>samit_hota
Back to adversary profiles
G1019HighActive

MoustachedBouncer (G1019) Threat Profile: Belarusian Cyberespionage Group

Samit Hota·
Suspected Origin
Belarus
Motivation
Espionage
Aliases
None documented
Target Sectors
Government (Diplomatic)
Associated Malware
NightClub, Disco, SharpDisco
#threat-actor#g1019

Overview

MoustachedBouncer (G1019) is a cyberespionage group that has been actively targeting foreign embassies in Belarus since at least 2014. First publicly detailed by ESET Research in August 2023, the group is assessed with medium confidence to be aligned with the interests of the Belarusian government. This alignment is strongly suggested by their operational focus and the sophisticated adversary-in-the-middle (AitM) techniques employed, which likely leverage lawful interception capabilities at the internet service provider (ISP) level within Belarus. The group’s primary motivation is espionage, focusing specifically on collecting intelligence from diplomatic missions.

MoustachedBouncer primarily targets foreign embassies located within Belarus. While specific victim identities are not always disclosed, ESET has identified at least four countries whose embassy staff have been targeted, including two from Europe, one from South Asia, and one from Africa. The consistent targeting of diplomatic entities underscores the group’s state-sponsored nature and its clear mandate for intelligence gathering.

Tactics & Techniques

MoustachedBouncer’s operational methodology demonstrates a clear evolution, with a significant shift in tactics observed around 2020. Prior to this, their initial compromise methods are less clear, though an early NightClub dropper was observed in 2014. Since 2020, the group has most notably leveraged sophisticated adversary-in-the-middle (AitM) attacks, likely conducted at the ISP level within Belarus. This technique involves tampering with the victims’ internet access to manipulate Windows into believing it is behind a captive portal. Network traffic destined for specific IP ranges—presumably those associated with targeted embassies—is then redirected to a fake Windows Update page, which serves as a delivery mechanism for their malware.

The success of these ISP-level AitM attacks is attributed to MoustachedBouncer’s probable access to, or cooperation with, a lawful interception system, such as Belarus’s System of Operative-Investigative Measures (SORM), which mandates ISPs to install interception devices. This infrastructure allows for the selective redirection of traffic, ensuring that the AitM technique is only deployed against specific, high-value targets rather than broadly across the country. ESET researchers have even named specific Belarusian ISPs, Unitary Enterprise A1 and Beltelecom, as potentially involved in these operations.

Upon redirection, the fake Windows Update page prompts victims to download what appears to be a legitimate update package (often a zip archive with a filename like MicrosoftUpdate845255.exe). The victims are then socially engineered to manually extract the archive and launch a manifest executable. The group is aware of user interaction, with warning messages displayed on startup until the “fake updates” are installed, essentially coercing users into installation over time.

MoustachedBouncer also employs various techniques for execution and defense evasion. They utilize plugins to execute PowerShell scripts and JavaScript for malware delivery hosted on HTML pages. For privilege escalation, they have exploited vulnerabilities such as CVE-2021-1732. Their malware plugins are sometimes packed with Themida to complicate analysis and detection.

For command and control (C2), the group employs diverse methods. Their older NightClub implant primarily uses standard email protocols like SMTP and IMAP for C2 communications, often leveraging free email services such as Seznam.cz and Mail.ru. The operators are believed to create their own accounts for this purpose rather than compromising legitimate ones. Some NightClub plugins have also demonstrated DNS tunneling for C2. In contrast, the newer Disco implant, designed for AitM scenarios, utilizes network interception at the ISP level for its C2 communications. Additionally, the SMB protocol is used for delivering additional executables or plugins once initial compromise via the fake Windows Update page has occurred. For data exfiltration, MoustachedBouncer’s implants are equipped with capabilities for file stealing, screenshotting, and audio recording.

Notable Campaigns

MoustachedBouncer has maintained consistent activity since 2014, evolving its tactics over time. ESET’s monitoring of the group began in 2018 when one of its clients, a European embassy in Belarus, was targeted. A notable resurgence in activity occurred in February 2022, just four days prior to Russia’s full-scale invasion of Ukraine, when MoustachedBouncer targeted the Belarusian embassy of a European country involved in the conflict.

While MoustachedBouncer is tracked as a distinct entity, ESET has assessed with low confidence that the group may be closely cooperating with Winter Vivern, another espionage group known for targeting European diplomats. Despite having different tactics, techniques, and procedures (TTPs) and toolsets, some common C2 infrastructure features suggest a potential “weak link” or collaboration between the two groups. Winter Vivern, for instance, has been observed exploiting an XSS vulnerability (CVE-2022-27926) in the Zimbra mail portal to steal webmail credentials of diplomats in various European and Asian countries. This highlights the broader threat landscape in which MoustachedBouncer operates, potentially leveraging or sharing resources with other state-aligned actors. The AitM techniques employed by MoustachedBouncer also bear a resemblance to those used by more established threat actors like Turla and StrongPity.

Associated Malware & Tools

MoustachedBouncer utilizes two primary, parallel malware frameworks: NightClub and Disco, along with several associated plugins and components.

NightClub is the older of the two frameworks, active since 2014. Initially a simple backdoor, it has evolved into a fully modular C++ implant. NightClub’s C2 communications predominantly rely on email protocols such as SMTP and IMAP. It is equipped with modular plugins that enable a range of spying capabilities, including capturing screenshots, recording audio, and stealing files. Specifically, NightClub is configured to exfiltrate documents with extensions like .doc, .docx, .xls, .xlsx, and .pdf. This framework is typically deployed when ISP-level traffic interception, such as through an AitM attack, is not feasible, for example, if the victim is using an end-to-end encrypted VPN that routes traffic outside of Belarus.

Disco emerged around 2020, coinciding with the group’s adoption of AitM attacks. This framework comprises simpler tools, developed using .NET and Go, and is specifically designed to operate in conjunction with their ISP-level interception tactics. Like NightClub, Disco also supports various spying plugins to facilitate data exfiltration. A C# dropper named SharpDisco is used for HTTP redirection during AitM operations.

The shared plugins across both frameworks allow for consistent intelligence gathering. These plugins include:

  • Screenshotter: Captures screenshots of the compromised system, often saving them to .\AActdata\ on an SMB share.
  • Audio Recorder: Records audio from the compromised system’s microphone.
  • File Stealer: Identifies and exfiltrates files of interest, with a focus on documents.

MoustachedBouncer has also been observed using a reverse proxy tool similar to the GitHub repository revsocks, and its malware incorporates hardcoded, encrypted configuration data.

Current Status

MoustachedBouncer remains an active threat actor. The most recent public reporting from ESET in August 2023 confirms their ongoing operations, indicating a sustained cyberespionage campaign targeting diplomatic entities in Belarus. The group’s ability to evolve its TTPs, particularly with the integration of ISP-level AitM attacks, demonstrates a high level of sophistication and persistent operational capability. Organizations, particularly foreign embassies operating in Belarus, should remain vigilant and implement robust security measures, including comprehensive endpoint protection and the consistent use of end-to-end encrypted VPNs to route all internet traffic outside potentially compromised networks.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call