G1019 MoustachedBouncer
MoustachedBouncer is a cyberespionage group that has been active since at least 2014, targeting foreign embassies in Belarus.[1]
| Item | Value |
|---|---|
| ID | G1019 |
| Associated Names | |
| Version | 1.0 |
| Created | 25 September 2023 |
| Last Modified | 16 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | MoustachedBouncer has used plugins to execute PowerShell scripts.[1] |
| enterprise | T1059.007 | JavaScript | MoustachedBouncer has used JavaScript to deliver malware hosted on HTML pages.[1] |
| enterprise | T1659 | Content Injection | MoustachedBouncer has injected content into DNS, HTTP, and SMB replies to redirect specifically targeted victims to a fake Windows Update page that downloads malware.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.002 | Remote Data Staging | MoustachedBouncer has used plugins to save captured screenshots to .\AActdata\ on an SMB share.[1] |
| enterprise | T1068 | Exploitation for Privilege Escalation | MoustachedBouncer has exploited CVE-2021-1732 to execute malware components with elevated rights.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | MoustachedBouncer has used malware plugins packed with Themida.[1] |
| enterprise | T1090 | Proxy | MoustachedBouncer has used a reverse proxy tool similar to the GitHub repository revsocks.[1] |
| enterprise | T1113 | Screen Capture | MoustachedBouncer has used plugins to take screenshots on targeted systems.[1] |
| mobile | T1655 | Masquerading | - |
| mobile | T1655.001 | Match Legitimate Name or Location | MoustachedBouncer has used legitimate-looking filenames for malicious executables, including MicrosoftUpdate845255.exe.[1] |