Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ MoustachedBouncer

🌐MoustachedBouncer

🌐 MoustachedBouncer is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 8 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1019) ↗
14Use cases
0Articles
8Techniques
0IOCs

About this actor (MITRE)

[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)

Known aliases

MoustachedBouncer

Top techniques

T1027.002 · Software PackingT1059.001 · PowerShellT1059.007 · JavaScript

All other tracked techniques

T1068 · Exploitation for Privilege EscalationT1074.002 · Remote Data StagingT1090 · ProxyT1113 · Screen CaptureT1659 · Content Injection

Detection use cases (14)

MoustachedBouncer fake Windows/Java Update dropped via ISP HTTP content-injection AI · profile S MoustachedBouncer Disco SMB-share staging & internal proxy (T1074.002 + T1090) AI · profile S Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules MITRE match Package Manager Install Hook Spawns Scripting Interpreter Then Touches Credential Files or Egresses Off-Registry MITRE match Package-manager child process credential fan-out with public egress (Mini Shai-Hulud / TeamPCP worm chain) MITRE match Package-manager install hook spawns interpreter that beacons to non-registry host within 120s MITRE match Post-Auth Privilege Boundary Crossing on Edge/Management Appliances (low-priv -> admin within 10m) MITRE match Public-Facing App Runtime Spawns Shell, LOLBin, or Container-Control Tool MITRE match