LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan

In 2024, ESET researchers noticed previously undocumented malware in the network of a Southeast Asian governmental entity. This led us to uncover even more new malware on the same system, none of which had substantial ties to any previously tracked threat actors. Based on our findings, we decided to attribute the malicious tools to a new China-aligned APT group that we have named LongNosedGoblin.

The group employs a varied custom toolset consisting mainly of C#/.NET applications, and, notably, uses Group Policy to deploy its malware and move laterally across the systems of targeted entities. This blogpost details our discovery of LongNosedGoblin, goes over its known campaigns, and dives into the toolset of the group.

Key points of the report:

  • LongNosedGoblin is a newly discovered China-aligned APT group targeting governmental entities in Southeast Asia and Japan, with the goal of cyberespionage.
  • The group has been active since at least September 2023.
  • LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&C) servers.
  • One of the group’s tools, NosyHistorian, is used to gather browser history and decide where to deploy further malware, such as the NosyDoor backdoor.
  • NosyDoor is most likely being shared by multiple China-aligned threat actors.
  • We provide a detailed analysis of NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, NosyLogger, and other tools used by LongNosedGoblin.

Smells like trouble: Introducing LongNosedGoblin

LongNosedGoblin is a China-aligned APT group that targets governmental entities in Southeast Asia and Japan, with the goal of conducting cyberespionage. As mentioned above, in its campaigns LongNosedGoblin abuses Group Policy – a mechanism for managing settings and permissions on Windows machines, typically used with Active Directory – to deploy malware and move laterally across the compromised network.

One of the main tools in its arsenal is NosyHistorian, a C#/.NET application that the group uses to collect browser history, which is then used to determine where to deploy further malware. This includes another major LongNosedGoblin tool, a backdoor that we named NosyDoor, which, in campaigns we observed, used Microsoft OneDrive as its C&C server. NosyDoor also employs living-off-the-land techniques in its execution chain, namely AppDomainManager injection. Finally, several of the group’s tools can bypass the Antimalware Scan Interface (AMSI), which enables antimalware products to scan various scripts before execution.

Discovery

In February 2024, we found unknown malware on a system of a governmental entity in Southeast Asia. The malware was used to drop a custom backdoor, which we later named NosyDoor. At the same time, we noticed that the compromise involved not just one, but multiple machines from the same entity, with the malware having been deployed via Group Policy.

Additional analysis revealed that the same victims were also afflicted with a different malicious tool distributed via Group Policy, this one used for collecting browser history. We named the tool NosyHistorian. While we found many victims affected by NosyHistorian in the course of our original investigation between January and March 2024, only a small subset of them were compromised by NosyDoor. Some samples of NosyDoor’s dropper even contained execution guardrails to limit operation to specific victims’ machines.

Later, we identified even more unknown malware on the victims’ machines: NosyStealer, which exfiltrates browser data; NosyDownloader, which downloads and runs a payload in memory; NosyLogger, a keylogger; other tools like a reverse SOCKS5 proxy; and an argument runner (a tool that runs an application passed as an argument) that was used to run a video recorder, likely FFmpeg, to capture audio and video. The downloader was first recorded in our telemetry as far back as September 2023.

Attribution

Due to the unique toolset, alongside the use of Group Policy for lateral movement, we decided to attribute the attacks to a new China-aligned APT group, and named it LongNosedGoblin. We noticed some overlap with file paths mentioned in a Kaspersky blogpost about ToddyCat, an APT group with similar targeting, but the malware in that report shows no code similarity with the malware analyzed here.

It should also be noted that in June 2025, the Russian cybersecurity company Solar published a blogpost on an APT group it refers to as Erudite Mogwai, which used a payload that closely resembles LongNosedGoblin’s NosyDoor. According to the authors, Erudite Mogwai targeted the IT infrastructure of a Russian government organization and Russian IT companies, using the LuckyStrike Agent backdoor in its operations.

However, we cannot confirm that Erudite Mogwai and LongNosedGoblin are one and the same, as there is a definite difference in TTPs between the two groups. Notably, the Erudite Mogwai research does not mention the abuse of Active Directory Group Policy for malware deployment – a technique that is quite specific to LongNosedGoblin’s operations.

We later identified another instance of a NosyDoor variant targeting an organization in an EU country, once again employing different TTPs, and using the Yandex Disk cloud service as a C&C server. The use of this NosyDoor variant suggests that the malware may be shared among multiple China-aligned threat groups. This is further corroborated by Solar’s observation of the word Paid in the PDB path of NosyDoor, suggesting that the malware may be commercially provided as a service – potentially indicating it is being sold or licensed to other threat actors.

Later campaigns

Throughout 2024, LongNosedGoblin was actively deploying NosyDownloader in Southeast Asia. In December of the same year, we detected an updated version of NosyHistorian in Japan, but then observed no subsequent activity.

In September 2025, we began seeing renewed activity of the group in Southeast Asia. As in previous campaigns, the threat actor leveraged Group Policy to deliver NosyHistorian to targeted machines.

During this wave of attacks, we noticed behavior consistent with Cobalt Strike usage: a loader named oci.dll was downloaded on a single machine, with a payload named ocapi.edb loaded from disk.

LongNosedGoblin successfully deployed this likely Cobalt Strike loader to selected machines via Group Policy. Another component, mscorsvc.dll, was also downloaded, with its payload stored in conf.ini; this loader was likewise distributed to victims’ machines using Group Policy, following the same delivery method as oci.dll.

Exploring LongNosedGoblin’s toolset

NosyHistorian

NosyHistorian, a C#/.NET application with the internal name GetBrowserHistory, collects browser history to gain insights about compromised infrastructure. Deployed via Group Policy under the filename History.ini, it appears as an INI file but is actually a portable executable (PE) file. The tool retrieves browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox and uploads the data to a specific SMB share within the organization’s network.

NosyDoor

The NosyDoor backdoor utilizes cloud services like Microsoft OneDrive for its C&C server. It executes in three stages, involving a dropper, AppDomainManager injection technique, and the backdoor itself. NosyDoor gathers machine metadata and executes commands received from the C&C server, allowing tasks like file exfiltration and shell command execution.

In the first stage, the dropper, named OneClickOperation, is deployed via Group Policy and masquerades as a Registry Policy file. It decodes embedded files, decrypts them using DES, and drops them into a directory chosen so that they blend in with existing files. The dropper also creates a Windows scheduled task that executes a legitimate executable at system startup.
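Both NosyHistorian (History.ini) and the NosyDoor dropper (posing as a Registry Policy file) rely on the same trick: a PE image stored under an extension that should never hold executable code. The following Go program is an added example for hunting that pattern; it is not ESET tooling and not code from the group. It checks the DOS header and the e_lfanew pointer to the PE signature rather than trusting the extension, and walks a directory tree (for instance a copy of the SYSVOL Policies folder) flagging .ini and .pol files that are really executables. The directory layout it builds in main() is constructed for the demonstration; the observation that genuine Registry.pol files begin with the "PReg" magic is standard format knowledge, not something taken from the report.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// looksLikePE reports whether data is a Windows PE image: an "MZ" DOS header
// whose e_lfanew field (offset 0x3c) points at the "PE\0\0" signature.
// The bounds check keeps a crafted e_lfanew from indexing past the buffer.
func looksLikePE(data []byte) bool {
	if len(data) < 0x40 || data[0] != 'M' || data[1] != 'Z' {
		return false
	}
	off := uint64(binary.LittleEndian.Uint32(data[0x3c:0x40]))
	if off+4 > uint64(len(data)) {
		return false
	}
	return string(data[off:off+4]) == "PE\x00\x00"
}

// disguiseExts lists extensions LongNosedGoblin used to hide executables:
// .ini (History.ini) and .pol (the dropper posing as a Registry Policy file).
// Genuine Registry.pol files start with the "PReg" magic, never with "MZ".
var disguiseExts = map[string]bool{".ini": true, ".pol": true}

// scanDir walks root and returns every file whose extension is in exts but
// whose content is a PE image. Unreadable files are skipped so that one
// locked file does not abort a sweep of a large policy share.
func scanDir(root string, exts map[string]bool) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() || !exts[strings.ToLower(filepath.Ext(p))] {
			return nil
		}
		data, err := os.ReadFile(p)
		if err == nil && looksLikePE(data) {
			hits = append(hits, p)
		}
		return nil
	})
	return hits, err
}

// fakePE builds a minimal constructed header: "MZ", e_lfanew = 0x40, "PE\0\0".
// It is not a valid executable, only enough to exercise looksLikePE.
func fakePE() []byte {
	b := make([]byte, 0x44)
	copy(b, "MZ")
	binary.LittleEndian.PutUint32(b[0x3c:], 0x40)
	copy(b[0x40:], "PE\x00\x00")
	return b
}

func main() {
	// Constructed stand-in for a Policies\{GUID}\Machine folder on SYSVOL.
	dir, err := os.MkdirTemp("", "gpo-scan")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "History.ini"), fakePE(), 0o644)                       // PE disguised as INI
	os.WriteFile(filepath.Join(dir, "desktop.ini"), []byte("[.ShellClassInfo]\n"), 0o644)  // real INI text
	os.WriteFile(filepath.Join(dir, "Registry.pol"), []byte("PReg\x01\x00\x00\x00"), 0o644) // real policy file

	hits, err := scanDir(dir, disguiseExts)
	fmt.Println("disguised executables:", hits, "err:", err)
}
```

Running it against the constructed folder reports only History.ini. In practice you would point scanDir at an offline copy of \\domain\SYSVOL\domain\Policies and extend disguiseExts with whatever non-executable extensions your own policies legitimately contain.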

In the second stage, the AppDomainManager injection technique is used to load malicious code via a configuration file: a .config file placed next to the legitimate executable points the CLR’s appDomainManagerAssembly and appDomainManagerType settings at an attacker-controlled assembly, which the runtime instantiates before the program’s own entry point runs. AMSI is bypassed with code taken from the Inceptor framework within SharedReg.dll. The file `netfxsbs9.hkf` is then decoded from base64, decrypted using AES with the key `UevAppMonitor` (padded with null bytes to a length of 16) and an initialization vector of `0`, and decoded from base64 again. The result is the NosyDoor payload, which is subsequently executed. Any errors encountered are logged to `error.txt` in the `C:\Windows\Microsoft.NET\Framework` directory.
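To make the decode chain concrete, here is an added Go reconstruction of it; this is not ESET tooling and not the malware’s own code. Because the `log.cached` configuration file described under stage 3 below uses the same AES routine (key `Thomas`, null-padded to 16 bytes, IV `0`, with an extra XOR against `SecretKey` first), the same program covers both. Three details the report does not spell out are assumptions here and are marked as such in the code: CBC mode with PKCS7 padding (the defaults of the .NET Aes class), an IV of sixteen zero bytes, and a repeating-key XOR. The sample files are constructed by running each chain in reverse, so the program runs offline; real samples are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// padKey applies the reported key handling: the ASCII key null-padded to 16 bytes (AES-128).
func padKey(key string) []byte {
	k := make([]byte, aes.BlockSize)
	copy(k, key)
	return k
}

// zeroIV is our reading of "an initialization vector of 0": 16 zero bytes (assumption).
var zeroIV = make([]byte, aes.BlockSize)

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS7 padding")
	}
	return b[:len(b)-n], nil
}

// aesCBCDecrypt uses AES-CBC with PKCS7 padding, the .NET Aes defaults (assumption).
func aesCBCDecrypt(key string, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	block, _ := aes.NewCipher(padKey(key)) // 16-byte key, cannot fail
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// aesCBCEncrypt is the inverse; it exists only to build the constructed samples.
func aesCBCEncrypt(key string, pt []byte) []byte {
	block, _ := aes.NewCipher(padKey(key))
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte(nil), pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(ct, padded)
	return ct
}

// xorKey is a repeating-key XOR (that the key repeats is an assumption).
func xorKey(data []byte, key string) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// decodeStage2 follows the netfxsbs9.hkf chain: base64 -> AES(UevAppMonitor) -> base64.
func decodeStage2(file []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(string(file))
	if err != nil {
		return nil, err
	}
	inner, err := aesCBCDecrypt("UevAppMonitor", ct)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(string(inner))
}

// decryptConfig follows the log.cached chain: XOR(SecretKey) -> base64 -> AES(Thomas).
func decryptConfig(file []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(string(xorKey(file, "SecretKey")))
	if err != nil {
		return nil, err
	}
	return aesCBCDecrypt("Thomas", ct)
}

// The builders run the chains backwards to produce constructed sample files;
// they stand in for real samples, which are not reproduced here.
func buildStage2Sample(payload []byte) []byte {
	inner := []byte(base64.StdEncoding.EncodeToString(payload))
	return []byte(base64.StdEncoding.EncodeToString(aesCBCEncrypt("UevAppMonitor", inner)))
}

func buildConfigSample(config []byte) []byte {
	return xorKey([]byte(base64.StdEncoding.EncodeToString(aesCBCEncrypt("Thomas", config))), "SecretKey")
}

func main() {
	payload, _ := decodeStage2(buildStage2Sample([]byte("MZ\x90\x00 constructed stand-in for the stage 3 PE")))
	cfg, _ := decryptConfig(buildConfigSample([]byte(`{"AgentType":"constructed","CodeType":1}`)))
	fmt.Printf("stage 2 payload: %q\nconfig: %s\n", payload, cfg)
}
```

To use it on a real sample, read `netfxsbs9.hkf` or `log.cached` from disk and pass the bytes to decodeStage2 or decryptConfig; a padding error on output usually means one of the three assumptions above (mode, IV, XOR) does not hold for that variant, which is the first thing to re-check in the disassembly.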

NosyDoor Stage 3 – payload

The third stage of NosyDoor, known as the main payload, is a C#/.NET backdoor named `OneDrive` with the PDB path `E:\Csharp\Thomas\Server\ThomasOneDrive\obj\Release\OneDrive.pdb`. As implied by its name, this backdoor utilizes cloud services, specifically Microsoft OneDrive, as a command and control (C&C) server.

The backdoor collects a comprehensive set of metadata, including the external IPv4 address, local IPv4 address, agent ID, username, machine name, current directory, current process details (name, ID, architecture), stage 3 local start time, current local time, OS version, `CodeType` (refer to Table 3), and `AgentType` (refer to Table 3).

All the collected metadata is encrypted using RSA and then uploaded to OneDrive as a file named `Read_.max`. Once the metadata is sent, NosyDoor checks for commands from the C&C server in task files with the `.max` extension in the specified directory structure.

Each task file contains an encrypted command, encapsulated with values from the backdoor’s configuration. The command is decoded from base64 and decrypted using AES with the key `` and an initialization vector of `0`. The supported commands are listed in Table 2, with the `CMD_TYPE_TASKSCHEDULER` command mentioned but not implemented in observed samples.

Following command execution, NosyDoor encrypts the command output using AES, encodes it with base64, and encapsulates it with specific strings. The results are stored on the C&C server in files named based on local time (Unix timestamp multiplied by 100,000) and ending with the `.max` extension.

In case of an exception during operation, the backdoor logs the exception message along with the local time to `C:\Users\Public\Libraries\thomas.log`.

Additionally, the backdoor includes a custom dependency called `Library`, embedded as a resource using Costura (Costura.Fody). This dependency contains the command processing, the Microsoft OneDrive communication, and various helper methods, while the main binary handles the beaconing loop and reads the configuration file using the library.

The configuration data is stored in the encrypted file `log.cached`. NosyDoor decrypts this configuration by XORing it with the key `SecretKey`, decoding the result from base64, and then decrypting it using AES with the key `Thomas`, padded with null bytes to a length of 16, and an IV of `0`. The configuration detailed above can be visualized in Figure 4.

NosyStealer

In the case of NosyStealer, the extracted binary is a Go application designed to steal browser data from Microsoft Edge and Google Chrome. It retrieves a file named config from Google Docs containing the victim’s ID. NosyStealer then reads and archives the browser data, encrypting the archive with a custom cipher before exfiltrating it to Google Drive. A JSON-formatted configuration embedded in the binary allows access to Google Drive and Google Docs.

NosyStealer also logs errors and status messages to a Google Docs file named log, including information from multiple victims. The status message includes the constant 9, possibly indicating the NosyStealer version. The full status message format includes the victim’s local IPv4 addresses.

Additionally, analyzing ESET telemetry data revealed NosyDownloader, a downloader patched with malicious code found in networks compromised by LongNosedGoblin. This downloader executes obfuscated commands through PowerShell processes, bypassing AMSI in multiple stages.

Another tool, NosyLogger, is a C#/.NET keylogger based on the open-source keylogger DuckSharp. It encrypts and stores window names, keystrokes, and clipboard content in memory, appending them to a file every 10 seconds.

LongNosedGoblin also deploys other tools like ReverseSocks5, a reverse SOCKS5 proxy written in Go, and an argument runner that executes applications like FFmpeg for screen recording.

In conclusion, LongNosedGoblin is a China-aligned APT group targeting governmental entities in Southeast Asia and Japan. Its custom malware and its use of Group Policy for deployment and lateral movement point to a capable, targeted cyberespionage operation.
