NosyDownloader
NosyDownloader is a malware downloader used by the China-aligned APT group LongNosedGoblin in cyber-espionage operations targeting government entities in Southeast Asia and Japan since at least 2023. It is part of the group's custom C#/.NET toolset and serves as the payload-delivery stage: it retrieves additional malware and executes it directly in memory, which reduces disk artifacts and complicates forensic analysis. ESET reported that LongNosedGoblin used NosyDownloader widely in Southeast Asia throughout 2024, with an updated version observed against the Japanese government by December 2024. The malware has also been found embedded in originally benign applications that were patched with malicious code. Its execution chain involves spawning PowerShell and passing it a long, obfuscated command line, so the script itself is never stored on disk. NosyDownloader has been used to deploy payloads including NosyLogger, the open-source reverse SOCKS5 proxy ReverseSocks5, and an argument runner. Publicly reported context links it with high confidence to LongNosedGoblin's broader espionage activity against government networks, with in-memory payload execution as a core capability. The source provides no specific IoCs beyond these behavioral characteristics.
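The one concrete behavior the write-up gives a defender to work with is the execution chain: a process (here, a trojanized benign application) spawns PowerShell with a long, obfuscated command line so that no script file reaches disk. That pattern is visible in process-creation telemetry even when the payload itself never touches disk. The following is an added example, not code from ESET, Mallory, or the original page. The events are constructed Sysmon-style records, the indicator weights and the 800-character length threshold are assumptions to be tuned against your own baseline, and nothing in it is a NosyDownloader IoC.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (simplified Sysmon Event ID 1 fields).
# These are NOT real NosyDownloader telemetry; they only illustrate the behaviour
# described in the write-up. The base64-looking filler is repeated "QQBB", not a payload.
SAMPLE_EVENTS = [
    {   # a patched "benign" updater spawning hidden, encoded PowerShell
        "ParentImage": r"C:\Program Files\Vendor\UpdateTool.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden "
                       "-EncodedCommand " + "QQBB" * 300,
    },
    {   # an ordinary admin script launched from the desktop: should not alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {   # not PowerShell at all: ignored
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe report.txt",
    },
    {   # inline script built from many concatenated string fragments (no -EncodedCommand)
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\viewer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -nop -c "'
                       + ";".join(f"$v{i}='x'+'y'" for i in range(80)) + '"',
    },
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Parents from which a PowerShell launch is normally expected; any other parent
# (an updater, a document viewer, a game launcher) spawning PowerShell is suspicious.
# Assumed list: extend it with what is normal in your environment.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                    "svchost.exe", "windowsterminal.exe", "code.exe"}

LONG_CMDLINE = 800  # assumed threshold in characters; baseline it before deploying

# (indicator name, weight, predicate over the command line). Weights are assumptions.
INDICATORS = [
    ("long_command_line", 2, lambda c: len(c) >= LONG_CMDLINE),
    ("encoded_command", 2, lambda c: re.search(
        r"(?i)(?<!\S)-(?:e|ec|enc|encodedcommand)(?!\S)", c) is not None),
    ("hidden_window", 1, lambda c: re.search(
        r"(?i)-w(?:indowstyle)?\s+hidden", c) is not None),
    ("no_profile", 1, lambda c: re.search(r"(?i)-nop(?:rofile)?(?!\S)", c) is not None),
    # a single unbroken base64-alphabet run long enough to carry a script
    ("base64_blob", 2, lambda c: re.search(r"[A-Za-z0-9+/]{200,}={0,2}", c) is not None),
    # heavy 'a'+'b' string concatenation is a common way to hide keywords from string matching
    ("string_concatenation", 2, lambda c: c.count("'+'") >= 10),
]


def score_event(event):
    """Return (score, matched indicator names) for one process-creation event.
    Non-PowerShell images always score 0."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in POWERSHELL_IMAGES:
        return 0, []
    cmd = event.get("CommandLine", "")
    hits = [name for name, _, pred in INDICATORS if pred(cmd)]
    score = sum(weight for name, weight, _ in INDICATORS if name in hits)
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent not in EXPECTED_PARENTS:
        hits.append("unexpected_parent")
        score += 1
    return score, hits


def hunt(events, threshold=4):
    """Return the events whose indicator score reaches the (assumed) alert threshold."""
    findings = []
    for event in events:
        score, hits = score_event(event)
        if score >= threshold:
            findings.append({"parent": event.get("ParentImage", ""),
                             "score": score, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding['score']:>2}  {finding['parent']}  {', '.join(finding['indicators'])}")
```

Two of the four constructed events alert: the trojanized updater launching encoded, hidden PowerShell, and the temp-directory viewer launching an inline script built from concatenated fragments. The `-File` launch from Explorer scores zero. Scoring several weak signals rather than matching on one flag matters here because the loader's command line need not use `-EncodedCommand` at all; length, hidden window, profile suppression, and an unexpected parent still add up. In production, feed the function Sysmon Event ID 1 or Windows Security 4688 records (with command-line auditing enabled) and keep a reference to the original event so the analyst can retrieve the full command line, since that command line is the only on-host artifact the page says this loader leaves behind.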
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"NosyDownloader, which downloads and runs a payload in memory... LongNosedGoblin has been widely using NosyDownloader in Southeast Asia throughout 2024."
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
In-memory downloader/loader used to fetch and execute additional payloads without writing them to disk; widely used in Southeast Asia in 2024 and updated by Dec 2024 for targeting Japan.
NosyDownloader is a loader/downloader that delivers additional payloads, executing them in memory to evade detection and forensic analysis.
Loader malware that downloads and executes additional payloads in memory, such as NosyLogger.
Downloader malware that retrieves and executes additional malicious payloads in memory.