
MoustachedBouncer: A Belarus-Aligned Cyberespionage Group Targeting Foreign Embassies

ESET Research has recently brought to light a new cyberespionage player known as MoustachedBouncer. This group, named after its origins in Belarus, has displayed affiliations with the local government's interests, particularly during the ongoing Russian incursion into Ukraine. Active since 2014, MoustachedBouncer has honed its focus exclusively on foreign embassies located within Belarus, including those from European nations. Recent evidence suggests that the group has elevated its tactics by implementing adversary-in-the-middle (AitM) attacks at the Internet Service Provider (ISP) level within Belarus, effectively infiltrating its chosen targets.

MoustachedBouncer conducts its espionage with two distinct toolsets, which ESET has named NightClub and Disco. ESET researcher Matthieu Faou made the findings public at the Black Hat USA 2023 conference.

According to ESET's analysis, MoustachedBouncer has directed its efforts towards foreign embassies situated within Belarus. The group's primary focus has been embassies from Europe, South Asia, and Africa. ESET's evaluation leads to the conclusion that MoustachedBouncer likely aligns with Belarus' interests and specializes in espionage directed at foreign embassies. The group has demonstrated a mastery of advanced communication techniques, including network interception at the ISP level, email communication for one implant, and DNS manipulation for another.

Although MoustachedBouncer operates as an independent entity, ESET's investigation has uncovered potential connections to another active espionage group called Winter Vivern. This group has recently targeted government personnel across various European countries.

Matthieu Faou, the ESET researcher who unearthed this new threat group, explained their modus operandi. "To compromise their targets, MoustachedBouncer operators tamper with their victims' internet access, probably at the ISP level, to make Windows believe it's behind a captive portal." Faou continued, highlighting similarities with other threat actors who've trojanized software installers through similar techniques.

Faou also emphasized the significance of end-to-end encrypted VPNs for organizations in nations where internet integrity is questionable. He recommended employing such solutions to protect internet traffic from inspection and interception devices. Additionally, Faou advised organizations to maintain up-to-date security software to counter such threats effectively.

The NightClub implant, utilized by MoustachedBouncer, leverages free email services like and for data exfiltration. ESET's analysis indicates that the group might be using its own email accounts rather than compromising legitimate ones.

This discovery underscores the evolving landscape of cyberespionage, with MoustachedBouncer employing increasingly sophisticated techniques to achieve its aims. As such groups continue to adapt and enhance their tactics, the importance of robust cybersecurity measures becomes more apparent than ever.


