Because binaries pushed through Group Policy arrive over a trusted, built-in administrative channel, the technique can slip past endpoint defenses tuned for remote-execution tooling or unusual process lineage, raising the risk of large-scale espionage against critical government networks. Detecting it is essential for regional cybersecurity resilience and for protecting sensitive state data.
LongNosedGoblin adds a fresh entry to the roster of China-aligned advanced persistent threats that target state actors in the Indo-Pacific. First observed by ESET in early 2024, the group's campaigns span Southeast Asian ministries and Japanese government agencies, pointing to a strategic interest in regional policy and intelligence. By naming the group, researchers highlight a shift toward infrastructure-level intrusion techniques that go beyond classic phishing lures or ransomware payloads.
The core of LongNosedGoblin's operation is a custom C#/.NET toolchain that abuses Windows Group Policy, a legitimate administrative mechanism rather than a software flaw, to push malicious binaries to many hosts across an Active Directory forest at once. NosyHistorian harvests browser histories so that operators can prioritize high-value targets, while the NosyDoor backdoor uses cloud storage services such as Microsoft OneDrive and Google Drive as command-and-control channels, blending its beacons into ordinary SaaS traffic. The malware also incorporates AMSI bypasses and AppDomainManager injection, so its .NET payloads execute in memory inside a trusted host process without triggering conventional antivirus signatures, and recent samples have been observed delivering Cobalt Strike loaders through the same policy-based mechanism.
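AppDomainManager injection is a generic .NET Framework feature rather than anything specific to this toolset: the runtime can be told, through an application's .config file or through two environment variables, to load an arbitrary assembly as the AppDomainManager before the host program's own code runs (catalogued by MITRE as T1574.014). The following hunt script is an added example written for this page, not code from ESET or from the malware; it checks both documented entry points on a host. The scan roots and the empty allow-list are assumptions chosen for illustration.

```powershell
# Added example (not code from ESET or the article): hunt for the two documented ways to
# steer the .NET runtime into attacker-supplied AppDomainManager code (MITRE T1574.014):
#   1. <appDomainManagerAssembly>/<appDomainManagerType> under <runtime> in an app's .config
#   2. APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables, which apply to
#      every .NET Framework process started in that environment
# The scan roots and the allow-list are assumptions chosen for illustration.
param(
    [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}",
                         "$env:ProgramData", "$env:SystemRoot\Temp"),   # assumption
    [string[]]$KnownGoodAssemblies = @()   # vetted names; empty means report every hit
)

$hits = [System.Collections.Generic.List[object]]::new()

# 1. app.exe.config files that redirect the AppDomainManager
foreach ($root in $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.exe.config' -ErrorAction SilentlyContinue |
    ForEach-Object {
        try { [xml]$cfg = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction Stop } catch { return }
        $rt = $cfg.configuration.runtime
        if ($null -eq $rt) { return }
        $asm = $rt.appDomainManagerAssembly.value
        $typ = $rt.appDomainManagerType.value
        if ($asm -or $typ) {
            $hits.Add([pscustomobject]@{
                Source   = 'config'
                Where    = $_.FullName
                Assembly = $asm
                Type     = $typ
                Modified = $_.LastWriteTimeUtc
            })
        }
    }
}

# 2. environment variables at machine, user and current-process scope
foreach ($scope in 'Machine', 'User', 'Process') {
    foreach ($name in 'APPDOMAIN_MANAGER_ASM', 'APPDOMAIN_MANAGER_TYPE') {
        $value = [Environment]::GetEnvironmentVariable($name, $scope)
        if ($value) {
            $hits.Add([pscustomobject]@{
                Source   = "env:$scope"
                Where    = $name
                Assembly = $value
                Type     = $null
                Modified = $null
            })
        }
    }
}

# Anything not on the allow-list is a triage item: legitimate software almost never sets these.
$hits | Where-Object { -not ($KnownGoodAssemblies -contains $_.Assembly) } |
    Sort-Object Source, Where | Format-Table -AutoSize
```

A hit is worth treating as malicious until proven otherwise, since very few legitimate applications set a custom AppDomainManager; the named assembly (and, for the config case, the directory it is loaded from) is the artifact to pull for analysis. The environment-variable check is especially relevant to the Group Policy delivery described above, because a policy can set machine-scope variables on every targeted host.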
For defenders, Group Policy abuse demands a reevaluation of detection baselines. Monitoring changes to Group Policy objects and the SYSVOL share, auditing the privileged accounts able to edit them, and correlating cloud-storage traffic with the originating process on the host can surface the lateral-movement pattern LongNosedGoblin relies on. Moreover, the apparent sharing of NosyDoor components across multiple China-aligned groups suggests a common supplier or malware-as-a-service ecosystem, underscoring the need for threat-intelligence sharing and rapid incident response to protect critical government infrastructure.
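The "monitor policy changes" advice above is concrete enough to script. The following is an added example written for this page, not code from ESET or the article: it takes a SHA-256 baseline of the code-carrying files under SYSVOL (scripts, scheduled-task preferences, dropped binaries), reports drift against that baseline, and then pulls the Active Directory and Security-log record of which groupPolicyContainer objects changed recently and who changed them. It assumes a domain-joined host with the RSAT GroupPolicy and ActiveDirectory modules, a domain controller that audits Directory Service Changes (so events 5136/5137 exist), and placeholder values for the SYSVOL path and baseline file.

```powershell
# Added example (not code from ESET or the article): watch the Group Policy delivery
# channel from two angles, (a) a hash baseline of the code-carrying files in SYSVOL and
# (b) the AD and Security-log record of who changed which GPO container. Assumptions:
# run from a domain-joined host with the RSAT GroupPolicy and ActiveDirectory modules,
# the SYSVOL path and baseline file location below are placeholders, and the domain
# controller audits "Directory Service Changes" so that events 5136/5137 exist.
#Requires -Modules ActiveDirectory, GroupPolicy
param(
    [string]$SysvolPolicies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies",  # assumption
    [string]$BaselinePath   = 'C:\GpoBaseline\sysvol-baseline.json',                      # assumption
    [int]$LookbackHours     = 24
)

# Files that turn a GPO into a code-delivery channel: startup/logon scripts, scheduled-task
# preferences (ScheduledTasks.xml), and any binary or script dropped into the policy folder.
$watched = 'ScheduledTasks.xml', 'scripts.ini', 'psscripts.ini',
           '*.exe', '*.dll', '*.ps1', '*.bat', '*.cmd', '*.vbs', '*.js', '*.hta'

function Get-SysvolSnapshot {
    Get-ChildItem -Path $SysvolPolicies -Recurse -File -Include $watched -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Hash    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Written = $_.LastWriteTimeUtc
            }
        }
}

# Map a SYSVOL path back to the GPO it belongs to via the {GUID} folder name.
function Resolve-GpoName([string]$Path) {
    if ($Path -match '\{([0-9A-Fa-f-]{36})\}') {
        try { (Get-GPO -Guid $Matches[1] -ErrorAction Stop).DisplayName }
        catch { "<no GPO object for $($Matches[1])>" }   # an orphaned folder is itself suspicious
    }
}

# (a) baseline-and-diff of SYSVOL
$current = @(Get-SysvolSnapshot)
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    Write-Host "Baseline written with $($current.Count) files to $BaselinePath; rerun to diff."
    return
}
$baseline = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)
$baseHash = @{}
foreach ($b in $baseline) { $baseHash[$b.Path] = $b.Hash }

$findings = [System.Collections.Generic.List[object]]::new()
foreach ($f in $current) {
    $change = if (-not $baseHash.ContainsKey($f.Path)) { 'NEW' }
              elseif ($baseHash[$f.Path] -ne $f.Hash) { 'MODIFIED' }
    if ($change) {
        $findings.Add([pscustomobject]@{ Change = $change; GPO = Resolve-GpoName $f.Path; Path = $f.Path; Written = $f.Written })
    }
}
foreach ($b in $baseline) {
    if ($b.Path -notin $current.Path) {
        $findings.Add([pscustomobject]@{ Change = 'REMOVED'; GPO = Resolve-GpoName $b.Path; Path = $b.Path; Written = $null })
    }
}
"== SYSVOL drift since baseline =="
$findings | Sort-Object Change, Path | Format-Table -AutoSize

# (b) which GPO containers changed recently, and who changed them
$since = (Get-Date).AddHours(-$LookbackHours)
"== groupPolicyContainer objects modified in the last $LookbackHours h =="
Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -Properties displayName, whenChanged, versionNumber, gPCFileSysPath |
    Where-Object { $_.whenChanged -gt $since } |
    Select-Object displayName, whenChanged, versionNumber, gPCFileSysPath | Format-Table -AutoSize

"== Security events 5136/5137 on GPO containers (DC must audit Directory Service Changes) =="
$dc = Get-ADDomainController -Discover | Select-Object -ExpandProperty HostName | Select-Object -First 1
Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectClass -eq 'groupPolicyContainer') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object    = $d.ObjectDN
                Attribute = $d.AttributeLDAPDisplayName
                Value     = $d.AttributeValue
            }
        }
    } | Format-Table -AutoSize
```

Run it once to write the baseline, then on a schedule. A NEW or MODIFIED scheduled-task XML, script, or binary under a GPO folder that does not line up with an approved change ticket, or a SYSVOL folder with no matching GPO object, is the signal this technique leaves; the 5136 records tie the change to the account that made it, which is also where the privileged-account audit mentioned above starts. The baseline file should live somewhere the accounts that can edit GPOs cannot also overwrite it.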