- LongNosedGoblin is a newly discovered China-aligned Advanced Persistent Threat (APT) group targeting governmental entities in Southeast Asia and Japan, with the goal of cyberespionage.
- This APT group uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as C&C.
- One of the group’s tools, NosyHistorian, is used to gather browser history and decide where to deploy further malware, such as the NosyDoor backdoor.
- NosyDoor is most likely being shared by multiple China-aligned threat actors.
BRATISLAVA, Slovakia, Dec. 18, 2025 (GLOBE NEWSWIRE) — ESET Research has discovered a new China-aligned APT group, LongNosedGoblin, that abuses Group Policy – a mechanism for managing settings and permissions on Windows machines, typically used with Active Directory – to deploy malware and move laterally across the compromised network. It is used to deploy cyberespionage tools across networks of governmental institutions in Southeast Asia and Japan. In 2024, ESET researchers noticed previously undocumented malware in the network of a Southeast Asian governmental entity. However, the group has been active since at least since September 2023. As of this September, ESET began observing renewed activity by the group in the region. It deploys malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) for Command & Control (C&C).
LongNosedGoblin has several tools in its arsenal. NosyHistorian is a C#/.NET application that the group uses to collect browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox, which is then used to determine where to deploy further malware. NosyDoor collects metadata about the victim’s machine, including the machine name, username, the OS version, and the name of the current process, and sends it all to the C&C. It then retrieves and parses task files with commands from the C&C. The commands allow it to exfiltrate files, delete files, and execute shell commands, among other things.
NosyStealer is used to steal browser data from Microsoft Edge and Google Chrome. NosyDownloader executes a chain of obfuscated commands, and downloads and runs a payload in memory. Among other tools used by LongNosedGoblin, ESET identified a C#/.NET keylogger NosyLogger, which seems to be a modified version of the open-source keylogger DuckSharp. Among other tools used by the group is a reverse SOCKS5 proxy, and an argument runner (a tool that runs an application passed as an argument) that was used to run a video recorder, likely FFmpeg, to capture audio and video.
“We later identified another instance of a NosyDoor variant targeting an organization in an EU country, once again employing different techniques, and using the Yandex Disk cloud service as a C&C server. The use of this NosyDoor variant suggests that the malware may be shared among multiple China-aligned threat groups,” says ESET researcher Anton Cherepanov, who investigated LongNosedGoblin with fellow ESET researcher Peter Strýček.
For a more detailed analysis of LongNosedGoblin’s arsenal, check out the latest ESET Research blogpost “LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
About ESET
ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit http://www.eset.com or follow our social media, podcasts and blogs.
