NosyHistorian
NosyHistorian is a custom C#/.NET malware tool used by the China-aligned APT group LongNosedGoblin in cyber-espionage operations against government entities in Southeast Asia and Japan since at least 2023. It is one of the first tools deployed inside a victim network and collects browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox; its internal name is reported as GetBrowserHistory.

LongNosedGoblin has abused Windows Active Directory Group Policy to push malware, including NosyHistorian, across compromised networks and to move laterally. Modifying Group Policy requires write access to GPOs, so this implies the group already held Domain Controller access or domain administrator credentials by the time NosyHistorian was rolled out.

The stolen browsing history is used to profile user behaviour, assess how valuable a victim is, and decide which systems or users receive follow-on malware. Only a small subset of NosyHistorian-affected hosts were subsequently compromised with the NosyDoor backdoor, consistent with the tool being a triage stage rather than the final payload. NosyHistorian is associated specifically with LongNosedGoblin's espionage activity against government networks. The sources summarized here publish no standalone indicators of compromise for NosyHistorian.
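The collection step described above, as an added illustration that is not NosyHistorian's code: a minimal Python reader for the SQLite history databases of the three browsers named here, with constructed sample databases so it runs offline. The profile paths, the cut-down table layouts, the sample entries and the copy-before-read step are assumptions made for the example; the epoch conventions (Chromium stores microseconds since 1601-01-01 UTC, Firefox microseconds since the Unix epoch) are the browsers' real formats and are the detail most often got wrong when triaging this data.

```python
"""Added example (not NosyHistorian's code): read the history databases a
browser-history stealer targets, normalising each browser's timestamp format.
Sample databases are constructed inline so the script runs offline."""
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Default profile locations on Windows for the three browsers the page names.
# The real tool's profile enumeration is not public; these are assumptions.
DEFAULT_PATHS = {
    "chrome": r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\History",
    "edge": r"%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\History",
    "firefox": r"%APPDATA%\Mozilla\Firefox\Profiles\<profile>\places.sqlite",
}

# Chromium (Chrome, Edge) stores microseconds since 1601-01-01 UTC; Firefox
# stores microseconds since the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chromium_time(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def firefox_time(us: int) -> datetime:
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def _open_copy(path: str) -> sqlite3.Connection:
    # A running browser keeps its history file open and locked, so a stealer
    # (or a forensic triage script) copies the file and reads the copy.
    copy = os.path.join(tempfile.mkdtemp(), os.path.basename(path))
    shutil.copy2(path, copy)
    return sqlite3.connect(copy)


def read_chromium(path: str) -> list[tuple[str, str, str]]:
    con = _open_copy(path)
    rows = con.execute(
        "SELECT u.url, u.title, v.visit_time FROM visits v "
        "JOIN urls u ON v.url = u.id ORDER BY v.visit_time"
    ).fetchall()
    con.close()
    return [(url, title, chromium_time(t).isoformat()) for url, title, t in rows]


def read_firefox(path: str) -> list[tuple[str, str, str]]:
    con = _open_copy(path)
    rows = con.execute(
        "SELECT p.url, p.title, v.visit_date FROM moz_historyvisits v "
        "JOIN moz_places p ON v.place_id = p.id ORDER BY v.visit_date"
    ).fetchall()
    con.close()
    return [(url, title, firefox_time(t).isoformat()) for url, title, t in rows]


# --- constructed sample data (minimal subset of the real schemas) ----------
SAMPLE_VISIT = "2024-01-15T10:00:00+00:00"   # constructed timestamp
CHROMIUM_US = 13_349_786_400_000_000         # same instant, WebKit epoch
FIREFOX_US = 1_705_312_800_000_000           # same instant, Unix epoch


def build_samples(directory: str) -> dict[str, str]:
    chrome = os.path.join(directory, "History")
    con = sqlite3.connect(chrome)
    con.executescript(
        "CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);"
    )
    con.execute("INSERT INTO urls VALUES (1, 'https://intranet.example.gov/', 'Intranet')")
    con.execute("INSERT INTO visits VALUES (1, 1, ?)", (CHROMIUM_US,))
    con.commit()
    con.close()

    firefox = os.path.join(directory, "places.sqlite")
    con = sqlite3.connect(firefox)
    con.executescript(
        "CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);"
    )
    con.execute("INSERT INTO moz_places VALUES (1, 'https://mail.example.gov/', 'Webmail')")
    con.execute("INSERT INTO moz_historyvisits VALUES (1, 1, ?)", (FIREFOX_US,))
    con.commit()
    con.close()
    return {"chrome": chrome, "firefox": firefox}


def demo() -> dict[str, list[tuple[str, str, str]]]:
    paths = build_samples(tempfile.mkdtemp())
    return {"chrome": read_chromium(paths["chrome"]),
            "firefox": read_firefox(paths["firefox"])}


if __name__ == "__main__":
    for browser, visits in demo().items():
        for url, title, when in visits:
            print(f"{browser:8} {when}  {title}  {url}")
```

Edge uses the same Chromium layout as Chrome, so read_chromium applies to both; only the profile path differs.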
Groups observed using it
One threat actor, LongNosedGoblin, is attributed to this family by public researchers.
"NosyGoblin's bespoke tooling also includes malware the ESET team named NosyHistorian used to snoop through browser history. If NosyHistorian determines the target is worth pursuing further, it drops a backdoor called NosyDoor"
Techniques & procedures
Techniques documented for this family, organized by ATT&CK tactic. The Command and Control entry is sourced to LongNosedGoblin's operations in general rather than to NosyHistorian itself.
Privilege Escalation: 1 technique
Defense Impairment: 1 technique
Discovery: 1 technique. "NosyHistorian, is used to gather browser history and decide where to deploy further malware…"
Command and Control: 1 technique. "LongNosedGoblin… uses… Microsoft OneDrive and Google Drive as command and control (C&C) servers."
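One way to hunt for the Discovery behaviour above on the endpoint, as an added example that is neither vendor nor Mallory code: with a SACL auditing ReadData on the history files, Windows logs Security event 4663 each time a process reads them, and the script below flags readers that are not the browser itself, ranking a process higher the more browsers it touches, which is what a tool that sweeps Chrome, Edge and Firefox in one pass looks like. The event records, host name, user profile and the placeholder process name svchelper.exe are constructed for the example (the stealer's on-disk filename is not published), and the allowlist will need any backup or sync agents that legitimately read browser profiles in your environment.

```python
"""Added example (not NosyHistorian or vendor code): flag processes other than
the browser that read browser-history databases, using Windows Security 4663
(object access) events. Assumes a SACL auditing ReadData on those files."""
import fnmatch
from collections import defaultdict

# Case-insensitive glob patterns for the files a history stealer must read.
# Chromium-based browsers keep history in a file literally named "History";
# Firefox keeps it in places.sqlite.
WATCHED = {
    "chrome": r"*\google\chrome\user data\*\history",
    "edge": r"*\microsoft\edge\user data\*\history",
    "firefox": r"*\mozilla\firefox\profiles\*\places.sqlite",
}

# Processes expected to read those files. Add backup or sync agents that
# legitimately touch browser profiles in your environment.
ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe"}

FILE_READ_DATA = 0x1  # ReadData bit in the 4663 AccessMask


def which_browser(object_name: str):
    name = object_name.lower()
    for browser, pattern in WATCHED.items():
        if fnmatch.fnmatchcase(name, pattern):
            return browser
    return None


def hunt(events, allowed=ALLOWED):
    """Return {(host, process): {browser: read_count}} for unexpected readers."""
    hits = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["EventID"] != 4663:
            continue
        if not int(ev["AccessMask"], 16) & FILE_READ_DATA:
            continue  # attribute or write access only, not a content read
        browser = which_browser(ev["ObjectName"])
        if browser is None:
            continue  # not a history database
        proc = ev["ProcessName"]
        if proc.rsplit("\\", 1)[-1].lower() in allowed:
            continue  # the browser reading its own history
        hits[(ev["Computer"], proc)][browser] += 1
    return hits


def rank(hits):
    """Order findings so a process that swept several browsers comes first."""
    return sorted(
        ((host, proc, len(b), sum(b.values())) for (host, proc), b in hits.items()),
        key=lambda r: (-r[2], -r[3]),
    )


def _ev(computer, proc, obj, mask="0x1", event_id=4663):
    return {"EventID": event_id, "Computer": computer, "ProcessName": proc,
            "ObjectName": obj, "AccessMask": mask}


# Constructed sample events. "svchelper.exe" in %TEMP% is a placeholder; the
# real tool's on-disk filename is not published. A copy of the file (as a
# stealer would make before opening a locked database) still produces a
# ReadData event on the source, so it is caught the same way.
PROFILE = r"C:\Users\alice\AppData"
SAMPLE_EVENTS = [
    _ev("WS01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        PROFILE + r"\Local\Google\Chrome\User Data\Default\History"),
    _ev("WS01", PROFILE + r"\Local\Temp\svchelper.exe",
        PROFILE + r"\Local\Google\Chrome\User Data\Default\History"),
    _ev("WS01", PROFILE + r"\Local\Temp\svchelper.exe",
        PROFILE + r"\Local\Microsoft\Edge\User Data\Default\History"),
    _ev("WS01", PROFILE + r"\Local\Temp\svchelper.exe",
        PROFILE + r"\Roaming\Mozilla\Firefox\Profiles\x7k2.default\places.sqlite"),
    # ReadAttributes only (0x80): not a content read, so ignored.
    _ev("WS01", r"C:\Windows\System32\svchost.exe",
        PROFILE + r"\Local\Google\Chrome\User Data\Default\History", mask="0x80"),
    # Unrelated file.
    _ev("WS01", r"C:\Windows\explorer.exe", PROFILE + r"\Local\Temp\notes.txt"),
    # 4656 (handle requested) is not the access event we key on.
    _ev("WS01", PROFILE + r"\Local\Temp\svchelper.exe",
        PROFILE + r"\Local\Google\Chrome\User Data\Default\History", event_id=4656),
]

if __name__ == "__main__":
    for host, proc, browsers, reads in rank(hunt(SAMPLE_EVENTS)):
        print(f"{host} {proc}: {browsers} browser(s), {reads} read(s)")
```

Because the page reports NosyHistorian being pushed by Group Policy to many hosts at once, the same process path appearing in these findings across multiple workstations in a short window is the pattern worth alerting on, rather than a single host.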
Recent activity
8 sources tracked across advisories, community write-ups, and news. Their summaries of the family:
Reconnaissance/collection tool used to gather browser history to inform follow-on malware deployment decisions within LongNosedGoblin operations.
NosyHistorian is a custom stealer malware used by LongNosedGoblin to harvest browser history from compromised machines. Its purpose is to identify high-value targets for further exploitation within government networks.
Custom malware used to collect/snoop browser history for victim profiling and follow-on targeting decisions; can lead to deployment of the NosyDoor backdoor.
NosyHistorian is a C# and .NET application that collects browsing history from major browsers to inform follow-on attack decisions.