Threat Intelligence Tarot
Vol. II · 132
Belarus
risk 4/5
The Customs Officer
MoustachedBouncer
ESET-tracked cluster
Targets: foreign diplomats stationed in Belarus · embassies · diplomatic mission personnel
Active since ~2014 · Diplomatic surveillance, Adversary-in-the-middle intelligence collection
The Customs Officer waits at the gateway and waves you through with a smile — but stamps your passport with a tracker invisible to anyone but the state. You do not see the inspection; you only experience the consequences.
Tactics & Techniques
Tactic chain: RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1557 Adversary-in-the-Middle (Collection)
  • T1027 Obfuscated Files or Information (Defense Evasion)
  • T1071.001 Web Protocols (Command and Control)
  • T1090 Proxy (Command and Control)
  • T1041 Exfiltration Over C2 Channel (Exfiltration)
  • T1083 File and Directory Discovery (Discovery)
Notable Operations
  • ESET public disclosure (August 2023)
  • ISP-level traffic redirection of Windows captive-portal checks
  • NightClub and Disco modular malware frameworks
  • Sustained targeting of diplomatic personnel inside Belarus
Defenses
  • Always-on VPN for diplomatic staff, terminating outside the host nation (NIST CSF: PR.AC)
  • Certificate pinning on critical applications (OWASP MASVS)
  • DNS-over-HTTPS to circumvent local DNS manipulation (CIS Control 9)
  • Travel laptop policies with full-disk encryption and pre-departure imaging (NIST SP 800-46)
Reversed: Their Weakness
Diplomatic mission VPNs that terminate outside the host country, combined with certificate-pinning-aware browsers and applications, deny this operator the trusted network position it needs.
Data sourced from MITRE ATT&CK. For educational purposes.