Security researchers at ESET have identified a previously undocumented advanced persistent threat group, named LongNosedGoblin, which has been conducting cyberespionage operations against government organizations in Southeast Asia and Japan since at least September 2023. The group came to light after ESET analysts discovered stealthy and previously undetected malware operating inside a Southeast Asian government network, revealing a sophisticated campaign centered on long-term access, intelligence collection, and lateral movement within trusted enterprise environments.
The investigation began in February 2024 when analysts uncovered suspicious activity that led them to multiple compromised systems within the same government environment. Further analysis showed that the attackers had abused Active Directory Group Policy, a legitimate Windows network administration mechanism, to deploy malware and propagate across systems. This technique allowed the attackers to execute malicious payloads through trusted processes, significantly reducing the likelihood of detection. ESET researchers identified a collection of custom-built tools developed mainly in C# and .NET, highlighting the technical maturity of the operation. Central to the toolset was NosyDoor, a custom backdoor that uses Microsoft OneDrive as its command-and-control infrastructure. By relying on a widely used cloud service, the attackers were able to blend malicious traffic with normal network activity.
NosyDoor operates through a multi-stage execution chain designed for stealth and persistence. The process begins with a dropper masquerading as a Registry Policy file delivered through Group Policy. This is followed by an injection phase that abuses the legitimate Windows binary UevAppMonitor.exe via AppDomainManager manipulation, enabling the malware to load without raising alarms. The final stage deploys an encrypted payload that establishes long-term access to the infected system. In addition to NosyDoor, ESET discovered NosyHistorian, a reconnaissance tool that collects browsing history from Chrome, Edge, and Firefox to assess which machines may hold intelligence value. This selective targeting demonstrates a deliberate approach focused on high-value systems rather than broad infection.
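To make the first two stages of that chain concrete from a defender's side, here is an added Python example (not ESET's code and not a sample from the LongNosedGoblin toolset). It shows two triage checks a responder could run over artifacts pulled from SYSVOL and from the directory of a suspect signed .NET binary: whether a file presented as a Registry Policy file actually carries the Registry.pol format header rather than an executable, and whether an application configuration file or the process environment redirects the .NET Framework to a custom AppDomainManager, which is the load primitive the text describes for UevAppMonitor.exe. The Registry.pol signature and the .NET Framework configuration elements and environment variables are documented formats; the file names, the "Loader" assembly name, and all sample bytes below are constructed for illustration.

```python
"""Triage checks for the two NosyDoor delivery stages described above.

Added example, not ESET's code. All inputs are constructed in memory
so the script runs offline; the paths, names and bytes are not real IoCs.
"""
import xml.etree.ElementTree as ET

# A genuine Registry.pol begins with the 4-byte signature "PReg" followed
# by a little-endian DWORD version of 1. A dropper that merely borrows the
# file name will usually start with a PE header ("MZ") instead.
REGPOL_MAGIC = b"PReg\x01\x00\x00\x00"
PE_MAGIC = b"MZ"

# Documented process-wide switches for the same AppDomainManager redirection.
ADM_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def check_registry_pol(name: str, data: bytes) -> list[str]:
    """Return findings for a file that a GPO presents as Registry.pol."""
    findings = []
    if not data.startswith(REGPOL_MAGIC):
        findings.append(f"{name}: missing Registry.pol header (PReg, version 1)")
    if data.startswith(PE_MAGIC):
        findings.append(f"{name}: body is a PE executable (MZ header)")
    return findings


def check_app_config(name: str, xml_text: str) -> list[str]:
    """Flag an <exe>.config whose <runtime> section names an AppDomainManager.

    The documented form is <appDomainManagerAssembly value="..."/> and
    <appDomainManagerType value="..."/> as children of <runtime>; the
    attribute spelling on <runtime> itself is checked as well to be safe.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"{name}: unparseable config ({exc})"]
    findings = []
    for runtime in root.iter("runtime"):
        asm = runtime.get("appDomainManagerAssembly")
        typ = runtime.get("appDomainManagerType")
        for child in runtime:
            if child.tag == "appDomainManagerAssembly":
                asm = child.get("value", asm)
            elif child.tag == "appDomainManagerType":
                typ = child.get("value", typ)
        if asm or typ:
            findings.append(f"{name}: runtime sets AppDomainManager {asm!r} / {typ!r}")
    return findings


def check_environment(env: dict[str, str]) -> list[str]:
    """Flag either AppDomainManager environment variable if it is set."""
    return [f"env: {k}={v}" for k, v in env.items() if k.upper() in ADM_ENV_VARS]


# ---- constructed samples (not real artifacts) -----------------------------
SAMPLE_POL_FILES = {
    # A plausible genuine file: header plus the start of a UTF-16LE entry.
    "SYSVOL/.../Machine/Registry.pol": REGPOL_MAGIC
    + b"[" + "Software\\Policies".encode("utf-16-le") + b"]",
    # A dropper wearing the policy file's name.
    "SYSVOL/.../User/Registry.pol": b"MZ\x90\x00" + b"\x00" * 60,
}

BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0"/></startup>
</configuration>"""

# "Loader" is a constructed assembly name, not one from the report.
HIJACK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Loader.Manager"/>
  </runtime>
</configuration>"""

SAMPLE_ENV = {"COMPUTERNAME": "WS01", "APPDOMAIN_MANAGER_ASM": "Loader"}


def triage() -> list[str]:
    """Run every check over the constructed samples and return all findings."""
    findings = []
    for name, data in SAMPLE_POL_FILES.items():
        findings += check_registry_pol(name, data)
    findings += check_app_config("UevAppMonitor.exe.config (benign)", BENIGN_CONFIG)
    findings += check_app_config("UevAppMonitor.exe.config (hijack)", HIJACK_CONFIG)
    findings += check_environment(SAMPLE_ENV)
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

On a live system the same functions would be fed the bytes of each Registry.pol under the domain's SYSVOL share and the `.config` file sitting beside any signed .NET binary that is seen launching from an unusual parent; a hit on either check is a strong lead, but a clean result only rules out these two specific stages, not the campaign.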
The broader toolkit also includes NosyStealer, which exfiltrates browser data to Google Drive using official cloud APIs, further masking malicious activity as legitimate traffic. Another component, NosyDownloader, is a PowerShell-based loader that runs entirely in memory and bypasses the Antimalware Scan Interface, reducing its forensic footprint. ESET also identified NosyLogger, a keylogging tool written in C# that records keystrokes and clipboard data, encrypting its output using AES to prevent easy analysis. Researchers noted that some variants of NosyDoor contain execution guardrails that restrict activation to specific machines, reinforcing the targeted nature of the campaign. The group consistently employs living-off-the-land techniques, relying on legitimate binaries already present on Windows systems to avoid introducing suspicious files.
Based on code similarities, infrastructure overlaps, and victimology, ESET attributes LongNosedGoblin to China-aligned threat actors. While analysts observed partial overlap with known clusters such as ToddyCat, the consistent abuse of Group Policy as a deployment vector sets LongNosedGoblin apart from previously documented groups. Throughout 2024, the attackers continued refining their operations, introducing additional loaders including oci.dll and mscorsvc.dll, which researchers believe may be linked to Cobalt Strike beacons distributed through Group Policy mechanisms. ESET’s findings underscore how trusted enterprise tools and popular cloud services can be repurposed for covert intelligence gathering. To assist defenders, the company has released indicators of compromise and malware samples through its public GitHub repository, enabling organizations to detect and mitigate related activity.