Inside LongNosedGoblin: APT spying on SEA and Japan

December 18, 2025 at 12:00 AM

ESET researchers uncovered LongNosedGoblin, a China-aligned APT focused on government networks in Southeast Asia and Japan. Active since at least September 2023, the group blends custom .NET malware with Windows Group Policy to fan out across domains and uses popular cloud services for command and control.

Key highlights

  • Targets: Government entities in Southeast Asia and Japan for cyberespionage
  • Lateral movement: Abuse of Active Directory Group Policy to deploy malware at scale
  • Cloud C2: Microsoft OneDrive, Google Docs and Drive, and in one variant Yandex Disk
  • Tool sharing: NosyDoor likely used by multiple China-aligned actors
  • Tradecraft: AppDomainManager injection, AMSI bypass, scheduled tasks, and selective execution guardrails

Core toolset and what each does

  • NosyHistorian: C# tool that harvests Chrome, Edge, and Firefox history for all users and exfiltrates to an internal SMB share. Deployed via Group Policy and disguised as History.ini to blend in.
  • NosyDoor: Three-stage .NET backdoor. Stage 1 dropper masquerades as Registry policy, sets a scheduled task, and copies UevAppMonitor.exe as a LOLBin. Stage 2 uses AppDomainManager injection and AMSI bypass to load the payload. Stage 3 contacts OneDrive, sends encrypted host metadata, and executes tasks such as shell commands, file upload and download, and directory browsing. Includes time-windowed operation and machine-name guardrails.
  • NosyStealer: Four-stage chain that uses a DLL loader, Donut shellcode, AMSI patching, and scheduled tasks for persistence. Steals Chrome and Edge data, fetches a trigger from Google Docs, exfiltrates to Google Drive, and logs status back to Docs.
  • NosyDownloader: Multi-stage PowerShell downloader embedded into patched legitimate binaries. Bypasses AMSI and fetches payloads in memory. Likely used to deploy a reverse SOCKS5 proxy, a keylogger, and an argument runner for screen and audio capture.
  • NosyLogger: Modified C# keylogger with anti-debug checks. Encrypts keystrokes, window titles, and clipboard data locally with AES.
  • Other utilities: ReverseSocks5 for covert tunneling and a simple runner used to launch FFmpeg for video and audio recording.
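
NosyDoor's stage 2 relies on AppDomainManager injection, in which the .NET runtime is pointed at an attacker-supplied assembly that loads before the host program's own code. The following scanner is an added example, not ESET's code or any LongNosedGoblin sample: it checks an application's .exe.config text for the documented `<runtime>` elements that select a custom AppDomainManager, and checks a process environment for the equivalent variables. The configuration texts, the environment dictionary and the assembly and type names are constructed placeholders.

```python
"""Detect AppDomainManager injection settings in .NET config files and process
environments.

Added example (not ESET's code). AppDomainManager injection points the .NET
runtime at an attacker-supplied assembly through the <runtime> section of an
application's .exe.config, or through environment variables, so that assembly
runs before the legitimate program's Main(). The element and variable names
below are the documented .NET runtime settings; the config texts and the
environment dict are constructed samples.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# Documented environment variables that select an AppDomainManager for any
# .NET process started with them set.
APPDOMAIN_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed sample: a typical benign config for a .NET Framework 4 application.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>
</configuration>"""

# Constructed sample: the same kind of file carrying an AppDomainManager override.
# "ExampleLoader" is a placeholder, not a real indicator.
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleLoader.Manager" />
  </runtime>
</configuration>"""


def find_appdomainmanager_override(config_text: str) -> Optional[dict]:
    """Return {'assembly': ..., 'type': ...} if the config selects a custom
    AppDomainManager, otherwise None. Unparseable input is reported as a
    finding of its own, since a legitimate .exe.config is well-formed XML."""
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError as exc:
        return {"assembly": None, "type": None, "error": f"malformed config: {exc}"}
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value") if asm is not None else None,
        "type": typ.get("value") if typ is not None else None,
    }


def check_environment(env: dict) -> list:
    """Return the AppDomainManager-related variables present in a process
    environment block (for example from EDR process-creation telemetry)."""
    return [name for name in APPDOMAIN_ENV_VARS if name in env]


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        print(label, "->", find_appdomainmanager_override(text))
    print("env ->", check_environment({"APPDOMAIN_MANAGER_ASM": "ExampleLoader", "PATH": r"C:\Windows"}))
```

In practice this check is run over every `*.exe.config` found next to signed Microsoft binaries in user-writable directories, where a legitimate application has no reason to name an AppDomainManager; an `appDomainManagerAssembly` whose assembly file sits beside the executable rather than in the GAC is the case worth escalating first.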

Campaign timeline and activity

  • 2024: Initial discovery in a Southeast Asian government network; Group Policy used to deploy NosyHistorian and selectively NosyDoor
  • December 2024: Updated NosyHistorian observed in Japan
  • September 2025: Renewed activity in Southeast Asia; suspected Cobalt Strike loaders (oci.dll and mscorsvc.dll) pushed via Group Policy

Attribution notes

  • ESET tracks this cluster as LongNosedGoblin based on a unique toolset and Group Policy abuse
  • Overlaps in tooling suggest NosyDoor may be a shared or service-based backdoor used by multiple China-aligned actors
  • Prior reporting on Erudite Mogwai and ToddyCat shows some surface similarities, but TTPs and code point to distinct activity

Why it matters for defenders

  • Watch for suspicious Group Policy changes and scheduled tasks such as "OneDrive Reporting Task"
  • Monitor misuse of UevAppMonitor.exe and unexpected binaries in Windows Microsoft.NET Framework paths
  • Look for unusual SMB exfiltration inside the LAN and OAuth-based access to OneDrive or Google services
  • Review scheduled tasks, hidden PowerShell activity, and AMSI tampering

IoCs and techniques

  • ESET provides comprehensive IoCs in its repository. Notable techniques include AppDomainManager injection, AMSI bypass, scheduled task persistence, cloud service C2, and encrypted exfiltration.

Source: WeLiveSecurity
