ESET Research calls out the emergence of a new Advanced Persistent Threat (APT) group named LongNosedGoblin, believed to be aligned with Chinese interests, that has been actively targeting governmental bodies in Southeast Asia and Japan.
ESET researchers initially identified previously undocumented malware within the system of a Southeast Asian governmental entity in 2024. Since then, further investigations have linked these malicious activities to LongNosedGoblin, which has reportedly been operational since at least September 2023.
The group's tactics involve the use of Group Policy—a feature in Windows that manages settings across networks—to deploy malware and facilitate lateral movement within compromised systems.
This discovery highlights the growing sophistication of cyberespionage efforts in the region, as this group employs various techniques to infiltrate and exploit networks.
One of the key tools used by LongNosedGoblin is NosyHistorian, a C#/.NET application designed to collect browser history from widely used web browsers such as Google Chrome and Mozilla Firefox.
This data is utilised to inform the group on where to deploy additional malware, including the NosyDoor backdoor, which collects vital metadata from infected machines and communicates with cloud-based Command & Control (C&C) servers, such as Microsoft OneDrive and Google Drive.
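As an added illustration of how a defender can look for the behaviour described above, the following Python detection logic (written for this article, not ESET's or the group's code) flags any non-browser process that opens the Chrome or Firefox history databases. It assumes endpoint telemetry that records which process opened which file (constructed records below) and that only chrome.exe and firefox.exe legitimately read these files; tune that allowlist for your environment.

```python
from fnmatch import fnmatch

# History databases a browser-history collector such as NosyHistorian would need
# to read (the article names Chrome and Firefox). Glob patterns are matched
# against normalised (lower-case, backslash-separated) Windows paths.
HISTORY_DB_PATTERNS = [
    r"*\google\chrome\user data\*\history",
    r"*\mozilla\firefox\profiles\*\places.sqlite",
]

# Processes expected to touch these files. Assumption: extend per estate.
BROWSER_IMAGES = {"chrome.exe", "firefox.exe"}


def normalise(path):
    """Lower-case and use backslashes so patterns match regardless of log source."""
    return path.replace("/", "\\").lower()


def is_history_db(path):
    """True if the path is a Chrome or Firefox history database."""
    p = normalise(path)
    return any(fnmatch(p, pat) for pat in HISTORY_DB_PATTERNS)


def find_suspicious_history_access(records):
    """Return (image, target) pairs where a non-browser process opened a history DB."""
    hits = []
    for rec in records:
        image_name = normalise(rec["image"]).rsplit("\\", 1)[-1]
        if is_history_db(rec["target"]) and image_name not in BROWSER_IMAGES:
            hits.append((rec["image"], rec["target"]))
    return hits


# Constructed sample telemetry (not real IoCs): process image and file opened.
SAMPLE_RECORDS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x1.default-release\places.sqlite"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for image, target in find_suspicious_history_access(SAMPLE_RECORDS):
        print(f"ALERT non-browser history access: {image} -> {target}")
```

Running it against the constructed records reports the Temp-resident executable and the PowerShell process, and ignores Chrome's own access and the unrelated text file.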
ESET's findings indicate that LongNosedGoblin employs a range of sophisticated tools, including NosyStealer, which siphons browser data, and NosyDownloader, which executes obfuscated commands to download malicious payloads. Notably, the group also utilises a keylogger named NosyLogger, likely a modified version of the open-source keylogger DuckSharp, to capture keystrokes discreetly.
Researchers also observed a variant of NosyDoor targeting an organisation in an EU country, deploying different techniques, which suggests that this malware may be shared among various China-aligned threat actors. This underscores a concerning pattern of cross-collaboration among cybercriminals.
ESET researcher Anton Cherepanov said the identification of LongNosedGoblin and its arsenal signifies an evolving threat landscape that demands heightened awareness from governmental institutions and cybersecurity professionals alike.
