S1090: NightClub
NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least 2014.[1]
Analyst context for executives and security teams
NightClub matters because ATT&CK describes it as a Windows modular C++ implant whose relationship mappings tie it to long-running espionage activity. The practical concern is not a single exploit but post-compromise capability: discovery, collection, credential capture via keylogging, local staging, command-and-control over DNS or mail protocols, and exfiltration over the C2 channel. For leaders, this is a coverage question: can the organization prove it would see a Windows implant behaving quietly across the endpoint, registry, service, file, and network layers?
Executive priority
Prioritize NightClub as an espionage-style readiness test for Windows estates, especially where sensitive communications, diplomatic, regulated, or executive data are present. Because the ATT&CK object has no official detection guidance, leadership should ask for evidence of telemetry coverage and response procedures rather than assume tool coverage. This supports business continuity, compliance evidence, and incident decision-making by validating whether the SOC can detect collection, persistence, stealth, and unusual DNS/mail-based outbound activity before data leaves the environment.
Technical view
NightClub is listed as Windows malware, while its mapped behaviors include collection, discovery, command-and-control, exfiltration, persistence, privilege escalation, and defense evasion techniques. SOC and IR teams should validate detections around Windows service creation or modification, registry modification, process and file discovery, local data staging, suspicious file naming or locations, timestamp manipulation, tool transfer, keylogging indicators, screen/audio capture, and anomalous DNS or mail-protocol communications. The relationship to MoustachedBouncer provides threat-intelligence context, but local detection should be behavior-led because ATT&CK does not provide NightClub-specific detection logic.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows service creation, modification, and service configuration records
- Windows Registry modification telemetry
- File creation, rename, placement, metadata, and timestamp-change evidence
- Endpoint alerts or logs for keylogging, screen capture, audio capture, and peripheral interaction where available
Detection direction
- Do not rely on a NightClub signature alone; ATT&CK supplies no official detection text, so validate behavior-based coverage across the mapped techniques.
- Tune Windows service and registry detections to separate legitimate administration from unusual new services, modified service paths, suspicious descriptions, or persistence-like changes.
- Correlate discovery activity with later collection, staging, and outbound traffic rather than alerting on single benign commands in isolation.
- Review blind spots in DNS and mail-protocol monitoring, since these protocols are mapped as possible C2 channels and are often broadly allowed.
- Look for stealth context such as timestomping, masqueraded service names, or files placed/named to resemble legitimate resources.
Mitigation priorities
- Confirm complete Windows endpoint logging and retention for process, service, registry, file, and network events before tuning advanced analytics.
- Harden persistence paths by limiting who can create or modify Windows services and sensitive Registry locations.
- Apply least privilege and administrative access controls to reduce the value of registry, service, and local data access.
- Restrict and monitor outbound DNS and mail-protocol usage according to business need; investigate hosts that generate unusual protocol patterns.
- Use application control or allowlisting where feasible to reduce execution of unauthorized implants or transferred tools.
Analyst notes and limits
The supplied ATT&CK record identifies NightClub as a Windows modular implant written in C++ and used by MoustachedBouncer since at least 2014. Relationship mappings provide the most useful defensive context, showing behaviors across collection, discovery, C2, exfiltration, stealth, persistence, and registry/service activity. The associated group description notes cyberespionage activity targeting foreign embassies in Belarus, but this should be treated as context from ATT&CK, not as evidence of local targeting.
ATT&CK provides no official detection guidance, no aliases, no explicit tactics on the malware object, and no environment-specific indicators here. This take therefore focuses on behavior and control validation rather than confirmed detection logic, active exploitation, or customer exposure. Local asset inventory, logging architecture, DNS/mail routing, endpoint control configuration, and incident evidence are required to determine actual risk and coverage.
NightClub
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1543.003 | Windows Service Sub-technique | NightClub has created a Windows service named `WmdmPmSp` to establish persistence.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | NightClub can use SMTP and DNS for file exfiltration and C2.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | NightClub has chosen file names to appear legitimate, including `EsetUpdate-0117583943.exe` for its dropper.[1] |
| Enterprise | T1005 | Data from Local System | NightClub can use a file monitor to steal specific files from targeted systems.[1] |
| Enterprise | T1106 | Native API | NightClub can use multiple native APIs including `GetKeyState`, `GetForegroundWindow`, `GetWindowThreadProcessId`, and `GetKeyboardLayout`.[1] |
| Enterprise | T1083 | File and Directory Discovery | NightClub can use a file monitor to identify .lnk, .doc, .docx, .xls, .xslx, and .pdf files.[1] |
| Enterprise | T1071.004 | DNS Sub-technique | NightClub can use a DNS tunneling plugin to exfiltrate data by adding it to the subdomain portion of a DNS request.[1] |
| Enterprise | T1070.006 | Timestomp Sub-technique | NightClub can modify the Creation, Access, and Write timestamps of malicious DLLs to match those of the genuine Windows DLL user32.dll.[1] |
| Enterprise | T1132.002 | Non-Standard Encoding Sub-technique | NightClub has used a non-standard encoding in DNS tunneling: it removes any `=` from the result of base64 encoding and replaces `/` characters with `-s` and `+` characters with `-p`.[1] |
| Enterprise | T1071.003 | Mail Protocols Sub-technique | NightClub can use emails for C2 communications.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | NightClub has created a service named `WmdmPmSp` to spoof a Windows Media service.[1] |
| Enterprise | T1010 | Application Window Discovery | NightClub can use `GetForegroundWindow` to enumerate the active window.[1] |
| Enterprise | T1056.001 | Keylogging Sub-technique | NightClub can use a plugin for keylogging.[1] |
| Enterprise | T1113 | Screen Capture | NightClub can load a module that calls `CreateCompatibleDC` and `GdipSaveImageToStream` for screen capture.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | NightClub can load multiple additional plugins on an infected host.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | NightClub can obfuscate strings using a linear congruential generator (LCG): `state[n+1] = (690069 * state[n] + 1) mod 2^32`.[1] |
| Enterprise | T1057 | Process Discovery | NightClub has the ability to use `GetWindowThreadProcessId` to identify the process behind a specified window.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | NightClub has the ability to monitor removable drives.[1] |
| Enterprise | T1123 | Audio Capture | NightClub can load a module that leverages the LAME encoder and `mciSendStringW` to control and capture audio.[1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | NightClub has copied captured files and keystrokes to the `%TEMP%` directory of compromised hosts.[1] |
| Enterprise | T1112 | Modify Registry | NightClub can modify the Registry to set the ServiceDLL for a service created by the malware for persistence.[1] |
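A defender-side decoder and hunting check for the DNS tunneling encoding described in the T1132.002 and T1071.004 rows, added here as an example and not taken from the ATT&CK record or the ESET report: it joins the labels left of the registrable domain, filters on length and entropy, then tries to reverse the `-s`/`-p` substitutions and the dropped padding. The query names, payload bytes and thresholds are constructed; the "last two labels" rule for the registrable domain is a simplifying assumption.

```python
import base64
import binascii
import math
from collections import Counter

# Constructed DNS query names (not real NightClub traffic). Only the first
# carries a payload, split across two labels in the encoding from the table.
SAMPLE_QUERIES = [
    "cmVwb3J0LmRvY3g-s.MTI-paGk.example.net",
    "www.example.net",
    "cdn.static.example.net",
    "k3s-node-01.cluster.example.net",
]

def decode_nightclub_label(label: str) -> bytes:
    """Reverse the variant ('-s' -> '/', '-p' -> '+'), restore '=' padding,
    then base64-decode. Every '-' comes from one of the two substitutions,
    so the sequential replacements are unambiguous."""
    restored = label.replace("-s", "/").replace("-p", "+")
    if len(restored) % 4 == 1:  # no base64 string has this length
        raise ValueError("impossible base64 length")
    restored += "=" * (-len(restored) % 4)
    return base64.b64decode(restored, validate=True)

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score higher than hostnames."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def payload_from_query(qname: str, min_len: int = 16, min_entropy: float = 3.5):
    """Return (joined subdomain, decoded bytes) when the labels left of the
    registrable domain look like a NightClub-style payload, else None.
    Assumes the registrable domain is the last two labels (simplification)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return None
    sub = "".join(labels[:-2])  # tunnels split one payload across labels
    if len(sub) < min_len or shannon_entropy(sub) < min_entropy:
        return None
    try:
        return sub, decode_nightclub_label(sub)
    except (ValueError, binascii.Error):  # not this encoding
        return None

def scan_queries(queries):
    """Hunt over query names; returns [(qname, decoded_bytes), ...]."""
    hits = [(q, payload_from_query(q)) for q in queries]
    return [(q, found[1]) for q, found in hits if found]
```

Feed `scan_queries` the query-name column of a DNS log export; hits are candidates for review, not verdicts, since any high-entropy base64-alphabet subdomain of sufficient length will also decode.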
Groups, software, and campaigns
G1019: MoustachedBouncer
MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9a6bcfdfc1f5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MoustachedBouncer ESET August 2023. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
[2] mitre-attack S1090.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.