S1089: SharpDisco
SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020 to load malicious plugins.[1]
Analyst context for executives and security teams
SharpDisco matters because it is a Windows C# dropper associated in ATT&CK with loading malicious plugins, not just a standalone malware name. For leaders, the practical risk is that a dropper can be an entry point for follow-on collection, discovery, persistence, command-and-control, tool transfer, and exfiltration behaviors. ATT&CK links it to MoustachedBouncer, a cyberespionage group described as targeting foreign embassies in Belarus, so relevance is highest for organizations with diplomatic, government, regional, or high-sensitivity operations connected to that threat context.
Executive priority
Treat this as a readiness and evidence question: can the organization prove it would see a suspicious Windows dropper progressing into scheduled-task persistence, command-shell execution, file and storage discovery, plugin/tool transfer, and exfiltration over an existing C2 channel? Because MITRE provides no official detection guidance for SharpDisco, leaders should prioritize validation of endpoint, network, and incident-response evidence rather than assuming named-malware coverage exists.
Technical view
SharpDisco is documented as Windows malware and a C# dropper used to load malicious plugins. ATT&CK relationships tie it to Windows Scheduled Task, Windows Command Shell, Native API, Hidden Window, discovery of files/directories, peripherals, and local storage, ingress tool transfer, file-transfer-protocol C2, local data collection, and exfiltration over C2. SOC and IR teams should validate behavior-based visibility across that chain, with special attention to Windows hosts where scheduled tasks, command execution, unusual file enumeration, plugin-like payload loading, and outbound transfer activity occur together.
Likely telemetry
- Windows process creation and command-line telemetry, especially cmd.exe and child-process relationships
- Windows scheduled task creation, modification, and execution events
- Endpoint file-system telemetry for broad file, directory, local storage, and sensitive data access
- Endpoint telemetry for C#/.NET execution patterns and suspicious loading of additional components or plugins
- API-level or EDR telemetry related to process, memory, window, and execution behavior
Detection direction
- Build detections around behavior combinations rather than the SharpDisco name alone, because ATT&CK supplies no official detection text.
- Correlate scheduled-task activity with command-shell execution, hidden-window-style execution, new files or plugins, and outbound network transfer behavior.
- Tune discovery detections for unusual or high-volume file, directory, drive, peripheral, or storage enumeration from non-administrative or unexpected processes.
- Review outbound file-transfer and C2-like traffic in context of endpoint activity to distinguish legitimate administration from suspicious tool transfer or exfiltration over the same channel.
- Prioritize Windows endpoint coverage; related ATT&CK techniques list multiple platforms, but this malware object is specified for Windows.
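As an added example (not code from the page, MITRE, or ESET), the correlation described above applied to constructed sample events: a scheduled task whose action touches an SMB share (T1053.005), `cmd.exe` redirecting output to a share (T1059.003), and execution from the `C:\Users\Public` drop location named in the techniques table. The event field names and the host/share values are assumptions standing in for whatever a SIEM normalizes.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the page or the ESET report): normalized
# Windows events as a SIEM might present them. ws01 shows the co-occurring chain,
# ws02 shows ordinary administrative activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "task_created", "task": "\\SysUpdate",
     "action": r"cmd.exe /c \\srv01\share\in.bat > \\srv01\share\out.txt"},
    {"host": "ws01", "event": "process_created", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\Public\WinSrcNT\It11.exe",
     "cmdline": r"cmd.exe /c dir /s C:\Users > \\srv01\share\out.txt"},
    {"host": "ws02", "event": "task_created", "task": "\\Backup",
     "action": r"C:\Program Files\Backup\backup.exe /daily"},
    {"host": "ws02", "event": "process_created", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c ipconfig /all"},
]

UNC_PATH = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")          # \\server\share
PUBLIC_DIR = re.compile(r"^C:\\Users\\Public\\", re.I)   # drop location from the techniques table
IS_CMD = re.compile(r"(^|\\)cmd\.exe$", re.I)

def indicators_for(event):
    """Map one event to the behaviour labels it exhibits (empty set if benign)."""
    found = set()
    if event["event"] == "task_created" and UNC_PATH.search(event["action"]):
        found.add("task_unc")                # T1053.005: task action references an SMB share
    if event["event"] == "process_created":
        if IS_CMD.search(event["image"]) and UNC_PATH.search(event["cmdline"]):
            found.add("shell_unc")           # T1059.003: cmd.exe sending output to a share
        if PUBLIC_DIR.match(event["parent"]) or PUBLIC_DIR.match(event["image"]):
            found.add("public_dir_exec")     # execution from C:\Users\Public (plugin drop path)
    return found

def correlate(events, min_behaviours=2):
    """Union the behaviour labels per host and flag hosts where several co-occur."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= indicators_for(ev)
    return {h: sorted(b) for h, b in per_host.items() if len(b) >= min_behaviours}

if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: review scheduled tasks and process tree ({', '.join(behaviours)})")
```

A single label on its own (a backup task writing to a share, for instance) stays below the threshold, which is the point of correlating the chain rather than alerting on any one behaviour.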
Mitigation priorities
- First confirm Windows endpoint logging and EDR coverage for process execution, scheduled tasks, file access, and network connections.
- Restrict and monitor scheduled task creation and command-shell use, especially where not required for business operations.
- Limit unnecessary outbound file-transfer protocols and inspect egress paths used for command-and-control or data movement.
- Apply least privilege and application control principles to keep unauthorized droppers, plugins, and transferred tools from executing.
- Prepare IR playbooks to collect scheduled-task data, process trees, dropped files, plugin artifacts, and network session evidence from suspected Windows hosts.
Analyst notes and limits
The decision value is in validating coverage across the behaviors SharpDisco is related to in ATT&CK: execution, persistence via scheduled tasks, discovery, collection, command-and-control, ingress tool transfer, and exfiltration. The group relationship to MoustachedBouncer provides useful prioritization context, particularly for diplomatic targets, but should not be treated as evidence of compromise in any specific environment.
MITRE provides no official detection guidance, no aliases, no ATT&CK tactics directly on the malware object, and only Windows as the malware platform. Several related techniques have broader platform lists, but platform claims for SharpDisco should remain Windows-focused. Local environment telemetry, baselines, and incident evidence are required to determine exposure or activity.
SharpDisco
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | SharpDisco can create scheduled tasks to execute reverse shells that read and write data to and from specified SMB shares.[1] |
| Enterprise | T1564.003 | Hidden Window (sub-technique) | SharpDisco can hide windows using `ProcessWindowStyle.Hidden`.[1] |
| Enterprise | T1005 | Data from Local System | SharpDisco has dropped a recent-files stealer plugin to `C:\Users\Public\WinSrcNT\It11.exe`.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SharpDisco can load a plugin to exfiltrate stolen files to SMB shares also used in C2.[1] |
| Enterprise | T1071.002 | File Transfer Protocols (sub-technique) | SharpDisco has the ability to transfer data between SMB shares.[1] |
| Enterprise | T1680 | Local Storage Discovery | SharpDisco can use a plugin to enumerate system drives.[1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | SharpDisco can use `cmd.exe` to execute plugins and to send command output to specified SMB shares.[1] |
| Enterprise | T1106 | Native API | SharpDisco can leverage Native APIs through plugins including `GetLogicalDrives`.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | SharpDisco has dropped a plugin to monitor external drives to `C:\Users\Public\It3.exe`.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | SharpDisco has been used to download a Python interpreter to `C:\Users\Public\WinTN\WinTN.exe` as well as other plugins from external sources.[1] |
| Enterprise | T1083 | File and Directory Discovery | SharpDisco can identify recently opened files by using an LNK format parser to extract the original file path from LNK files found in either `%USERPROFILE%\Recent` (Windows XP) or `%APPDATA%\Microsoft\Windows\Recent` (newer Windows versions).[1] |
Groups, software, and campaigns
G1019: MoustachedBouncer
MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1a262e97cbc8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MoustachedBouncer ESET August 2023. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
[2] mitre-attack S1089 (MITRE ATT&CK source object for SharpDisco).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.