat actor known as Winter Vivern, although this connection is currently assessed with low confidence. The GoldenHowl malware, associated with these groups, underscores the danger of these attacks, as it is capable of infiltrating even highly secure systems via USB-based methods. As MoustachedBouncer continues to exploit its access to Belarusian ISPs for espionage, it remains a significant cybersecurity concern.
Description last updated: 2024-10-17T12:37:34.134Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
AITM
Windows
APT
Espionage
Belarus
ESET
Associated Malware
Alias: NightClub
Description: The NightClub malware is associated with MoustachedBouncer. NightClub is a malware framework used by MoustachedBouncer, named so because it contains a C++ class called 'nightclub'. This malicious software is designed to exploit and damage victims' computer systems or devices without their knowledge. It can infiltrate systems through suspicious downloads,
Association type: Unspecified
Votes: 2

Alias: SharpDisco
Description: The malware SharpDisco is associated with MoustachedBouncer.
Association type: is related to
Votes: 2
Associated Threat Actors
Alias: Turla
Description: The Turla threat actor is associated with MoustachedBouncer. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (
Association type: is related to
Votes: 3

Alias: GoldenHowl
Description: The GoldenHowl threat actor is associated with MoustachedBouncer. GoldenHowl is a sophisticated threat actor known for its diverse set of malicious capabilities. Identified as part of a broader campaign alongside GoldenDealer and GoldenRobo, this modular backdoor showcases various functionalities that pose significant threats to compromised systems. Its primary fu
Association type: Unspecified
Votes: 2
Source Document References