MoustachedBouncer, the Espionage Group that Specialises in Embassies

With the ability to manipulate ISP-level traffic, it targets diplomats in Belarus.

ESET Research warns about the actions of cyber-espionage group MoustachedBouncer, which operates in Belarus aligned with government interests.

Active since at least 2014, it targets foreign embassies in the country. Security experts have identified two attacks on Europe, one on Asia, and one on Africa. Since 2020, MoustachedBouncer has been using AitM (adversary-in-the-middle) attacks at the ISP level to redirect captive portal checks to a command-and-control server.

It employs two separate toolkits dubbed Disco and NightClub by ESET. The former intervenes in AitM attacks, while the latter comes into play when traffic interception at the ISP level is not possible. NightClub relies on email services such as and to filter data.

“In the IP ranges targeted by MoustachedBouncer, network traffic is redirected to a seemingly legitimate but in reality fake Windows Update page,” details Matthieu Faou, the ESET researcher who discovered the threat.

“The AitM scenario reminds us of threat actors Turla and StrongPity, which have trojanised software installers on the fly at the ISP level,” he notes. “While the compromise of routers to carry out AitM attacks on embassy networks cannot be completely ruled out, the presence of lawful interception capabilities in Belarus suggests that traffic manipulation is occurring at the ISP level rather than on the targets’ routers.”

MoustachedBouncer monitors disk drives and steals files. Its spying capabilities include screen captures, audio recording, and keystroke logging.

Researchers suspect that these attackers may be collaborating with the Winter Vivern espionage group, which has targeted government personnel in countries such as Poland and Ukraine.

“Organisations in foreign countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic to bypass any network inspection devices,” Faou advises. “They should also use up-to-date, high-quality IT security solutions.”