Cybersecurity Pulse
LongNosedGoblin Caught Snooping on Asian Governments

Cybersecurity • December 19, 2025
Source: Dark Reading

Companies Mentioned

ESET, Microsoft (MSFT)

Why It Matters

Group Policy is the mechanism Active Directory uses to configure every domain-joined machine, so an attacker who has gained the rights to edit a GPO can push malware across a domain as an ordinary policy refresh, which makes credential theft and long-term persistence far more likely for the affected governments. The discovery also points to a broader trend: lateral movement through built-in administration tools, combined with command-and-control hidden inside legitimate cloud services, which defenders need to address now rather than after the next campaign.

Key Takeaways

  • LongNosedGoblin abuses Group Policy for lateral movement and malware deployment.
  • Custom C#/.NET malware with command-and-control over Microsoft OneDrive.
  • NosyHistorian harvests browser history and triggers the NosyDoor backdoor.
  • NosyDownloader, NosyStealer, NosyLogger and a reverse SOCKS5 proxy round out the toolset.
  • Fewer than 12 known victims, chiefly government bodies in Japan and Southeast Asia.

Pulse Analysis

The emergence of LongNosedGoblin underscores a shift in APT tradecraft toward native Windows administration tooling. Group Policy is how Active Directory pushes configuration to every domain-joined machine, so an actor that has already obtained the rights to edit a GPO (normally Domain Admins-level access, or delegated edit rights on the GPO itself) no longer has to touch hosts one by one: the domain's own policy refresh delivers the payload, and the change looks like routine administration. The technique is catalogued in MITRE ATT&CK as T1484.001 (Group Policy Modification), yet it remains comparatively rare in public APT reporting, which is exactly why it tends to be under-monitored. Security teams should therefore audit Group Policy changes specifically: which account edited which GPO, whether new client-side extensions (scripts, scheduled tasks) were added, where the GPO was linked, and whether the actor and the time of day fit the organization's change process, and correlate those edits with the credential use that preceded them.
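As an added illustration of the auditing described above (example code written for this page, not ESET's tooling or detection content from the original article), the following Python script runs a simple Group Policy change detector over constructed Windows Security event 5136 records. The allowlist of GPO administrators, the change window, the account names, GUIDs and distinguished names are all assumptions made for the example.

```python
"""Flag Group Policy changes that fall outside the expected change process.

Windows Security event 5136 ("A directory service object was modified") is
written on a domain controller whenever a GPO's AD object is edited.  Three
attribute changes carry most of the signal: versionNumber on a
groupPolicyContainer (every GPO edit increments it), gPCMachineExtensionNames
or gPCUserExtensionNames (a new kind of setting, e.g. a script or scheduled
task, was added to the GPO), and gPLink on a domain or OU object (a GPO was
linked or unlinked there).
"""
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical allowlist and change window (assumptions for this example).
GPO_ADMINS = {"CORP\\alice.adm", "CORP\\gpo-svc"}
CHANGE_WINDOW_UTC = (9, 17)   # GPO edits expected between 09:00 and 17:00 UTC
EXTENSION_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames"}

# Constructed sample records in the shape a SIEM exports 5136 fields.  The GUIDs,
# DNs and account names are invented, not indicators from the ESET research.
GPO_DN = "CN={E2A4C0F1-7B3D-4C9E-9A51-0D6F2B8C1A77},CN=Policies,CN=System,DC=corp,DC=local"
SAMPLE_EVENTS = [
    # Routine edit by an allowed admin inside the change window: no alert.
    {"EventID": 5136, "TimeCreated": "2025-12-18T10:15:00Z",
     "SubjectDomainName": "CORP", "SubjectUserName": "alice.adm",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "versionNumber", "AttributeValue": "43"},
    # Unrelated logon event; the detector ignores it.
    {"EventID": 4624, "TimeCreated": "2025-12-19T02:40:00Z",
     "SubjectDomainName": "CORP", "SubjectUserName": "svc-backup"},
    # A service account adds a new client-side extension to the GPO at 02:41 UTC
    # (the extension GUID pair below is invented).
    {"EventID": 5136, "TimeCreated": "2025-12-19T02:41:07Z",
     "SubjectDomainName": "CORP", "SubjectUserName": "svc-backup",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{00000000-0000-0000-0000-000000000000}{D7A2B3C4-5E6F-4A1B-8C9D-0E1F2A3B4C5D}]"},
    # ...and links that GPO at the domain root a minute later.
    {"EventID": 5136, "TimeCreated": "2025-12-19T02:42:30Z",
     "SubjectDomainName": "CORP", "SubjectUserName": "svc-backup",
     "ObjectClass": "domainDNS", "ObjectDN": "DC=corp,DC=local",
     "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": f"[LDAP://{GPO_DN};0]"},
]


def _parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_gpo_events(events, admins=GPO_ADMINS, window=CHANGE_WINDOW_UTC):
    """Return one alert dict per suspicious 5136 event, with the reasons."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        attr = ev.get("AttributeLDAPDisplayName", "")
        reasons = []
        if ev.get("ObjectClass") == "groupPolicyContainer":
            kind = "gpo_edit"
            if attr in EXTENSION_ATTRS:
                reasons.append("new client-side extension enabled on GPO")
        elif attr == "gPLink":
            kind = "gpo_link"
            reasons.append("GPO link changed on " + ev["ObjectDN"])
        else:
            continue  # neither a GPO object nor a GPO link
        actor = ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"]
        if actor not in admins:
            reasons.append("actor not in GPO admin allowlist")
        hour = _parse_utc(ev["TimeCreated"]).hour
        if not window[0] <= hour < window[1]:
            reasons.append("outside change window")
        if reasons:
            alerts.append({"time": ev["TimeCreated"], "actor": actor, "kind": kind,
                           "object": ev["ObjectDN"], "attribute": attr,
                           "reasons": reasons})
    return alerts


def actors_editing_and_linking(alerts, max_gap_s=600):
    """Actors with a flagged GPO edit and a flagged link change within max_gap_s
    seconds: edit-then-link is how a freshly weaponised GPO reaches its targets."""
    by_actor = defaultdict(list)
    for a in alerts:
        by_actor[a["actor"]].append(a)
    hits = set()
    for actor, items in by_actor.items():
        edits = [_parse_utc(a["time"]) for a in items if a["kind"] == "gpo_edit"]
        links = [_parse_utc(a["time"]) for a in items if a["kind"] == "gpo_link"]
        if any(abs((lk - ed).total_seconds()) <= max_gap_s for ed in edits for lk in links):
            hits.add(actor)
    return hits


if __name__ == "__main__":
    found = analyze_gpo_events(SAMPLE_EVENTS)
    for a in found:
        print(a["time"], a["actor"], a["kind"], "; ".join(a["reasons"]))
    print("edit+link sequence by:", actors_editing_and_linking(found))
```

Event 5136 only appears when the Directory Service Changes audit subcategory is enabled on the domain controllers and a SACL covering writes is set on the Policies container (and on the OUs whose gPLink matters); without the SACL nothing is logged. The AD object is also only half the story: the scripts or task definitions a GPO delivers live in SYSVOL under Policies\{GUID}, so pair this with file-share auditing (event 5145 on the SYSVOL share) for writes to that path.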

LongNosedGoblin's malware suite pairs custom development with command-and-control over a legitimate cloud service. The C#/.NET payloads, such as NosyHistorian and NosyDoor, use Microsoft OneDrive as the C2 channel, so beacons and tasking travel over TLS to Microsoft endpoints that most organizations cannot block and rarely inspect, which blunts network-level detection. Additional modules, NosyDownloader, NosyStealer, NosyLogger and a reverse SOCKS5 proxy, cover the full espionage lifecycle from reconnaissance to data exfiltration. Analysts note similarities to groups such as ToddyCat and Erudite Mogwai, yet the combination of Group Policy abuse and cloud-hosted C2 is a clear operational divergence and may reflect a deliberate effort to stay clear of existing threat-intel signatures.

For governments and enterprises across Asia, the threat translates into an urgent need to harden Active Directory. Strict least privilege (in particular, as few accounts as possible able to create, edit or link GPOs), regular auditing of Group Policy Objects and their links, and multi-factor authentication on privileged accounts reduce the chance that one stolen credential becomes a domain-wide compromise. On the endpoint, flag .NET processes that run from user-writable locations and talk to the internet; on the network, baseline which processes on which hosts reach OneDrive and Microsoft Graph endpoints and alert on newcomers and on fixed-interval polling, since that is where the hidden C2 channel shows. As nation-state actors continue to weaponize legitimate infrastructure, proactive defense and continuous threat-intel integration are what keep sensitive data protected and operations resilient.
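The process-and-cloud-API monitoring recommended above, as an added example written for this page (not code from ESET or from the original article), in Python over constructed EDR-style network-connection records. The API host list, the expected-process allowlist, the thresholds, and every host name, path and timestamp in the sample are assumptions for the example.

```python
"""Spot implants that use OneDrive / Microsoft Graph as a command channel.

The legitimate OneDrive client talks to Microsoft's cloud from a few signed
binaries under Program Files at irregular, user-driven times.  An implant
polling a OneDrive folder for tasking talks to the same hosts, but from an
unexpected process, often from a user-writable path, and on a timer.  This
rule scores each (host, process, image) triple on those three properties.
"""
import statistics
from collections import defaultdict

ONEDRIVE_API_HOSTS = {"graph.microsoft.com", "api.onedrive.com"}
# Processes expected to reach the OneDrive API (assumption for this example).
EXPECTED_PROCESSES = {"onedrive.exe", "msedge.exe", "chrome.exe", "outlook.exe", "excel.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
MIN_CONNECTIONS = 4        # below this the interval statistics mean little
MAX_CV_FOR_BEACON = 0.2    # stdev/mean of inter-connection gaps; timers are tight

BASE_T = 1_766_106_000     # arbitrary epoch base for the constructed sample


def _conn(host, process, image, dest, offset):
    return {"host": host, "process": process, "image": image,
            "dest": dest, "ts": BASE_T + offset}


# Constructed EDR-style records; host names, paths and timings are invented.
SAMPLE_CONNECTIONS = (
    # Real OneDrive client syncing whenever the user saves something.
    [_conn("WS-042", "OneDrive.exe", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
           "graph.microsoft.com", t) for t in (0, 40, 900, 1000, 3600, 3650)]
    # Browser session: two requests, too few to judge either way.
    + [_conn("WS-042", "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "graph.microsoft.com", t) for t in (120, 125)]
    # Unknown binary under AppData polling every ~5 minutes with a few seconds of jitter.
    + [_conn("WS-042", "updater.exe", r"C:\Users\jdoe\AppData\Roaming\Updater\updater.exe",
             "api.onedrive.com", t) for t in (0, 300, 605, 903, 1205, 1505)]
    # Same binary talking to an unrelated host: outside this rule's scope.
    + [_conn("WS-042", "updater.exe", r"C:\Users\jdoe\AppData\Roaming\Updater\updater.exe",
             "example.com", 50)]
)


def detect_cloud_c2(connections, expected=EXPECTED_PROCESSES):
    """Return one alert per unexpected process contacting OneDrive API hosts,
    with periodicity and image-path findings attached as reasons."""
    by_triple = defaultdict(list)
    for c in connections:
        if c["dest"] in ONEDRIVE_API_HOSTS:
            by_triple[(c["host"], c["process"].lower(), c["image"])].append(c["ts"])
    alerts = []
    for (host, proc, image), stamps in by_triple.items():
        reasons = []
        if proc not in expected:
            reasons.append("unexpected process for OneDrive API")
        if any(m in image.lower() for m in USER_WRITABLE_MARKERS):
            reasons.append("image in user-writable path")
        stamps.sort()
        mean_gap = cv = None
        if len(stamps) >= MIN_CONNECTIONS:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            mean_gap = statistics.mean(gaps)
            cv = statistics.stdev(gaps) / mean_gap if mean_gap else 0.0
            if cv < MAX_CV_FOR_BEACON:
                reasons.append(f"periodic: every ~{round(mean_gap)}s, cv={cv:.3f}")
        # Alert only on unexpected processes: OneDrive.exe has its own sync
        # timer and would otherwise be the noisiest hit.
        if reasons and proc not in expected:
            alerts.append({"host": host, "process": proc, "image": image,
                           "connections": len(stamps), "mean_gap_s": mean_gap,
                           "cv": cv, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_cloud_c2(SAMPLE_CONNECTIONS):
        print(a["host"], a["process"], a["connections"], "; ".join(a["reasons"]))
```

In production, join this on module-load telemetry (clr.dll or coreclr.dll loaded in the process) to key the rule to .NET binaries as the article describes, and remember that the traffic itself is TLS to Microsoft, so host names come from SNI or proxy logs rather than content inspection. Token acquisition against login.microsoftonline.com is deliberately left out of the host set; nearly every Microsoft-integrated product hits it and it would swamp the rule.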
