China-Aligned Threat Group “LongNosedGoblin” Deploys Espionage Malware via Windows Group Policy

A newly identified China-aligned threat cluster, dubbed LongNosedGoblin, has been linked to cyber espionage campaigns targeting governmental entities in Southeast Asia, Japan, and parts of the EU.

Key Findings

  • Active since: At least September 2023.
  • Discovery: First detected by ESET in February 2024 on a Southeast Asian government system.
  • Technique:
    • Uses Windows Group Policy to deploy malware across compromised networks.
    • Leverages cloud services (Microsoft OneDrive, Google Drive, Yandex Disk) as command-and-control (C&C) servers.
  • Goal: Long-term cyber espionage — exfiltrating sensitive data, monitoring activity, and maintaining persistence.

Custom Toolset (C#/.NET Applications)

  • NosyHistorian → Collects browser history (Chrome, Edge, Firefox).
  • NosyDoor → Backdoor using OneDrive as C&C; can exfiltrate files, delete files, and run shell commands.
  • NosyStealer → Exfiltrates browser data to Google Drive in encrypted TAR archives.
  • NosyDownloader → Downloads and runs payloads in memory (e.g., NosyLogger).
  • NosyLogger → Modified DuckSharp keylogger.
  • Additional tools: Reverse SOCKS5 proxy, video/audio recorder, Cobalt Strike loader.

Attack Characteristics

  • Targeted deployment: Only a subset of victims infected with NosyDoor, suggesting selective targeting.
  • Execution guardrails: Droppers include victim-specific checks to avoid detection outside intended targets.
  • Infrastructure overlap: Tradecraft shows similarities with ToddyCat and Erudite Mogwai, but no definitive attribution.
  • Malware sharing: Evidence suggests NosyDoor variants may be licensed or shared among multiple China-aligned groups.

Recent Observations

  • A NosyDoor variant was found targeting an EU organization, using Yandex Disk as C&C.
  • Indicates adaptability and multi-group usage of the malware.

Defensive Recommendations

  • Audit Group Policy: Monitor for unauthorized changes or unusual script deployments.
  • Cloud service monitoring: Track suspicious OneDrive/Google Drive/Yandex Disk connections.
  • Endpoint detection: Look for Nosy* toolset behaviors (encrypted TAR archives, AppDomainManager injection).
  • Network monitoring: Detect reverse SOCKS5 proxies and anomalous outbound traffic.
  • Threat hunting: Watch for overlaps with known APT tooling like Cobalt Strike.
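As an added illustration of the Group Policy audit and cloud-service monitoring items above (example code written for this summary, not ESET's or the report's own), the following Python hunt runs over constructed log records. It assumes Windows Security event 5136 (directory service object modified) and Sysmon event 3 (network connection) exported as JSON lines; the cloud host list, the allowed-client set and the GPO editor account are assumptions to tune locally.

```python
"""Added hunt over constructed logs for two LongNosedGoblin signals named above:
GPO edits by unexpected accounts, and unexpected processes using cloud storage."""
import json

# Assumed sources (not from the report): Windows Security event 5136 (directory
# service object modified) and Sysmon event 3 (network connection), one JSON per line.
CLOUD_STORAGE_HOSTS = ("onedrive.live.com", "graph.microsoft.com", "googleapis.com",
                       "drive.google.com", "cloud-api.yandex.net", "disk.yandex.ru")
ALLOWED_CLOUD_CLIENTS = {"onedrive.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
GPO_EDITORS = {"gpo-admin"}  # accounts permitted to edit GPOs (constructed)

# Constructed sample records; GUIDs, hosts and account names are invented.
SAMPLE_LOG = r"""
{"EventID":5136,"SubjectUserName":"gpo-admin","ObjectClass":"groupPolicyContainer","ObjectDN":"CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example","AttributeLDAPDisplayName":"versionNumber"}
{"EventID":5136,"SubjectUserName":"svc-backup","ObjectClass":"groupPolicyContainer","ObjectDN":"CN={66666666-7777-8888-9999-000000000000},CN=Policies,CN=System,DC=corp,DC=example","AttributeLDAPDisplayName":"gPCMachineExtensionNames"}
{"EventID":3,"Image":"C:\\Windows\\System32\\svchost.exe","DestinationHostname":"wsus.corp.example","DestinationPort":443}
{"EventID":3,"Image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe","DestinationHostname":"graph.microsoft.com","DestinationPort":443}
{"EventID":3,"Image":"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe","DestinationHostname":"onedrive.live.com","DestinationPort":443}
"""

def is_cloud_storage(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)

def suspicious_gpo_changes(events):
    """GPO container edits (5136) by accounts outside the expected set."""
    return [e["ObjectDN"] for e in events
            if e.get("EventID") == 5136
            and e.get("ObjectClass") == "groupPolicyContainer"
            and e.get("SubjectUserName", "").lower() not in GPO_EDITORS]

def suspicious_cloud_connections(events):
    """Sysmon 3 connections to cloud storage from binaries not on the allow list."""
    hits = []
    for e in (e for e in events if e.get("EventID") == 3):
        exe = e.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        host = e.get("DestinationHostname", "").lower()
        if is_cloud_storage(host) and exe not in ALLOWED_CLOUD_CLIENTS:
            hits.append((exe, host))
    return hits

def hunt(text):
    """Parse JSON-lines log text and return both kinds of findings."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return {"gpo_changes": suspicious_gpo_changes(events),
            "cloud_c2": suspicious_cloud_connections(events)}

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_LOG), indent=2))
```

A real deployment would feed the same functions from the SIEM export rather than the embedded sample and would widen the host list to the tenant-specific endpoints the organisation actually uses.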

Takeaway

LongNosedGoblin demonstrates how trusted enterprise mechanisms (Group Policy, cloud storage) can be weaponized for stealthy espionage. Its modular toolset and selective targeting highlight a sophisticated, persistent threat likely to remain active across multiple regions.
