ESET Research has discovered a new China-aligned APT group, LongNosedGoblin, that abuses Group Policy – a mechanism for managing settings and permissions on Windows machines, typically used with Active Directory – to deploy malware and move laterally across the compromised network. It is used to deploy cyberespionage tools across networks of governmental institutions in Southeast Asia and Japan. In 2024, ESET researchers noticed previously undocumented malware in the network of a Southeast Asian governmental entity. However, the group has been active since at least since September 2023. As of this September, ESET began observing renewed activity by the group in the region. It deploys malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) for Command & Control (C&C).
LongNosedGoblin has several tools in its arsenal. NosyHistorian is a C#/.NET application that the group uses to collect browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox, which is then used to determine where to deploy further malware. NosyDoor collects metadata about the victim’s machine, including the machine name, username, the OS version, and the name of the current process, and sends it all to the C&C. It then retrieves and parses task files with commands from the C&C. The commands allow it to exfiltrate files, delete files, and execute shell commands, among other things.
NosyStealer is used to steal browser data from Microsoft Edge and Google Chrome. NosyDownloader executes a chain of obfuscated commands, and downloads and runs a payload in memory. Among other tools used by LongNosedGoblin, ESET identified a C#/.NET keylogger NosyLogger, which seems to be a modified version of the open-source keylogger DuckSharp. Among other tools used by the group is a reverse SOCKS5 proxy, and an argument runner (a tool that runs an application passed as an argument) that was used to run a video recorder, likely FFmpeg, to capture audio and video.
For a more detailed analysis of LongNosedGoblin’s arsenal, check out the latest ESET Research blogpost “LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan” on WeLiveSecurity.com.
Related
This entry was posted on December 18, 2025 at 12:00 pm and is filed under Commentary with tags ESET. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
New Chinese group LongNosedGoblin deploys cyberespionage tools in Southeast Asia and Japan: ESET
ESET Research has discovered a new China-aligned APT group, LongNosedGoblin, that abuses Group Policy – a mechanism for managing settings and permissions on Windows machines, typically used with Active Directory – to deploy malware and move laterally across the compromised network. It is used to deploy cyberespionage tools across networks of governmental institutions in Southeast Asia and Japan. In 2024, ESET researchers noticed previously undocumented malware in the network of a Southeast Asian governmental entity. However, the group has been active since at least since September 2023. As of this September, ESET began observing renewed activity by the group in the region. It deploys malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) for Command & Control (C&C).
LongNosedGoblin has several tools in its arsenal. NosyHistorian is a C#/.NET application that the group uses to collect browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox, which is then used to determine where to deploy further malware. NosyDoor collects metadata about the victim’s machine, including the machine name, username, the OS version, and the name of the current process, and sends it all to the C&C. It then retrieves and parses task files with commands from the C&C. The commands allow it to exfiltrate files, delete files, and execute shell commands, among other things.
NosyStealer is used to steal browser data from Microsoft Edge and Google Chrome. NosyDownloader executes a chain of obfuscated commands, and downloads and runs a payload in memory. Among other tools used by LongNosedGoblin, ESET identified a C#/.NET keylogger NosyLogger, which seems to be a modified version of the open-source keylogger DuckSharp. Among other tools used by the group is a reverse SOCKS5 proxy, and an argument runner (a tool that runs an application passed as an argument) that was used to run a video recorder, likely FFmpeg, to capture audio and video.
For a more detailed analysis of LongNosedGoblin’s arsenal, check out the latest ESET Research blogpost “LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan” on WeLiveSecurity.com.
Share this:
Like this:
Related
This entry was posted on December 18, 2025 at 12:00 pm and is filed under Commentary with tags ESET. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.