MoustachedBouncer APT Spies on Embassies, Likely via ISPs

Published: 23/11/2024   Category: security




Diplomats who didn't use VPNs may have lost sensitive state information to a Belarusian threat actor that wields the Disco and Nightclub malware.



BLACK HAT USA – Las Vegas – Thursday, Aug. 10 —
A Belarus-linked APT spied on staff in at least four embassies operating in the country, likely by leveraging the country's local Internet service provider (ISP).
In a Thursday presentation at Black Hat, ESET senior malware researcher Matthieu Faou will describe an espionage campaign by MoustachedBouncer, a previously unknown yet nearly decade-old APT aligned with the interests of the government of Belarus. From 2017 to 2022, using bespoke infostealer malware, the group successfully compromised diplomats from one southeast Asian country, one African country, and two European countries.
The exact method of intrusion isn't yet proven. MoustachedBouncer may have infected routers at the individual embassies, but ESET assessed that it more likely took advantage of lawful communications interception technology known to be used by the governments of Belarus and Russia at the ISP level.
"In most Western countries there are privacy laws, but when you go to countries like Belarus, you should really be careful," Faou advises for organizations of all kinds, not only government agencies. "You should not let traffic go outside of your computer without a VPN."
Five years ago, ESET described an espionage campaign in which the Russian APT Turla sewed its data-stealing malware inside of a trojanized Adobe Flash installer. The precise method of getting that malware to its targets wasn't entirely clear, but the researchers speculated that the group might have been manipulating HTTP requests at the ISP level.
This, they believe, is the same level at which MoustachedBouncer is operating.
Since 1995, the Russian government has been able to spy on Internet and phone networks through its System for Operative Investigative Activities (SORM). According to Amnesty International, all telecommunications providers in Belarus are SORM-compatible, as well. The SORM system "allows the authorities direct, remote-control access to all user communications and associated data without notifying the provider," the nonprofit explained in a 2021 report.
Therefore, the researchers wrote, "while the compromise of routers in order to conduct AitM [attacks in the middle] on embassy networks cannot be fully discarded, the presence of lawful interception capabilities in Belarus suggests the traffic mangling is happening at the ISP level rather than on the targets' routers."
Whether it used ISP or router compromise, MoustachedBouncer directed targeted computers to a fake Windows Update page. "It's quite efficient, because this fake Windows page comes up as soon as they start the computer. They have nothing to do except download the malware," Faou tells Dark Reading.
The malware, Disco, is a modular framework capable of taking screenshots, running PowerShell scripts, and exfiltrating data from the targeted machine.
This method didn't work for targets that filtered their traffic through VPNs, however. In those cases, MoustachedBouncer deployed Nightclub, another modular malware with the ability to monitor and exfiltrate files, as well as take screenshots, log keystrokes, and record audio. The entirety of its command-and-control communications occurs over email, via the SMTP and IMAP protocols. It's unclear how Nightclub was delivered to targets.
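The two exposures described above, plaintext traffic that an ISP-level attacker-in-the-middle can rewrite and workstations talking SMTP/IMAP straight to the Internet, can be triaged from ordinary connection logs. The following is an added example, not code from ESET or from the article; the flow records, interface names and host roles are constructed for illustration.

```python
# Added example: flag flow records that match the two exposures in the
# article. (1) Plaintext HTTP leaving a host outside the VPN tunnel is what an
# ISP-level attacker-in-the-middle needs to substitute a fake update page.
# (2) A workstation speaking SMTP/IMAP directly to the Internet matches the
# email-based command-and-control channel attributed to Nightclub.
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample flows: src_host,dst_ip,dst_port,egress_iface
# (TEST-NET addresses stand in for Internet hosts; 10.0.0.5 is internal).
SAMPLE_FLOWS = """\
ws-01,203.0.113.10,80,eth0
ws-01,203.0.113.10,443,tun0
ws-02,198.51.100.5,80,tun0
ws-03,192.0.2.25,587,eth0
ws-03,192.0.2.25,993,eth0
mail-gw,192.0.2.25,25,eth0
ws-04,10.0.0.5,80,eth0
"""

VPN_IFACES = {"tun0", "wg0"}           # assumption: tunnel interface names
MAIL_PORTS = {25, 465, 587, 143, 993}  # SMTP, SMTPS, submission, IMAP, IMAPS
MAIL_HOSTS = {"mail-gw"}               # assumption: hosts allowed to relay mail
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    host: str
    dst: str
    port: int
    reason: str


def is_internal(ip: str) -> bool:
    """Internal traffic never crosses the ISP, so it is out of scope here."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(flow_text: str) -> List[Finding]:
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        host, dst, port_s, iface = line.split(",")
        port = int(port_s)
        if is_internal(dst):
            continue
        if port == 80 and iface not in VPN_IFACES:
            findings.append(Finding(host, dst, port, "plaintext HTTP outside VPN"))
        if port in MAIL_PORTS and host not in MAIL_HOSTS:
            findings.append(Finding(host, dst, port, "workstation mail egress"))
    return findings
```

Run against real NetFlow or firewall exports, the same two rules give a quick baseline for which hosts would have been reachable by the traffic mangling described here.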
Disco was created in accordance with the embassy attacks, but Nightclub was first built in 2014 (and iterated on three times since). Exactly how the group flew under the radar for nearly a decade comes down to a couple of factors, Faou says.
"First, they're not compromising many victims — we only see a few targets per year," he points out.
And on a technical level, he adds, "I'd say it's a quite sophisticated campaign. It's not something that we're seeing very often."
