Disco
Disco is a malware framework used by the cyberespionage group MoustachedBouncer in parallel with its NightClub toolset starting in 2020. ESET reported that MoustachedBouncer has targeted foreign embassies in Belarus and likely conducts ISP-level adversary-in-the-middle operations to redirect Windows captive portal checks to attacker-controlled infrastructure. In the observed delivery chain, victims were presented with a fake Windows Update page at updates.microsoft[.]com over unencrypted HTTP and induced to download malicious .zip and .msi-style installer content, including MicrosoftUpdate845255.zip containing MicrosoftUpdate845255.exe, a Go-based Disco dropper (SHA-1: E65EB4467DDB1C99B09AE87BA0A964C36BAB4C30). ESET also observed a related C# dropper, SharpDisco (SHA-1: A3AE82B19FEE2756D6354E85A094F1A4598314AB), downloaded as EdgeUpdate.exe.
Disco establishes persistence by creating scheduled tasks that can run every minute. One observed task executed \\35.214.56[.]2\OfficeBroker\OfficeBroker.exe every minute. SharpDisco similarly created scheduled tasks implementing SMB-based reverse shells using paths such as \\24.9.51[.]94\EDGEUPDATE\EDGEAIN/EDGEAOUT and EDGEBIN/EDGEBOUT. Additional SMB servers observed in this ecosystem included \\209.19.37[.]184, \\38.9.8[.]78, and \\59.6.8[.]25. Disco also performed DNS queries for windows.system.update[.]com, and SharpDisco queried edgeupdate-security-windows[.]com, which ESET assessed as likely compromise beacons or success signals.
Capabilities directly described for Disco include screenshot capture, PowerShell execution, a reverse proxy inspired by revsocks, and a local privilege escalation exploit leveraging CVE-2021-1732. Disco plugins use SMB shares for both staging and data exfiltration, reducing dependence on internet-reachable command-and-control infrastructure. High-confidence infrastructure and delivery indicators mentioned in the reporting include updates.microsoft[.]com, jdrop.js, MicrosoftUpdate845255.zip, 5.45.121[.]106, windows.system.update[.]com, and the SMB paths and IPs above.
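One way to hunt for the persistence pattern described above in the task XML that Windows Security event 4698 carries, as an added Python example that is not code from ESET or from the Mallory page. The task XML sample is constructed from the OfficeBroker path in the reporting, and the "bare public IP in a UNC path" heuristic is an assumption drawn from the SMB servers listed above, not a rule from the page.

```python
"""Flag scheduled-task registrations that look like Disco persistence: an Exec
action whose command is a UNC path on a bare public IP address, repeating every
minute. Input is the task XML from event 4698's TaskContent (sample constructed)."""
import re
import ipaddress
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
UNC_ON_IP = re.compile(r"^\\\\(\d{1,3}(?:\.\d{1,3}){3})\\")

def iso_minutes(interval: str) -> Optional[float]:
    """Convert an ISO-8601 duration such as PT1M, PT30S or P1DT2H to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", interval)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def assess_task(task_xml: str) -> dict:
    """Return the indicators found in one task definition plus a verdict."""
    root = ET.fromstring(task_xml)
    found = {"command": None, "unc_public_ip": False, "sub_minute_repeat": False}
    cmd = root.find(".//t:Actions/t:Exec/t:Command", NS)
    if cmd is not None and cmd.text:
        found["command"] = cmd.text.strip()
        m = UNC_ON_IP.match(found["command"])
        if m:
            try:  # assumption: Disco's SMB servers were bare public IPs, not hostnames
                found["unc_public_ip"] = ipaddress.ip_address(m.group(1)).is_global
            except ValueError:  # malformed octet such as 999; not a real address
                pass
    for iv in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        mins = iso_minutes((iv.text or "").strip())
        if mins is not None and mins <= 1:
            found["sub_minute_repeat"] = True
    found["suspicious"] = found["unc_public_ip"] and found["sub_minute_repeat"]
    return found

# Constructed sample: the OfficeBroker task ESET described, repeating every minute.
DISCO_LIKE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2020-06-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>\\35.214.56.2\OfficeBroker\OfficeBroker.exe</Command></Exec></Actions>
</Task>"""
```

A task that repeats every minute but points at an RFC 1918 file server scores `unc_public_ip` False by design, so pair this with an allowlist of your own SMB servers if you want to catch internal staging hosts too.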
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Starting in 2020, the group has been using, in parallel, a second malware framework we have named Disco.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
4 techniques
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.
Examples include: "Sandworm Team leveraged Microsoft Office attachments which contained malicious macros..."; "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs"; "Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files."
Persistence
2 techniques
Privilege Escalation
2 techniques
Lateral Movement
1 technique
“Disco can download files to targeted systems via SMB.”; “APT3 has a tool that can copy files to remote machines.”; “cmd can be used to copy files to/from a remotely connected external system.”
Command and Control
3 techniques
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Espionage implant/toolset (notably Go/.NET components) delivered via ISP-level adversary-in-the-middle redirection to a fake Windows Update site. Establishes persistence via scheduled tasks and pulls additional payloads/plugins over SMB shares that are themselves intercepted/injected via AitM. Plugins include screenshotting, PowerShell execution, reverse proxying, and privilege escalation support.
Backdoor that persists by creating a scheduled task running every minute.
Malware executed through malicious ZIP and MSI files requiring user interaction.
Disco has been executed through inducing user interaction with malicious .zip and .msi files.