China-Aligned Threat Group Abuses Windows Group Policy to Deploy Espionage Malware

A previously undocumented China-aligned threat cluster, tracked as LongNosedGoblin, has been linked to a series of cyber espionage operations targeting government organizations in Southeast Asia and Japan. The activity, uncovered by Slovak cybersecurity firm ESET, has been assessed to be active since at least September 2023, with intelligence collection identified as the primary objective.

According to researchers Anton Cherepanov and Peter Strýček, the group abuses Windows Group Policy to distribute malware across compromised networks. In addition, LongNosedGoblin relies on popular cloud services such as Microsoft OneDrive and Google Drive as command-and-control infrastructure. Group Policy is a Windows feature that lets administrators centrally manage configurations and permissions for users and systems; that same central reach makes it an effective distribution channel when attackers misuse it.

[Figure: NosyDoor execution chain]

ESET’s investigation shows that the attacks leverage a custom malware ecosystem, largely built using C# and .NET. Key components include NosyHistorian, designed to harvest browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox. Another tool, NosyDoor, acts as a backdoor that communicates via OneDrive and supports file exfiltration, deletion, and remote command execution. NosyStealer focuses on stealing browser data and uploading it to Google Drive in encrypted archive form, while NosyDownloader retrieves and executes additional payloads in memory, including NosyLogger, a modified keylogging tool based on DuckSharp.

The company first detected LongNosedGoblin activity in February 2024 within a Southeast Asian government network. Analysis revealed that Group Policy was used to push malware to multiple systems within the same organization. Although the initial access vector remains unknown, evidence suggests a selective infection strategy. While many victims were exposed to NosyHistorian between January and March 2024, only a limited subset received the more advanced NosyDoor backdoor, indicating targeted espionage operations.
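As an added defender-side example (not code from the ESET report or from this page), the PowerShell audit below lists recently modified GPOs and flags those carrying script, scheduled-task or file-delivery settings, the kind of Group Policy channel the report says was used to push malware to many systems at once. The GroupPolicy module cmdlets are standard RSAT; the extension type tokens matched in the report XML and the 30-day look-back window are assumptions.

```powershell
# Added defender-side audit helper; not ESET's code and not LongNosedGoblin tooling.
# Lists GPOs modified in the look-back window and flags those whose XML report contains
# client-side extensions able to deliver executables to many hosts at once:
# startup/logon scripts, Preferences scheduled tasks, and Preferences file copies.
# Assumes the RSAT GroupPolicy module and rights to read GPO reports (run from an admin host).
Import-Module GroupPolicy

function Find-RecentGpoDeliveryChanges {
    param([int]$Days = 30)   # look-back window; the default is an assumed value

    $since = (Get-Date).AddDays(-$Days)
    # xsi:type tokens Get-GPOReport emits for the extensions of interest (assumed names)
    $deliveryTypes = 'ScriptsSettings', 'ScheduledTasksSettings', 'FilesSettings'

    foreach ($gpo in (Get-GPO -All | Where-Object { $_.ModificationTime -ge $since })) {
        # The XML report is returned as a string; a substring match is enough to flag the GPO
        $xml  = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $hits = $deliveryTypes | Where-Object { $xml -match $_ }
        if ($hits) {
            [pscustomobject]@{
                Name     = $gpo.DisplayName
                Id       = $gpo.Id
                Modified = $gpo.ModificationTime
                Owner    = $gpo.Owner
                Delivers = ($hits -join ', ')
            }
        }
    }
}

# Review every row by hand: a script/task GPO touched outside a change window, or owned by
# an unexpected account, is the signal this audit is meant to surface.
Find-RecentGpoDeliveryChanges -Days 30 | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Pair the output with Directory Service change events (Event ID 5136) from the domain controllers to identify which account modified each flagged GPO and when.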

Further findings show the use of execution guardrails within certain droppers, restricting malware execution to specific victim machines. Additional tools observed include a reverse SOCKS5 proxy, audio and video capture utilities, and a loader for Cobalt Strike.

ESET noted limited overlaps between LongNosedGoblin and other China-aligned clusters such as ToddyCat and Erudite Mogwai, but emphasized that no definitive attribution links exist. However, similarities between NosyDoor and the LuckyStrike Agent, along with references suggesting a “Paid Version,” raise the possibility that some malware components may be shared or commercialized among multiple threat actors. A separate incident involving a NosyDoor variant targeting an organization in the European Union and using Yandex Disk for command and control further supports this assessment.
