{
	"id": "3959dcfc-29fb-42d6-9db6-14218726ee7a",
	"created_at": "2026-04-06T00:16:05.208689Z",
	"updated_at": "2026-04-10T03:33:36.314616Z",
	"deleted_at": null,
	"sha1_hash": "49c87716cede73f9944324aa862332183aaa4fe1",
	"title": "MoustachedBouncer: Espionage against foreign diplomats in Belarus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1062658,
	"plain_text": "MoustachedBouncer: Espionage against foreign diplomats in Belarus\r\nBy Matthieu Faou\r\nArchived: 2026-04-05 13:09:04 UTC\r\nMoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in this blogpost.\r\nThe group has been active since at least 2014 and only targets foreign embassies in Belarus. Since 2020,\r\nMoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within\r\nBelarus, in order to compromise its targets. The group uses two separate toolsets that we have named NightClub and Disco.\r\nKey points of this report:\r\nMoustachedBouncer has been operating since at least 2014.\r\nWe assess with medium confidence that they are aligned with Belarus's interests.\r\nMoustachedBouncer specializes in the espionage of foreign embassies in Belarus.\r\nMoustachedBouncer has used the adversary-in-the-middle technique since 2020 to redirect captive portal\r\nchecks to a C\u0026C server and deliver malware plugins via SMB shares.\r\nWe believe that MoustachedBouncer uses a lawful interception system (such as SORM) to conduct its AitM\r\noperations.\r\nWe assess with low confidence that MoustachedBouncer is closely cooperating with Winter Vivern, another\r\ngroup targeting European diplomats but using different TTPs.\r\nSince 2014, the group has been operating a malware framework that we have named NightClub. It uses the\r\nSMTP and IMAP (email) protocols for C\u0026C communications.\r\nStarting in 2020, the group has been using, in parallel, a second malware framework we have named\r\nDisco.\r\nBoth NightClub and Disco support additional spying plugins including a screenshotter, an audio recorder,\r\nand a file stealer.\r\nThe group's intricate tactics, techniques and procedures were also discussed on the ESET Research Podcast. 
Just\r\npress play to learn more from ESET's Director of Threat Research Jean-Ian Boutin and ESET Distinguished\r\nResearcher Aryeh Goretsky. \r\nVictimology\r\nAccording to ESET telemetry, the group targets foreign embassies in Belarus, and we have identified four different countries\r\nwhose embassy staff have been targeted: two from Europe, one from South Asia, and one from Africa. The key dates are\r\nshown in Figure 1.\r\nFigure 1. Timeline of MoustachedBouncer activities\r\nAttribution\r\nhttps://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/\r\nPage 1 of 25\n\nWhile we track MoustachedBouncer as a separate group, we have found elements that make us assess with low confidence\r\nthat they are closely collaborating with another group known as Winter Vivern. The latter was discovered in 2021 and is still\r\nactive as of 2023. In March 2023, Winter Vivern used a known XSS vulnerability (CVE-2022-27926) in the Zimbra mail\r\nportal in order to steal webmail credentials of diplomats of several European countries. This campaign was publicly\r\ndisclosed by Proofpoint researchers.\r\nMoustachedBouncer’s activity spans from 2014 to 2022 and the TTPs of the group have evolved over time. For example, we\r\nhave first seen them use AitM attacks only in 2020. However, the targeted vertical has stayed the same.\r\nTable 1 shows the characteristics of each campaign. Given these elements, we assess with high confidence that they are all\r\nlinked to MoustachedBouncer.\r\nTable 1. Connections between the MoustachedBouncer campaigns\r\nVirusTotal\r\n(2014)\r\nVictim A\r\n(2017)\r\nVictim B\r\n (2020-\r\n2022)\r\nVictim C\r\n(2020-\r\n2022)\r\nVictim D\r\n(2021-\r\n2022)\r\nNightClub implant X X X\r\nNightClub plugins X X X\r\nDisco implant X X\r\nSharpDisco dropper X\r\nCompromise via AitM ? ? ? ? X\r\nMalware delivery via AitM on SMB\r\nshares\r\nX X\r\nVictims: foreign embassies in Belarus ? 
X X X X\r\nCompromise vector: AitM\r\nIn this section, we detail the initial access for Disco. We don’t yet know the initial access method MoustachedBouncer uses\r\nto install NightClub.\r\nFake Windows Update\r\nTo compromise their targets, MoustachedBouncer operators tamper with their victims’ internet access, probably at the ISP\r\nlevel, to make Windows believe it’s behind a captive portal. Windows 10 checks whether it’s able to access the internet with\r\nan HTTP request to http://www.msftconnecttest.com/connecttest.txt. In case the answer is not Microsoft Connect Test, a\r\nbrowser window is opened to http://www.msftconnecttest.com/redirect. For IP ranges targeted by MoustachedBouncer, the\r\nnetwork traffic is tampered with at the ISP level, and the latter URL redirects to a seemingly legitimate, but fake, Windows\r\nUpdate URL, http://updates.microsoft[.]com/. Hence, the fake Windows Update page will be displayed to a potential victim\r\nupon network connection. The fake update page is shown in Figure 2. The text we observed is in Russian, most likely\r\nbecause that is the main language used in Belarus, but it is possible that versions in other languages exist. The page indicates\r\nthat there are critical system security updates that must be installed.\r\nFigure 2. Fake Windows Update page\r\nNote that it is using unencrypted HTTP and not HTTPS, and that the updates.microsoft[.]com subdomain does not exist on\r\nMicrosoft’s nameservers, so it does not resolve on the open internet. During the attack, this domain resolved to\r\n5.45.121[.]106 on the target’s machine. This IP address is used for parking domains and is unrelated to Microsoft. Although\r\nthis is an internet-routable IP address, traffic to this IP never reaches the internet while the AitM attack is ongoing. 
Both the\r\nDNS resolutions and the HTTP replies were injected in transit, probably at the ISP level.\r\nAn important point is that the adversary-in-the-middle (AitM) technique only occurs against a few selected organizations\r\n(perhaps just embassies), not countrywide. It is not possible to reproduce the redirection by simply exiting from a random IP\r\naddress in Belarus.\r\nMalware delivery\r\nThe HTML page, shown in Figure 2, loads JavaScript code from http://updates.microsoft[.]com/jdrop.js. This script first\r\ncalls setTimeout to execute the function jdrop one second after the page has loaded. That function (see Figure 3) displays a\r\nmodal window with a button named Получить обновления (translation: Get updates).\r\nFigure 3. jdrop function\r\nA click on the button executes the update function, shown in Figure 4.\r\nFigure 4. update function\r\nThis function triggers the download of a fake Windows Update installer from the legitimate-seeming URL\r\nhttp://updates.microsoft[.]com/MicrosoftUpdate845255.zip. It also displays some instructions to install the update: Для\r\nустановки обновлений, скачайте и запустите \"MicrosoftUpdate845255.msi\". (translation: To install updates, download\r\nand run \"MicrosoftUpdate845255.msi\").\r\nWe were unable to retrieve the downloaded MicrosoftUpdate845255.zip file, but our telemetry shows it contains a malicious\r\nexecutable named MicrosoftUpdate845255.exe.\r\nWritten in Go, it creates a scheduled task that executes \\\\35.214.56[.]2\\OfficeBroker\\OfficeBroker.exe every minute. As\r\nthe path suggests, it fetches the executable via SMB from 35.214.56[.]2. 
This IP address belongs to a Google Cloud\r\ncustomer, but just like the HTTP server, we believe that SMB replies are injected on the fly via AitM and that the attackers\r\ndon’t control the actual internet-routable IP address.\r\nWe have also observed the following SMB servers, intercepted via AitM:\r\n\\\\209.19.37[.]184\r\n\\\\38.9.8[.]78\r\n\\\\59.6.8[.]25\r\nWe have observed this behavior in two separate ISP networks: Unitary Enterprise A1 and Beltelecom. This suggests that\r\nthose ISPs may not provide full data confidentiality and integrity. We strongly recommend that foreign organizations in\r\nBelarus use an end-to-end encrypted VPN tunnel, ideally out-of-band (i.e., not from the endpoint), providing internet\r\nconnectivity from a trusted network.\r\nFigure 5 depicts our hypothesis about the compromise vector and the traffic interception.\r\nFigure 5. Compromise via AitM scenario\r\nAitM – General thoughts\r\nThe AitM scenario reminds us of the Turla and StrongPity threat actors who have trojanized software installers on the fly at\r\nthe ISP level. \r\nUsually, this initial access method is used by threat actors operating in their own country because it requires significant\r\naccess inside the internet service providers, or their upstream providers. In many countries, security services are allowed to\r\nperform so-called “lawful interception” using special devices installed on the ISPs’ premises.\r\nIn Russia, a law from 2014 requires ISPs to install devices called SORM-3 that enable the Federal Security Service (FSB) to\r\nconduct targeted surveillance. The devices have deep packet inspection (DPI) capabilities and were likely used by Turla in\r\nits Mosquito campaign.\r\nIn 2018, the Citizen Lab revealed that DPI devices developed by the Canadian company Sandvine were used to modify\r\nHTTP traffic in Turkey and Egypt. 
In Turkey, the devices were allegedly used to redirect internet users to a malicious server\r\nwhen they tried to download certain Windows applications, which is in line with StrongPity activities. In Egypt, those\r\ndevices were allegedly used to inject ads and cryptocurrency mining scripts in order to generate money.\r\nIn 2020, a Bloomberg article revealed that Belarus’s National Traffic Exchange Center bought the same Sandvine DPI\r\nequipment, but according to a Cyberscoop article the contract was cancelled in September 2020.\r\nAccording to a report by Amnesty International published in 2021, “Under Belarusian law, all telecommunications providers\r\nin the country must make their hardware compatible with the SORM system”. They also state that “The SORM system\r\nallows the authorities direct, remote-control access to all user communications and associated data without notifying the\r\nprovider”. We assess with low confidence that MoustachedBouncer uses this SORM system to conduct its operations.\r\nWhile the compromise of routers in order to conduct AitM on embassy networks cannot be fully discarded, the presence of\r\nlawful interception capabilities in Belarus suggests the traffic mangling is happening at the ISP level rather than on the\r\ntargets’ routers.\r\nImplants: NightClub and Disco\r\nSince 2014, the malware families used by MoustachedBouncer have evolved, and a big change happened in 2020 when the\r\ngroup started to use AitM attacks. At the same time, it started to use much simpler tools developed in .NET and Go. 
In\r\nreference to NightClub, we named this new toolset Disco.\r\nMoustachedBouncer operates the two implant families in parallel, but on a given machine, only one is deployed at a time.\r\nWe believe that Disco is used in conjunction with AitM attacks while NightClub is used for victims where traffic\r\ninterception at the ISP level isn’t possible because of a mitigation such as the use of an end-to-end encrypted VPN where\r\ninternet traffic is routed outside of Belarus.\r\nDisco\r\nAs mentioned in the previous section, a fake Windows Update page delivers the first stage (SHA-1:\r\nE65EB4467DDB1C99B09AE87BA0A964C36BAB4C30). This is a simple dropper written in Go that creates a scheduled\r\ntask to execute \\\\35.214.56[.]2\\OfficeBroker\\OfficeBroker.exe every minute. OfficeBroker.exe is downloaded over the SMB\r\nprotocol via AitM attack. The dropper’s main function is shown in Figure 6.\r\nFigure 6. Main function of the Go dropper\r\nFinally, the dropper does a DNS query for windows.system.update[.]com. This domain does not exist but the DNS request is\r\nprobably intercepted via AitM, and is likely a beacon to notify the operators that the machine has been successfully\r\ncompromised.\r\nWe were unable to retrieve the OfficeBroker.exe file, but it is very likely that it acts as a downloader, since we have\r\nobserved further plugins being executed from SMB shares. The plugins are developed in Go and are rather simple because\r\nthey mostly rely on external Go libraries. Table 2 summarizes the different plugins.\r\nTable 2. 
Go plugins used by MoustachedBouncer in 2021–2022\r\nDownload URL / Path on disk Description\r\n\\\\209.19.37[.]184\\driverpack\\aact.exe\r\nTakes screenshots using the kbinani/screenshot library.\r\nScreenshots are saved in .\\AActdata\\\u003cd\u003e_\u003cs\u003e.dat (on the\r\nSMB share) where \u003cd\u003e is the active display number and\r\n\u003cs\u003e the date. It sleeps 15 seconds between each\r\nscreenshot.\r\nC:\\Users\\Public\\driverpack\\driverpackUpdate.exe\r\nExecutes PowerShell scripts with powershell.exe -NoProfile -NonInteractive \u003ccommand\u003e, where\r\n\u003ccommand\u003e is read from the file .\\idata. The output is\r\nwritten in .\\odata.\r\nC:\\Users\\Public\\driverpack\\sdrive.exe\r\nExecutes\r\nC:\\Users\\Public\\driverpack\\driverpackUpdate.exe (the\r\nplugin above) using elevated rights via CVE-2021-1732.\r\nThe code was likely inspired by a PoC on GitHub and\r\nuses the zydis code generation library.\r\n\\\\209.19.37[.]184\\driverpack\\officetelemetry.exe\r\nA reverse proxy strongly inspired by the GitHub\r\nrepository revsocks. We were unable to retrieve the\r\ncommand line parameters with the proxy IP address.\r\n\\\\38.9.8[.]78\\driverpack\\DPU.exe Another sample of the PowerShell plugin.\r\n%userprofile%\\appdata\\nod32update\\nod32update.exe Another sample of the reverse proxy plugin.\r\n\\\\59.6.8[.]25\\outlooksync\\outlooksync.exe\r\nTakes screenshots; it is similar to the first plugin. Images\r\nare saved in ./logs/${DATETIME}.dat.\r\n\\\\52.3.8[.]25\\oracle\\oracleTelemetry.exe Screenshot plugin packed with Themida.\r\nInterestingly, the plugins also use SMB shares for data exfiltration. There is no C\u0026C server outside the attackers’ premises\r\nto look at or to take down. There also seems to be no way to reach that C\u0026C server from the internet. 
This gives high\r\nresiliency to the attackers’ network infrastructure.\r\nSharpDisco and NightClub plugins\r\nIn January 2020 we observed a MoustachedBouncer dropper, which we named SharpDisco, being downloaded from\r\nhttps://mail.mfa.gov.\u003credacted\u003e/EdgeUpdate.exe by a Microsoft Edge process. It is not clear how attackers were able to\r\ntamper with HTTPS traffic, but it is possible an invalid TLS certificate warning was shown to the victim. Another possibility\r\nis that MoustachedBouncer compromised this governmental website.\r\nSharpDisco (SHA-1: A3AE82B19FEE2756D6354E85A094F1A4598314AB)\r\nSharpDisco is a dropper developed in C#. It displays a fake update window, shown in Figure 7, while creating two\r\nscheduled tasks in the background.\r\nFigure 7. Fake Microsoft Edge update window\r\nThese scheduled tasks are:\r\nWINCMDA.EXE and WINCMDB.EXE are probably just cmd.exe renamed. Every minute, the task reads what is in\r\n\\\\24.9.51[.]94\\EDGEUPDATE\\EDGEAIN (on the SMB share), pipes it to cmd.exe, and writes the output to\r\n\\\\24.9.51[.]94\\EDGEUPDATE\\EDGEAOUT. It is the same for the second task, but with the EDGEBIN and EDGEBOUT\r\nfiles. From a higher viewpoint, those tasks are reverse shells with a one-second latency.\r\nThen, as shown in Figure 8, the dropper sends a DNS request for an unregistered domain, edgeupdate-security-windows[.]com. This is similar to what the 2022 Disco dropper does.\r\nFigure 8. Dropper used in 2020\r\nESET telemetry shows that the reverse shell was used to drop a genuine Python interpreter in\r\nC:\\Users\\Public\\WinTN\\WinTN.exe. We then observed two plugins being dropped on disk by cmd.exe, which means they\r\nwere likely dropped by the reverse shell as well. 
The two plugins are:\r\nA recent-files stealer in C:\\Users\\Public\\WinSrcNT\\It11.exe\r\nAn external drive monitor in C:\\Users\\Public\\It3.exe\r\nIt is interesting to note that those plugins share code with NightClub (described in the section NightClub – 2017 (SHA-1:\r\nF92FE4DD679903F75ADE64DC8A20D46DFBD3B277) below). This allowed us to link the Disco and NightClub toolsets.\r\nRecent-files stealer (SHA-1: 0DAEA89F91A55F46D33C294CFE84EF06CE22E393)\r\nThis plugin is a Windows executable named It11.exe. We believe it was executed via the reverse shell mentioned above.\r\nThere is no persistence mechanism implemented in the plugin.\r\nIt gets the files recently opened on the machine by reading the content of the folder %USERPROFILE%\\Recent (on\r\nWindows XP) or of %APPDATA%\\Microsoft\\Windows\\Recent (in newer Windows versions). Those folders contain LNK\r\nfiles, each pointing to a recently opened file.\r\nThe plugin embeds its own LNK format parser in order to extract the path to the original file.\r\nWe were unable to make this plugin work, but static analysis shows that the files are exfiltrated to the SMB share\r\n\\\\24.9.51[.]94\\EDGEUPDATE\\update\\. The plugin maintains a list of already exfiltrated files, and their CRC-32 checksum,\r\nin %TEMP%\\index.dat. This likely avoids retransmitting the same file more than once.\r\nExternal drive monitor (SHA-1: 11CF38D971534D9B619581CEDC19319962F3B996)\r\nThis plugin is a Windows executable named It3.exe. As with the recent-files stealer, it doesn’t implement any persistence\r\nmechanism.\r\nThe plugin calls GetLogicalDrives in a loop to get a list of all connected drives, including removable ones such as USB\r\nkeys. Then, it does a raw copy of the NTFS volume of each removable drive and writes it in the current working directory,\r\nC:\\Users\\Public\\ in our example. 
The filename is a randomly generated string of six to eight alphanumeric characters, for\r\nexample heNNYwmY.\r\nIt maintains a log file in \u003cworking directory\u003e\\index.dat with the CRC-32 checksums of the copied disks.\r\nThe plugin doesn’t appear to have any exfiltration capabilities. It is likely that the staged drive dumps are later retrieved\r\nusing the reverse shell.\r\nNightClub\r\nSince 2014, MoustachedBouncer has been using a malware framework we named NightClub because it contains a C++ class\r\nnamed nightclub. We found samples from 2014, 2017, 2020, and 2022. This section describes the evolution of NightClub\r\nfrom a simple backdoor to a fully modular C++ implant.\r\nIn summary, NightClub is an implant family using emails for its C\u0026C communications. Since 2016, additional modules\r\ncould be delivered by email to extend its spying capabilities.\r\nNightClub – 2014\r\nThis is the oldest known version of NightClub. We found a dropper and an orchestrator.\r\nThe dropper (SHA-1: 0401EE7F3BC384734BF7E352C4C4BC372840C30D) is an executable named EsetUpdate-0117583943.exe, and it was uploaded to VirusTotal from Ukraine on 2014-11-19. We don’t know how it was distributed at\r\nthat time.\r\nThe main function, illustrated in Figure 9, loads the resource MEMORY and writes its content in\r\n%SystemRoot%\\System32\\creh.dll. It is stored in cleartext in the PE resource.\r\nFigure 9. Main function of the dropper\r\nThen, the dropper modifies the Creation, Access, and Write timestamps of creh.dll to those of the genuine Windows DLL\r\nuser32.dll.\r\nFinally, it creates a Windows service named WmdmPmSp and sets, in the registry, its ServiceDll to\r\n%SystemRoot%\\System32\\creh.dll – see Figure 10.\r\nFigure 10. 
Modification of the value ServiceDll\r\nThe previously dropped DLL, creh.dll (SHA-1: 5B55250CC0DA407201B5F042322CFDBF56041632) is the NightClub\r\norchestrator. It has a single export named ServiceMain and its PDB path is\r\nD:\\Programming\\Projects\\Work\\SwampThing\\Release\\Win32\\WorkingDll.pdb.\r\nIt is written in C++ and the names of some methods and classes are present in the RTTI data – see Figure 11.\r\nFigure 11. Method and class names from the RTTI data\r\nSome of the strings are encrypted using the following linear congruential generator (LCG): state_{n+1} = (690069 × state_n + 1)\r\nmod 2^32. For each encrypted string, a seed (state_0) between 0 and 255 is provided. To decrypt a string, state_n is\r\nsubtracted from each encrypted byte_n. An example of an encrypted string structure is shown in Figure 12.\r\nFigure 12. Encrypted string format\r\nA non-encrypted log file is present in C:\\Windows\\System32\\servdll.log. It contains very basic information about the\r\ninitialization of the orchestrator – see Figure 13.\r\nFigure 13. Log file\r\nNightClub has two main capabilities:\r\n• Monitoring files\r\n• Exfiltrating data via SMTP (email)\r\nFile monitor\r\nFunctionality implemented here is very close to that of the recent file monitor plugin seen in 2020 and described above. It\r\nalso browses the directories %USERPROFILE%\\Recent on Windows XP, and in newer Windows versions\r\n%APPDATA%\\Microsoft\\Windows\\Recent, and implements the same LNK parser – see Figure 14 and Figure 15.\r\nFigure 14. LNK parser (2014 sample – 5B55250CC0DA407201B5F042322CFDBF56041632)\r\nFigure 15. 
LNK parser (2020 sample – 0DAEA89F91A55F46D33C294CFE84EF06CE22E393)\r\nThe files retrieved from the LNK files are copied to %TEMP%\\\u003coriginal filename\u003e.bin. Note that unlike the 2020 variant,\r\nonly files with extensions .doc, .docx, .xls, .xslx, or .pdf are copied.\r\nIt also monitors removable drives in a loop, in order to steal files from them.\r\nSMTP C\u0026C communications\r\nNightClub uses the SMTP protocol to exfiltrate data. Even if C\u0026C communication by email is not unique to\r\nMoustachedBouncer and is also used by other adversaries such as Turla (see LightNeuron and the Outlook backdoor), it is\r\nquite rare. The code is based on the CSmtp project available on GitHub. The email accounts’ information is hardcoded,\r\nencrypted with the LCG algorithm. In the sample we analyzed, the mail configuration is:\r\n• SMTP server: smtp.seznam.cz\r\n• Sender address: glen.morriss75@seznam[.]cz\r\n• Sender password: \u003credacted\u003e\r\n• Recipient address: SunyaF@seznam[.]cz\r\nseznam.cz is a Czech web portal offering a free webmail service. We believe the attackers created their own email accounts,\r\ninstead of compromising legitimate ones.\r\nNightClub exfiltrates the files previously copied to %TEMP% by the file monitor functionality (FileMonitor in Figure 11).\r\nThey’re encoded in base64 and added as an attachment. The attachment name is the original filename with the .bin\r\nextension.\r\nFigure 16 shows the exfiltration of a file via SMTP. NightClub authenticates using the credentials for the \r\nglen.morriss75@seznam[.]cz account and sends an email to SunyaF@seznam[.]cz with the stolen file attached.\r\nFigure 16. 
TCP stream of the SMTP communication from our test machine\r\nNote that some headers that might look suspicious at first sight are the defaults from the CSmtp project, so they are probably\r\nnot distinctive. These include:\r\n• X-Mailer: The Bat! (v3.02) Professional\r\n• Content-Type: multipart/mixed; boundary=\"__MESSAGE__ID__54yg6f6h6y456345\"\r\nThe Bat! is an email client widely used in Eastern Europe. As such, the X-Mailer header likely blends in with email traffic in\r\nBelarus.\r\nNightClub – 2017 (SHA-1: F92FE4DD679903F75ADE64DC8A20D46DFBD3B277)\r\nIn 2017, we found a more recent version of NightClub, which was compiled on 2017-06-05. On the victim’s machine, it was\r\nlocated at C:\\Windows\\System32\\metamn.dll. Its filename in the DLL export directory is DownloaderService.dll, and it has\r\na single export named ServiceMain. It contains the PDB path\r\nD:\\AbcdMainProject\\Rootsrc\\Projects\\MainS\\Ink\\Release\\x64\\EtfFavoriteFinder.pdb. \r\nTo persist, it creates a Windows service named WmdmPmSp, as in previous versions. Unfortunately, we have not been able\r\nto recover the dropper.\r\nThis NightClub version also includes a few C++ class and method names, including nightclub, in the RTTI data – see Figure\r\n17.\r\nFigure 17. Method and class names from the RTTI data of the 2017 NightClub version\r\nAs in previous versions, C\u0026C communications use the SMTP protocol, via the CSmtp library, with hardcoded credentials.\r\nIn the sample we analyzed, the mail configuration is:\r\n• SMTP server: smtp.mail.ru\r\n• Sender address: fhtgbbwi@mail[.]ru\r\n• Sender password: [redacted]\r\n• Recipient address: nvjfnvjfnjf@mail[.]ru\r\nThe main difference is that they switched the free email provider from Seznam.cz to Mail.ru.\r\nThis NightClub version uses external plugins stored in the folder %APPDATA%\\NvmFilter\\. 
They are DLLs named\r\n\u003crandom\u003e.cr (e.g., et2z7q0FREZ.cr) with a single export named Starts. We have identified two plugins: a keylogger and a\r\nfile monitor.\r\nKeylogger (SHA-1: 6999730D0715606D14ACD19329AF0685B8AD0299)\r\nThis plugin was stored in %APPDATA%\\NvmFilter\\et2z7q0FREZ.cr and is a DLL with one export, Starts. It contains the\r\nPDB path D:\\Programming\\Projects\\Autogen\\Kh\\AutogenAlg\\Release\\x64\\SearchIdxDll.pdb and was developed in C++.\r\nRTTI data shows a few class names – see Figure 18.\r\nFigure 18. Method and class names from the RTTI data of the NightClub keylogger plugin\r\nThe keylogger implementation is rather traditional, using the Windows GetKeyState API function – see Figure 19.\r\nFigure 19. NightClub keylogger\r\nThe keylogger maintains a cleartext log file in %TEMP%\\uirtl.tmp. It contains the date, the title of the application, and the\r\nlogged keystrokes for this specific application. An example, which we generated, is provided in Figure 20.\r\nFigure 20. Example of the output of the keylogger (generated by us)\r\nFile monitor (SHA-1: 6E729E84C7672F048ED8AE847F20A0219E917FA)\r\nThis plugin was stored in %APPDATA%\\NvmFilter\\sTUlsWa1.cr and is a DLL with a single export named Starts. Its PDB\r\npath, D:\\Programming\\Projects\\Autogen\\Kh\\AutogenAlg\\Release\\x64\\FileMonitoringModule.pdb, has not been stripped,\r\nand it reuses code from the 2014 and 2020 file monitors, described above. It monitors drives and recent files, and copies\r\nfiles for exfiltration to %TEMP%\\AcmSym\\rm. Its log file is stored in %TEMP%\\indexwti.sxd.\r\nNightClub – 2020–2022\r\nIn 2020-11, we observed a new version of NightClub deployed in Belarus, on the computers of the diplomatic staff of a\r\nEuropean country. In 2022-07, MoustachedBouncer again compromised some of the same computers. 
The 2020 and 2022\r\nversions of NightClub are almost identical, and the compromise vector remains unknown.\r\nIts architecture is slightly different from the previous versions, as the orchestrator also implements networking functions.\r\nThe second component, which its developers call the module agent, is only responsible for loading the plugins. All samples\r\nwere found in the folder %APPDATA%\\microsoft\\def\\ and are written in C++ with statically linked libraries such as CSmtp\r\nor cpprestsdk. As a result, the executables are quite large – around 5 MB.\r\nOrchestrator\r\nOn the victims’ machines, both orchestrator variants (SHA-1: 92115E21E565440B1A26ECC20D2552A214155669 and\r\nD14D9118335C9BF6633CB2A41023486DACBEB052) were named svhvost.exe. We believe MoustachedBouncer tried to\r\nmasquerade as the name of the legitimate executable svchost.exe. For persistence, it creates a service named vAwast.\r\nContrary to previous versions, to encrypt the strings they simply add 0x01 to each byte. For example, the string cmd.exe\r\nwould be encrypted as dne/fyf. Another difference is that the configuration is stored in an external file, rather than hardcoded\r\nin the binary. It is stored in the hardcoded path %APPDATA%\\Microsoft\\def\\Gfr45.cfg and the data is decrypted with a\r\nprivate 2048-bit RSA key (see Figure 21) using the functions BCryptImportKeyPair and BCryptDecrypt.\r\nFigure 21. Hardcoded private RSA key\r\nThe config is formatted in JSON, as shown in Figure 22. \r\nFigure 22. NightClub external configuration format\r\nThe most important keys are transport and modules. The former contains information about the mailbox used for C\u0026C\r\ncommunications, as in the previous versions. 
The latter contains the list of modules.\r\nModule agent\r\nThe two variants of the module agent (SHA-1: DE0B38E12C0AF0FD63A67B03DD1F8C1BF7FA6128 and E6DE72516C1D4338D7E45E028340B54DCDC7A8AC) were named schvost.exe, another imitation of the svchost.exe filename.\r\nThis component is responsible for starting the modules specified in the configuration. They are DLLs, each with an export named Start or Starts. They are stored on disk unencrypted with the .ini extension, but are actually DLLs, so a .ini file that begins with a PE (MZ) header is a simple host-based indicator.\r\nModules\r\nOver the course of our investigation, we found five different modules: an audio recorder, two almost identical screenshotters, a keylogger, and a DNS backdoor. For all of them, the configuration, formatted in JSON, is passed as an argument to the Start or Starts function.\r\nBy default, the output of a plugin is written to %TEMP%\\tmp123.tmp. This can be changed using the config field file. Table 3 shows the different plugins.\r\nTable 3. NightClub plugins\r\nDLL export name | Configuration | Description\r\nNotifyLoggers.dll | {\"name\":\"\u003cvalue\u003e\", \"enabled\":\"\u003cvalue\u003e\", \"max_size\":\"\u003cvalue\u003e\", \"file\":\"\u003cvalue\u003e\", \"chk_t\":\"\u003cvalue\u003e\", \"r_d\":\"\u003cvalue\u003e\", \"f_hs\":\"\u003cvalue\u003e\", \"t_hs\":\"\u003cvalue\u003e\"} | An audio recorder that uses the Lame library and mciSendStringW to control the audio device. The additional configuration fields are likely options for Lame.\r\nMicroServiceRun.dll | {\"name\":\"\u003cvalue\u003e\", \"enabled\":\"\u003cvalue\u003e\", \"max_size\":\"\u003cvalue\u003e\", \"file\":\"\u003cvalue\u003e\", \"capture_on_key_press\":\"\u003cvalue\u003e\", \"period_in_sec\":\"\u003cvalue\u003e\", \"quality\":\"\u003cvalue\u003e\", \"app_keywords\":\"\u003cvalue\u003e\"} | A screenshotter that uses CreateCompatibleDC and GdipSaveImageToStream and writes the captured images to the file on disk. If app_keywords is not empty, it uses GetForegroundWindow to check the title of the active window and captures it only if the title matches app_keywords.\r\nJobTesterDll.dll | {\"name\":\"\u003cvalue\u003e\", \"enabled\":\"\u003cvalue\u003e\", \"max_size\":\"\u003cvalue\u003e\", \"file\":\"\u003cvalue\u003e\"} | A keylogger that uses the GetKeyState API. It writes the log to the file on disk in the format \u003cDate\u003e\u003cTitle bar\u003e\u003ccontent\u003e.\r\nParametersParserer.dll | {\"name\":\"\u003cvalue\u003e\", \"enabled\":\"\u003cvalue\u003e\", \"max_size\":\"\u003cvalue\u003e\", \"file\":\"\u003cvalue\u003e\", \"cc_server_address\":\"\u003cvalue\u003e\"} | A DNS-tunneling backdoor. cc_server_address specifies the IP address of the DNS server to which requests are sent. More details follow.\r\nThe DNS-tunneling backdoor (ParametersParserer.dll) uses a custom protocol to send data to, and receive data from, a malicious DNS server (cc_server_address). Figure 23 shows that the DNS request is sent directly to the IP address provided in the configuration, using the pExtra parameter of DnsQuery_A. Because the query goes straight to that server rather than to the host’s configured resolvers, it never appears in resolver-side DNS logs; on the network it shows up as port 53 traffic from the host to an unexpected address.\r\nFigure 23. DNS request to the C\u0026C server\r\nThe plugin adds the data to exfiltrate as part of the subdomain name of the domain used in the DNS request (pszName above). The domain is always 11.1.1.cid, where cid is not a delegated top-level domain, and the data is contained in the subdomain. It uses the following format, where x is the literal letter x, not a placeholder:\r\nx + \u003cmodified base64(buffer)\u003e + x.11.1.1.cid\r\nFor example, the first DNS request the plugin sends is xZW1wdHkx.11.1.1.cid, where ZW1wdHk decodes to empty. 
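As an added example, not code from ESET’s report or from the malware itself, the Python below implements the NightClub details described in this section so they can be checked against samples and DNS telemetry: the +0x01 string obfuscation of the orchestrator (subtract one from every byte and keep printable runs; plain ASCII data also produces candidates, so treat the output as leads), and the DNS C\u0026C protocol of ParametersParserer.dll, namely the modified base64, the x-delimited query label under 11.1.1.cid and 12.1.1.cid, the TXT reply format x<argument>x.<cmd_id>.<unknown>.1.<cmd_name>, and the command IDs of Table 4 that follow below. The SAMPLE_LOG lines are constructed, and the single 63-octet label limit in build_query is an assumption: the report does not say how longer payloads are split.

```python
import base64
import re

# Command IDs from Table 4 of the report (the backdoor's switch statement).
DNS_COMMANDS = {
    21: 'Copy a directory',
    22: 'Move a file',
    23: 'Remove a file or a directory',
    24: 'Search a file for a given pattern',
    25: 'Write a buffer to a file',
    26: 'Read a file',
    27: 'Create a process',
}

# Query name: letter x, payload, letter x, then 11.1.1.cid (data) or 12.1.1.cid (results).
QUERY_RE = re.compile(r'^x([A-Za-z0-9-]*)x[.](11|12)[.]1[.]1[.]cid$', re.IGNORECASE)

def find_obfuscated_strings(blob: bytes, min_len: int = 5):
    # The orchestrator stores strings with 0x01 added to every byte (cmd.exe -> dne/fyf).
    # Subtract one and keep printable runs; plain ASCII data also yields candidates.
    found, run = [], bytearray()
    for b in blob:
        c = (b - 1) % 256
        if 0x20 <= c < 0x7F:
            run.append(c)
            continue
        if len(run) >= min_len:
            found.append(run.decode('ascii'))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode('ascii'))
    return found

def nightclub_b64encode(data: bytes) -> str:
    # Standard base64 minus the padding, with + written as -p and / as -s.
    text = base64.b64encode(data).decode('ascii').rstrip('=')
    return text.replace('+', '-p').replace('/', '-s')

def nightclub_b64decode(text: str) -> bytes:
    # Undo the substitutions, then restore the stripped padding.
    std = text.replace('-p', '+').replace('-s', '/')
    std += '=' * (-len(std) % 4)
    return base64.b64decode(std, validate=True)

def build_query(data: bytes, result: bool = False) -> str:
    # Name the plugin resolves; result=True selects the 12.1.1.cid suffix for command output.
    label = 'x' + nightclub_b64encode(data) + 'x'
    # ASSUMPTION (not described in the report): a payload fits in one 63-octet label.
    if len(label) > 63:
        raise ValueError('payload too long for one DNS label; chunking is undocumented')
    return label + ('.12' if result else '.11') + '.1.1.cid'

def parse_query(qname: str):
    # (payload, is_result) for names in the backdoor format, None otherwise.
    m = QUERY_RE.match(qname.rstrip('.'))
    if m is None:
        return None
    return nightclub_b64decode(m.group(1)), m.group(2) == '12'

def parse_reply(txt: str) -> dict:
    # TXT answer: x<argument>x.<cmd_id>.<unknown>.1.<cmd_name>; cmd_name may contain dots.
    parts = txt.split('.', 4)
    if len(parts) != 5 or parts[3] != '1':
        raise ValueError('not a NightClub reply: ' + txt)
    label, cmd_id, unknown, _, name = parts
    if len(label) < 2 or label[0] != 'x' or label[-1] != 'x':
        raise ValueError('bad payload label: ' + label)
    cid = int(cmd_id)
    return {'cmd_id': cid, 'argument': nightclub_b64decode(label[1:-1]),
            'unknown': int(unknown), 'name': name,
            'description': DNS_COMMANDS.get(cid, 'unknown command')}

def build_reply(cmd_id: int, argument: bytes, name: str, unknown: int = 2) -> str:
    # Operator side of the exchange, as it would be placed in a TXT record.
    return 'x%sx.%d.%d.1.%s' % (nightclub_b64encode(argument), cmd_id, unknown, name)

# Constructed DNS telemetry (timestamp, client, qtype, qname); not taken from the report.
SAMPLE_LOG = '''2022-07-05T10:00:01Z 10.0.0.5 TXT xZW1wdHkx.11.1.1.cid
2022-07-05T10:00:02Z 10.0.0.5 A www.example.com
2022-07-05T10:00:31Z 10.0.0.5 TXT xdGltZW91dAx.12.1.1.cid
'''

def hunt(log: str):
    # Flag every query in the protocol format and decode what the implant sent.
    hits = []
    for line in log.splitlines():
        ts, client, qtype, qname = line.split()
        parsed = parse_query(qname)
        if parsed is not None:
            payload, is_result = parsed
            hits.append((ts, client, 'result' if is_result else 'data',
                         payload.decode('utf-8', 'replace')))
    return hits

if __name__ == '__main__':
    print(build_query(b'empty'))
    cmd = parse_reply('xYzpcd2luZG93c1xzeXN0ZW0zMlxjYWxjLmV4ZQx.27.2.1.calc')
    print(cmd['cmd_id'], cmd['description'], cmd['argument'].decode())
    print(hunt(SAMPLE_LOG))
```

Run as a script it prints the first beacon, decodes the calc.exe tasking quoted in this section and lists the two hits in the sample log. For hunting, feed hunt a passive-DNS or firewall export instead of SAMPLE_LOG and alert on any query under the cid pseudo-TLD whether or not the label decodes, since a decode failure only means a payload the parser does not understand.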
\r\nNote that the base64 function is not standard. It removes the trailing =, if any, from the result of the base64 encoding, and replaces / characters with -s and + characters with -p. This produces valid subdomains, because standard base64 output can include +, / and = characters, all of which are invalid in hostnames and would stand out in network traffic.\r\nThen, the plugin reads the result, which should be one or more TXT DNS records, since the query type DNS_TYPE_TEXT is passed to DnsQuery_A. Microsoft names the underlying structure DNS_TXT_DATAA. It contains an array of strings, which are concatenated to compute the output buffer.\r\nFigure 24. The plugin reads the TXT record\r\nThe expected format of the reply is:\r\nx + \u003cargument encoded with modified base64\u003e + x.\u003ccmd_id\u003e.\u003cunknown integer\u003e.1.\u003ccmd_name\u003e\r\nThis is similar to the format of the requests. The \u003cargument encoded with modified base64\u003e uses the same custom base64 encoding, without = and with -p for + and -s for /. \u003ccmd_name\u003e is an arbitrary string that is not used by the backdoor; it is likely used by the operators to keep track of the different commands. \u003ccmd_id\u003e is an integer that corresponds to a command in the backdoor’s switch statement.\r\nFor example, if the operators wanted to execute calc.exe, the DNS C\u0026C server would send the reply xYzpcd2luZG93c1xzeXN0ZW0zMlxjYWxjLmV4ZQx.27.2.1.calc, where Yzpcd2luZG93c1xzeXN0ZW0zMlxjYWxjLmV4ZQ decodes to c:\\windows\\system32\\calc.exe and 27 is the command ID to create a new process. All commands supported by this backdoor are detailed in Table 4.\r\nTable 4. Commands implemented by the DNS backdoor\r\nID | Description\r\n0x15 (21) | Copy a directory (from a source to a destination)\r\n0x16 (22) | Move a file (from a source to a destination)\r\n0x17 (23) | Remove a file or a directory\r\n0x18 (24) | Search a file for a given pattern (note: we are unsure about the exact behavior of this command)\r\n0x19 (25) | Write a buffer to a file\r\n0x1A (26) | Read a file\r\n0x1B (27) | Create a process\r\nThe result of a command is exfiltrated back to the attacker using DNS requests, as detailed above. The only difference is that 11 is replaced by 12 in the domain name, as in this example: xdGltZW91dAx.12.1.1.cid. In this case, the plugin sent the message timeout to the C\u0026C server.\r\nConclusion\r\nMoustachedBouncer is a skilled threat actor targeting foreign diplomats in Belarus. It uses quite advanced techniques for C\u0026C communications, including network interception at the ISP level for the Disco implant, emails for the NightClub implant, and DNS in one of the NightClub plugins.\r\nThe main takeaway is that organizations in foreign countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices. Such a tunnel only helps if it is always on and fails closed: the interception described in this report hijacks checks that the operating system performs on its own as soon as the network comes up, so any traffic allowed out before the tunnel is established, or while it is down, remains exposed.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nESET Research Podcast\r\nIf you want to know how ESET researchers named MoustachedBouncer and its tools Disco and NightClub, what makes this group worthy of the “advanced” label, or whether employees of the targeted embassies could have brought the malware home from work, listen to the latest episode of the ESET Research podcast. ESET’s Director of Threat Research Jean-Ian Boutin explains the intricacies of MoustachedBouncer to our host and ESET Distinguished Researcher Aryeh Goretsky. If you enjoy listening to cybersecurity topics, subscribe to our ESET Research podcast on Spotify, Google Podcasts, Apple Podcasts, or PodBean.\r\nIoCs\r\nFiles\r\nSHA-1 | Filename | Detection | Description (cut off in the PDF extraction; truncated words are marked with …)\r\n02790DC4B276DFBB26C714F29D19E53129BB6186 | index.html | JS/TrojanDownloader.Agent.YJJ | Fake Windows Update web…\r\n6EFF58EDF7AC0FC60F0B8F7E22CFE243566E2A13 | jdrop.js | JS/TrojanDownloader.Agent.YJJ | JavaScript code trigg… dow… prom… fake Windows Update…\r\nE65EB4467DDB1C99B09AE87BA0A964C36BAB4C30 | MicrosoftUpdate845255.exe | WinGo/Agent.ET | Disco: dropper\r\n3A9B699A25257CBD0476CB1239FF9B25810305FE | driverpackUpdate.exe | WinGo/Runner.B | Disco: executes PowerShell scripts\r\n19E3D06FBE276D4AAEA25ABC36CC40EA88435630 | DPU.exe | WinGo/Runner.C | Disco: executes PowerShell scripts\r\n52BE04C420795B0D9C7CD1A4ACBF8D5953FAFD16 | sdrive.exe | Win64/Exploit.CVE-2021-1732.I | Disco: LPE for CVE-2021-1732\r\n0241A01D4B03BD360DD09165B59B63AC2CECEAFB | nod32update.exe | WinGo/Agent.EV | Disco: reverse proxy on r…\r\nA01F1A9336C83FFE1B13410C93C1B04E15E2996C | aact.exe | WinGo/Spy.Agent.W | Disco: takes screenshots\r\nC2AA90B441391ADEFAA3A841AA8CE777D6EC7E18 | officetelemetry.exe | WinGo/Agent.BT | Disco: reverse proxy on r…\r\nC5B2323EAE5E01A6019931CE35FF7623DF7346BA | oracleTelemetry.exe | WinGo/Spy.Agent.W | Disco (pack… Them…): takes screenshots\r\nC46CB98D0CECCB83EC7DE070B3FA7AFEE7F41189 | outlooksync.exe | WinGo/Spy.Agent.W | Disco: takes screenshots\r\nA3AE82B19FEE2756D6354E85A094F1A4598314AB | kb4480959_EdgeUpdate.exe | MSIL/TrojanDropper.Agent.FKQ | Disco: dropper\r\n4F1CECF6D05571AE35ED00AC02D5E8E0F878A984 | WinSrcNT.exe | Win32/Nightclub.B | NightClub plugin … by D…: steals files\r\n0DAEA89F91A55F46D33C294CFE84EF06CE22E393 | It11.exe | Win32/Nightclub.B | NightClub plugin … by D…: steals files\r\n11CF38D971534D9B619581CEDC19319962F3B996 | It3.exe | Win32/Nightclub.B | NightClub plugin … by D…: makes dumps of removable drives\r\nF92FE4DD679903F75ADE64DC8A20D46DFBD3B277 | metamn.dll | Win64/Nightclub.B | NightClub (201… version)\r\n6999730D0715606D14ACD19329AF0685B8AD0299 | et2z7q0FREZ.cr | Win64/Nightclub.B | NightClub plugin: keylogger\r\n6E729E84C7672F048ED8AE847F20A0219E917FA3 | sTUlsWa1.cr | Win64/Nightclub.A | NightClub plugin: steal…\r\n0401EE7F3BC384734BF7E352C4C4BC372840C30D | EsetUpdate-0117583943.exe | Win32/Nightclub.C | NightClub dropper\r\n5B55250CC0DA407201B5F042322CFDBF56041632 | creh.dll | Win32/Nightclub.C | NightClub (201…)\r\nD14D9118335C9BF6633CB2A41023486DACBEB052 | svhvost.exe | Win32/Nightclub.D | Orchestrator (NightClub 2020/2022 versions)\r\nE6DE72516C1D4338D7E45E028340B54DCDC7A8AC | schvost.exe | Win32/Nightclub.D | Module agent (NightClub 2020/2022 versions)\r\n3AD77281640E7BA754E9B203C8B6ABFD3F6A7BDD | nullnat.ini | Win32/Nightclub.D | Backdoor with tunneling (NightClub plugin)\r\n142FF0770BC6E3D077FBB64D6F23499D9DEB9093 | soccix.ini | Win32/Nightclub.D | Keylogger (NightClub plugin)\r\nFE9527277C06D7F986161291CE7854EE79788CB8 | oreonion.ini | Win32/Nightclub.D | Screenshotter (NightClub plugin)\r\n92115E21E565440B1A26ECC20D2552A214155669 | svhvost.exe | Win32/Nightclub.D | Orchestrator (NightClub 2020/2022 versions)\r\nDE0B38E12C0AF0FD63A67B03DD1F8C1BF7FA6128 | schvost.exe | Win32/Nightclub.D | Module agent (NightClub 2020/2022 versions)\r\nD2B715A72BBA307CC9BF7690439D34F62EDF1324 | sysleg.ini | Win32/Nightclub.D | Records audio (NightClub plugin)\r\nDF8DED42F9B7DE1F439AEC50F9C2A13CD5EB1DB6 | oreonion.ini | Win32/Nightclub.D | Takes screenshots (NightClub plugin)\r\nC\u0026C servers\r\nIP | Domain | First seen | Comment\r\n185.87.148[.]86 | centrocspupdate[.]com | November 3, 2021 | Suspected NightClub C\u0026C server.\r\n185.87.151[.]130 | ocsp-atomsecure[.]com | November 11, 2021 | Suspected NightClub C\u0026C server.\r\n45.136.199[.]67 | securityocspdev[.]com | July 5, 2022 | NightClub C\u0026C server.\r\n45.136.199[.]129 | dervasopssec[.]com | October 12, 2022 | Suspected NightClub C\u0026C server.\r\n“Fake” domains used in AitM\r\nNote: These domains are used in a context where DNS queries are intercepted before reaching the internet. They do not resolve outside the context of the AitM attack.\r\nwindows.network.troubleshooter[.]com\r\nupdates.microsoft[.]com\r\nSMB share IP addresses while AitM is ongoing\r\nNote: These IP addresses are used in a context where traffic to them is intercepted before reaching the internet. 
These internet-routable IP addresses are not malicious outside the context of the AitM attack, so they should not be blocklisted.\r\n24.9.51[.]94\r\n35.214.56[.]2\r\n38.9.8[.]78\r\n52.3.8[.]25\r\n59.6.8[.]25\r\n209.19.37[.]184\r\nEmail addresses\r\nfhtgbbwi@mail[.]ru\r\nnvjfnvjfnjf@mail[.]ru\r\nglen.morriss75@seznam[.]cz\r\nSunyaF@seznam[.]cz\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 13 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nReconnaissance | T1590.005 | Gather Victim Network Information: IP Addresses | MoustachedBouncer operators have collected IP addresses, or address blocks, of their targets in order to modify network traffic for just those addresses.\r\nInitial Access | T1189 | Drive-by Compromise | Disco is delivered via a fake Windows Update website.\r\nExecution | T1204.002 | User Execution: Malicious File | Disco needs to be manually executed by the victim.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Disco persists as a scheduled task that downloads an executable from a “fake” SMB share every minute.\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service | NightClub persists as a ServiceDll of a service named WmdmPmSp.\r\nPrivilege Escalation | T1068 | Exploitation for Privilege Escalation | Disco has a plugin to exploit the CVE-2021-1732 local privilege escalation vulnerability.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Since 2020, NightClub has used an external configuration file encrypted with RSA.\r\nCollection | T1005 | Data from Local System | NightClub steals recent files from the local system.\r\nCollection | T1025 | Data from Removable Media | NightClub steals files from removable media.\r\nCollection | T1056.001 | Input Capture: Keylogging | NightClub has a plugin to record keystrokes.\r\nCollection | T1113 | Screen Capture | NightClub and Disco each have a plugin to take screenshots.\r\nCollection | T1123 | Audio Capture | NightClub has a plugin to record audio.\r\nCommand and Control | T1071.002 | Application Layer Protocol: File Transfer Protocols | Disco communicates via the SMB protocol.\r\nCommand and Control | T1071.003 | Application Layer Protocol: Mail Protocols | NightClub communicates via the SMTP protocol.\r\nCommand and Control | T1071.004 | Application Layer Protocol: DNS | One of the NightClub plugins is a backdoor that communicates via DNS.\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding | NightClub encodes files attached to emails in base64.\r\nCommand and Control | T1132.002 | Data Encoding: Non-Standard Encoding | NightClub encodes commands and responses sent via its DNS C\u0026C channel with a modified form of base64.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | NightClub receives plugins in email attachments encrypted using AES-CBC.\r\nCommand and Control | T1557 | Adversary-in-the-Middle | MoustachedBouncer has performed AitM at the ISP level to redirect its targets to a fake Windows Update page. It has also done AitM on the SMB protocol to deliver malicious files from “fake” servers.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | NightClub and Disco exfiltrate data over the C\u0026C channel (SMTP, SMB, and DNS).\r\nImpact | T1565.002 | Data Manipulation: Transmitted Data Manipulation | MoustachedBouncer has modified the HTTP traffic from specific IP addresses at the ISP level in order to redirect its targets to a fake Windows Update page.\r\nSource: https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"
	],
	"report_names": [
		"moustachedbouncer-espionage-against-foreign-diplomats-in-belarus"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "821cb2ce-472c-438f-943d-19cf23204d9a",
			"created_at": "2023-11-01T02:01:06.683709Z",
			"updated_at": "2026-04-10T02:00:05.39433Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [
				"MoustachedBouncer"
			],
			"source_name": "MITRE:MoustachedBouncer",
			"tools": [
				"SharpDisco"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d9d90f3-001e-4adc-8a77-8f93b5d02b01",
			"created_at": "2023-09-07T02:02:47.575324Z",
			"updated_at": "2026-04-10T02:00:04.770856Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [],
			"source_name": "ETDA:MoustachedBouncer",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0e74afe0-92c3-4fca-93a4-d8e51180e105",
			"created_at": "2023-08-11T02:00:11.229735Z",
			"updated_at": "2026-04-10T02:00:03.37095Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [],
			"source_name": "MISPGALAXY:MoustachedBouncer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434565,
	"ts_updated_at": 1775792016,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49c87716cede73f9944324aa862332183aaa4fe1.pdf",
		"text": "https://archive.orkl.eu/49c87716cede73f9944324aa862332183aaa4fe1.txt",
		"img": "https://archive.orkl.eu/49c87716cede73f9944324aa862332183aaa4fe1.jpg"
	}
}