VYPR research · Published Dec 18, 2025 · Updated May 18, 2026 · 1 source

ESET Uncovers New China-Aligned APT Group LongNosedGoblin Targeting Southeast Asian and Japanese Governments

ESET researchers have discovered a previously undocumented China-aligned APT group, dubbed LongNosedGoblin, that has been conducting cyberespionage against governmental entities in Southeast Asia and Japan since at least September 2023, using Group Policy for lateral movement and cloud services for command and control.

ESET researchers have uncovered a new China-aligned advanced persistent threat (APT) group, which they have named LongNosedGoblin, that has been targeting governmental entities in Southeast Asia and Japan since at least September 2023. The group's primary objective is cyberespionage, and it relies on a distinctive set of custom tools and techniques to gain a foothold in, and move laterally within, compromised networks.

LongNosedGoblin's most notable operational tactic is its abuse of Active Directory Group Policy to deploy malware and move laterally across systems. This approach allows the group to efficiently spread its malicious tools across multiple machines within a targeted organization. Additionally, the group leverages legitimate cloud services, including Microsoft OneDrive and Google Drive, as command and control (C2) servers, making its traffic blend in with normal business operations.
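A Group Policy push of this kind leaves a definition in SYSVOL, typically a Group Policy Preferences scheduled task, so one defender-side check is to audit those definitions. The script below is an added example, not from ESET's report and not the group's tooling: it parses a constructed ScheduledTasks.xml and flags tasks whose binary sits outside an assumed trusted-directory list or whose command is a script interpreter; the allowlist, the launcher set and the sample paths are assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample of a Group Policy Preferences ScheduledTasks.xml (the file that lives under
# SYSVOL\<domain>\Policies\<GPO GUID>\Machine\Preferences\ScheduledTasks\). Names and paths are made up.
# ImmediateTaskV2 entries run as soon as the policy applies, which is what makes them a convenient push.
SAMPLE_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 name="DiskCleanup"><Properties action="C" name="DiskCleanup" runAs="NT AUTHORITY\System">
    <Task version="1.2"><Actions Context="Author">
      <Exec><Command>C:\Windows\System32\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments></Exec>
    </Actions></Task></Properties></TaskV2>
  <ImmediateTaskV2 name="Updater"><Properties action="C" name="Updater" runAs="NT AUTHORITY\System">
    <Task version="1.2"><Actions Context="Author">
      <Exec><Command>C:\ProgramData\svc\update.exe</Command><Arguments></Arguments></Exec>
    </Actions></Task></Properties></ImmediateTaskV2>
  <ImmediateTaskV2 name="Sync"><Properties action="C" name="Sync" runAs="NT AUTHORITY\System">
    <Task version="1.2"><Actions Context="Author">
      <Exec><Command>powershell.exe</Command><Arguments>-NonInteractive -File C:\ProgramData\sync.ps1</Arguments></Exec>
    </Actions></Task></Properties></ImmediateTaskV2>
</ScheduledTasks>"""

# Assumptions for this example: directories a site treats as trusted, and interpreters/LOLBins whose
# presence in a GPO-pushed task warrants review regardless of where they live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LAUNCHERS = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

def audit_gpp_tasks(xml_text):
    """Return (task_name, element_kind, command, reason) for every Exec action worth a second look."""
    findings = []
    for task in ET.fromstring(xml_text):          # TaskV2 / ImmediateTaskV2 / legacy Task entries
        name, kind = task.get("name", "?"), task.tag
        for exec_node in task.iter("Exec"):
            cmd = (exec_node.findtext("Command") or "").strip().strip('"')
            args = (exec_node.findtext("Arguments") or "").strip()
            exe = PureWindowsPath(cmd).name.lower()
            if exe in LAUNCHERS:
                findings.append((name, kind, cmd, f"launcher, args: {args!r}"))
            elif not cmd.lower().startswith(TRUSTED_DIRS):
                findings.append((name, kind, cmd, "binary outside trusted directories"))
    return findings

if __name__ == "__main__":
    for name, kind, cmd, reason in audit_gpp_tasks(SAMPLE_XML):
        print(f"[{kind}] {name}: {cmd} -> {reason}")
```

Run against real SYSVOL exports, the same loop applies to Scripts.ini (startup/logon scripts), the other common Group Policy delivery path.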

The group's toolset consists primarily of C#/.NET applications, with several key components identified by ESET. NosyHistorian is a browser history collector that helps the attackers determine where to deploy further malware. NosyDoor is a backdoor that uses AppDomainManager injection and can bypass the Antimalware Scan Interface (AMSI). Other tools include NosyStealer for exfiltrating browser data, NosyDownloader for in-memory payload execution, NosyLogger for keylogging, a reverse SOCKS5 proxy, and a tool to run FFmpeg for capturing audio and video.

ESET's discovery began in February 2024 when they found unknown malware on a system belonging to a Southeast Asian governmental entity. Further investigation revealed that the malware had been deployed via Group Policy across multiple machines. The researchers later identified additional victims and tools, with NosyDownloader first appearing in telemetry as far back as September 2023.

Attribution to a new China-aligned group was based on the unique toolset and the specific use of Group Policy for lateral movement. While ESET noted some overlap in file paths with the ToddyCat APT group, there was no code similarity. Interestingly, in June 2025, Russian cybersecurity company Solar published a report on a group called Erudite Mogwai that used a payload resembling NosyDoor, but ESET could not confirm they are the same due to differing TTPs, particularly the absence of Group Policy abuse in Erudite Mogwai's operations.

ESET also found evidence suggesting that NosyDoor may be shared among multiple China-aligned threat actors. A variant targeting an organization in an EU country used Yandex Disk as a C2 server, and a PDB path containing the word "Paid" in NosyDoor samples suggests the malware may be commercially available as a service, potentially sold or licensed to other groups.

Throughout 2024, LongNosedGoblin remained active, deploying NosyDownloader in Southeast Asia and an updated version of NosyHistorian in Japan in December 2024. The discovery of this new APT group highlights the ongoing and evolving threat posed by state-sponsored cyberespionage operations targeting government networks in the region.

Synthesized by Vypr AI