LongNosedGoblin

Also known as: longnosedgoblin

LongNosedGoblin is a previously undocumented China-aligned advanced persistent threat group focused on cyberespionage against government institutions in Southeast Asia and Japan. The group has been active since at least September 2023. ESET reported fewer than a dozen confirmed victims and assessed the actor as moderately sophisticated. The group is notable for abusing Windows Active Directory Group Policy to deploy malware and move laterally within compromised networks, which implies access to a Domain Controller and domain administrator credentials.

Its toolset is primarily custom C#/.NET malware built for long-term surveillance and data theft. Reported malware and tooling include NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, and NosyLogger, as well as a reverse SOCKS5 proxy, an argument runner used to launch applications including audio/video recording tools, and in some reporting a Cobalt Strike loader. NosyHistorian inspects and collects browser history from Chrome, Edge, and Firefox to identify higher-value targets. Only a subset of victims then receive NosyDoor, a backdoor that gathers host metadata and supports file upload, download, and deletion, directory listing, shell command execution, and loading .NET assemblies. NosyDoor employs AppDomainManager injection, and some LongNosedGoblin tools bypass AMSI. Some samples include execution guardrails restricting operation to specific victim machines. NosyStealer handles browser data exfiltration, NosyDownloader delivers payloads in memory, and NosyLogger is a modified DuckSharp-based keylogger.

NosyDoor uses cloud services for command and control, especially Microsoft OneDrive; reporting also mentions Google Drive, and a variant using Yandex Disk was observed against an EU organization. Relying on legitimate cloud services such as OneDrive and Google Drive for C2 and exfiltration helps the group blend malicious traffic with normal enterprise activity.
ESET noted similarities with ToddyCat and Erudite Mogwai but concluded LongNosedGoblin is distinct, particularly because of its specific use of Group Policy for malware deployment. ESET also assessed that NosyDoor is likely shared among multiple China-aligned threat actors. Cisco Talos separately assessed with high confidence that another China-nexus cluster, UAT-8302, shares tooling with LongNosedGoblin. Known aliases directly mentioned in the content are limited to LongNosedGoblin.
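The most distinctive behaviour on this page is Group Policy abuse (T1484.001), which only works for an intruder who already holds domain administrator rights, so the detection opportunity is the GPO change itself. The following is an added example, not code from the original page or from ESET's reporting: it screens Windows Security event 5136 ("A directory service object was modified") records exported from a Domain Controller for modifications to groupPolicyContainer objects, escalating any change made by an account outside a GPO administrator allowlist. The field names follow the 5136 event XML (SubjectUserName, ObjectDN, ObjectClass, AttributeLDAPDisplayName); the sample events and the allowlist are constructed for the demonstration.

```python
"""Flag suspicious Group Policy Object (GPO) modifications in exported
Windows Security events.

Added example; not from the original page or from ESET's reporting.
Assumes events were exported from a Domain Controller as dictionaries
keyed by the 5136 event XML field names. Event 5136 is only written when
Active Directory object-change auditing (SACL on the GPO container) is
enabled, so enable that audit policy first.
"""
from dataclasses import dataclass

# GPO attributes whose change means the policy payload itself changed.
# These are real AD schema attribute names; the sample values are constructed.
CONTENT_ATTRIBUTES = {
    "versionNumber",              # incremented on every GPO edit
    "gPCMachineExtensionNames",   # computer-side client-side extensions in use
    "gPCUserExtensionNames",      # user-side client-side extensions in use
    "gPCFileSysPath",             # SYSVOL path that holds scripts/files
}


@dataclass(frozen=True)
class GpoChangeAlert:
    event_time: str
    actor: str
    gpo_dn: str
    attribute: str
    severity: str
    reason: str


def flag_gpo_modifications(events, trusted_admins):
    """Return alerts for 5136 events that modify groupPolicyContainer objects.

    - Any change by an account not in `trusted_admins` is high severity:
      GPO edits from an unexpected principal are exactly what deployment
      of malware through Group Policy looks like on the Domain Controller.
    - A payload-affecting attribute change by a trusted admin is medium
      severity so it can still be reconciled against a change record.
    - Cosmetic attribute changes by trusted admins are ignored.
    """
    trusted = {a.lower() for a in trusted_admins}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("ObjectClass") != "groupPolicyContainer":
            continue
        actor = ev.get("SubjectUserName", "").lower()
        attr = ev.get("AttributeLDAPDisplayName", "")
        if actor not in trusted:
            severity, reason = "high", "GPO modified by account outside GPO admin allowlist"
        elif attr in CONTENT_ATTRIBUTES:
            severity, reason = "medium", "GPO payload attribute changed; verify against change record"
        else:
            continue
        alerts.append(GpoChangeAlert(
            event_time=ev.get("TimeCreated", ""),
            actor=actor,
            gpo_dn=ev.get("ObjectDN", ""),
            attribute=attr,
            severity=severity,
            reason=reason,
        ))
    return alerts


# Constructed sample export: one routine rename, one version bump by the
# GPO admin, one extension change by an unexpected service account, one
# unrelated user-object change, and one logon event.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2024-01-10T08:00:00Z", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": "CN={CONSTRUCTED-GUID-1},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "displayName"},
    {"EventID": 5136, "TimeCreated": "2024-01-10T08:01:00Z", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": "CN={CONSTRUCTED-GUID-1},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "TimeCreated": "2024-01-10T23:14:00Z", "SubjectUserName": "svc-backup",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": "CN={CONSTRUCTED-GUID-2},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "TimeCreated": "2024-01-10T23:15:00Z", "SubjectUserName": "svc-backup",
     "ObjectClass": "user", "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description"},
    {"EventID": 4624, "TimeCreated": "2024-01-10T23:16:00Z", "SubjectUserName": "svc-backup"},
]

# Hypothetical allowlist of principals expected to edit GPOs in this domain.
TRUSTED_GPO_ADMINS = {"gpo-admin"}

if __name__ == "__main__":
    for alert in flag_gpo_modifications(SAMPLE_EVENTS, TRUSTED_GPO_ADMINS):
        print(f"[{alert.severity}] {alert.event_time} {alert.actor} {alert.attribute} {alert.gpo_dn}: {alert.reason}")
```

Running the script over the constructed export yields two alerts: a medium one for the trusted admin's versionNumber bump and a high one for the service account's change to gPCMachineExtensionNames. In a real deployment the allowlist should be derived from the groups actually delegated GPO edit rights, and the high-severity path should also pull the matching SYSVOL file changes so the responder can see what the modified policy deploys.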

MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Coverage: 4 of 15 tactics, 7 techniques. ×N = number of intelligence reports citing this technique.

TA0004 Privilege Escalation (1 technique)
  T1484 Domain or Tenant Policy Modification
    T1484.001 Group Policy Modification (×2)

TA0112 Defense Impairment (1 technique)
  T1484 Domain or Tenant Policy Modification
    T1484.001 Group Policy Modification (×2)

TA0007 Discovery (1 technique)
  T1217 Browser Information Discovery

TA0011 Command and Control (1 technique)
  T1071 Application Layer Protocol
    T1071.001 Web Protocols