Hacking group MoustachedBouncer, allegedly supported by the Belarusian government, has been targeting foreign diplomats from Europe, South Asia, and Africa for nearly ten years.
Security researchers from ESET Research published a detailed analysis of the group’s activities and hacking mechanisms. According to researchers, the group has been active since 2014 and only targets diplomats posted in Belarus. The group’s main weapon is performing adversary-in-the-middle (AitM) attacks at the ISP level.
The researchers also warn that MoustachedBouncer may have already been colluding with another group, Winter Vivern, which became active in 2021.
MoustachedBouncer uses two toolsets which the researchers have named NightClub and Disco. The group tampers with their victims’ internet access at the ISP level and tricks the victim’s Windows 10 operating system into believing it is behind a captive portal.

For IP ranges targeted by MoustachedBouncer, the network traffic is manipulated by the ISP to redirect the victim to a deceptive but authentic-looking Windows Update URL: http://updates.microsoft[.]com/. This leads the victim to a counterfeit Windows Update page displaying urgent notifications about critical system security updates.
On the fake update page, the victim is presented with a button named “Get updates.” When clicked, JavaScript code is executed that initiates the download of a malicious file. The AitM technique used by MoustachedBouncer is reminiscent of tactics employed by other threat actors like Turla and StrongPity. These actors have historically trojanised software installers on the fly at the ISP level, similar to the approach taken by MoustachedBouncer.
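The sequence described above (a captive-portal redirect, the cleartext Windows Update lure, then a file download) can be hunted for in an egress proxy log. The following Python is an added example, not code from ESET or this article; the log format, the sample lines, the content types, the five-minute window and the use of Windows' `www.msftconnecttest.com` connectivity probe as a signal are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines: time, client, URL, HTTP status, content type.
SAMPLE_LOG = """\
2023-08-10T09:00:01 10.0.0.5 http://www.msftconnecttest.com/connecttest.txt 302 text/html
2023-08-10T09:00:03 10.0.0.5 http://updates.microsoft.com/ 200 text/html
2023-08-10T09:00:20 10.0.0.5 http://updates.microsoft.com/update.zip 200 application/zip
2023-08-10T09:01:00 10.0.0.7 http://www.msftconnecttest.com/connecttest.txt 200 text/plain
2023-08-10T09:02:00 10.0.0.7 https://example.org/tool.zip 200 application/zip
2023-08-10T09:03:00 10.0.0.9 http://updates.microsoft.com/ 200 text/html
"""

LURE_HOST = "updates.microsoft.com"      # host named in the article
PROBE_HOST = "www.msftconnecttest.com"   # Windows 10 connectivity probe (assumed signal)
BINARY_TYPES = {"application/zip", "application/octet-stream",
                "application/x-msdownload"}  # assumed download content types
WINDOW = timedelta(minutes=5)            # assumed correlation window

def parse(line):
    """Split one log line into (time, client, scheme, host, status, ctype)."""
    ts, client, url, status, ctype = line.split()
    u = urlsplit(url)
    return datetime.fromisoformat(ts), client, u.scheme, u.hostname, int(status), ctype

def find_suspects(log_text):
    """Return {client: [stages seen]} for clients that touched the lure over HTTP."""
    last_probe, findings = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, scheme, host, status, ctype = parse(line)
        if scheme != "http":
            continue  # only cleartext traffic can be rewritten in transit
        if host == PROBE_HOST and status != 200:
            last_probe[client] = ts  # probe answered with something other than 200
        elif host == LURE_HOST:
            reasons = findings.setdefault(client, [])
            probe = last_probe.get(client)
            if probe and ts - probe <= WINDOW and "portal" not in reasons:
                reasons.append("portal")
            reasons.append("download" if ctype in BINARY_TYPES else "page")
    return findings

def severity(reasons):
    """A file fetched from the lure host outranks a page view alone."""
    return "high" if "download" in reasons else "medium"
```
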
The research highlights a potential collaboration between MoustachedBouncer and Belarusian ISPs, allowing the group to exploit a legal intercept system reminiscent of Russia’s SORM. Amnesty International’s 2016 report revealed that Belarus mandates all telecom providers to facilitate compatibility with the SORM system.

“The operators were trained to find some confidential documents, but we’re not sure exactly what they were looking for,” ESET researcher Matthieu Faou told TechCrunch. “They are operating only inside Belarus against foreign diplomats. So we have never seen any attack by MoustachedBouncer outside of Belarus.”
ESET’s investigation began in February 2022, when the company detected a cyberattack on diplomats in a European embassy, although the country involved remains undisclosed. By analyzing the malware, researchers uncovered a trail of attacks dating back to 2014, indicating the hackers’ success in evading scrutiny.
The group’s meticulous approach enabled them to fly under the radar for so long while successfully compromising high-profile targets like diplomats.
The ESET report raises concerns about the level of surveillance and state-sponsored hacking operations within Belarus, highlighting the broader implications of such activities for international relations and cybersecurity.