MoustachedBouncer

Threat Actor updated 23 days ago (2024-11-29T13:50:57.029Z)
Download STIX
Preview STIX
MoustachedBouncer, a threat actor first detailed in August 2023, is known for its cyberespionage activities primarily targeting foreign diplomats in Belarus. The group has been linked to at least four attacks on foreign embassies in Belarus since 2014, including two European nations, one from South Asia, and another from Africa. MoustachedBouncer's tactics involve adversary-in-the-middle (AitM) attacks executed through Belarusian internet service providers (ISPs). This approach allows the group to intercept and manipulate communications, posing significant threats to diplomatic entities within the country. The group's modus operandi includes the use of a specific Command and Control (C&C) protocol referred to as transport_http, an expression typically used by Russian-speaking threat actors such as Turla. This linguistic hint, along with the group's sophisticated tactics, suggests that the developers behind MoustachedBouncer may be Russian speakers. Furthermore, the group utilizes a C# developed dropper named SharpDisco to issue HTTP redirections, further enhancing their ability to control and monitor targeted systems. There are indications of a potential link between MoustachedBouncer and another threat actor known as Winter Vivern, although this connection is currently assessed with low confidence. The GoldenHowl malware, associated with these groups, underscores the danger of these attacks, capable of infiltrating even highly secure systems via USB-based methods. As MoustachedBouncer continues to exploit access to Belarus ISPs for espionage purposes, it remains a significant cybersecurity concern.
Description last updated: 2024-10-17T12:37:34.134Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
AITM
Windows
Apt
Espionage
Belarus
Eset
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The NightClub Malware is associated with MoustachedBouncer. The NightClub is a malware framework used by MoustachedBouncer, named so because it contains a C++ class called 'nightclub.' This malicious software is designed to exploit and damage victims' computer systems or devices without their knowledge. It can infiltrate systems through suspicious downloads,Unspecified
2
The malware SharpDisco is associated with MoustachedBouncer. is related to
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Turla Threat Actor is associated with MoustachedBouncer. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (is related to
3
The Goldenhowl Threat Actor is associated with MoustachedBouncer. GoldenHowl is a sophisticated threat actor known for its diverse set of malicious capabilities. Identified as part of a broader campaign alongside GoldenDealer and GoldenRobo, this modular backdoor showcases various functionalities that pose significant threats to compromised systems. Its primary fuUnspecified
2
Source Document References
Information about the MoustachedBouncer Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more