China-Aligned LongNosedGoblin Malware Targets Asia-Pacific Governments

China-aligned LongNosedGoblin cyber espionage targets Southeast Asia and Japan using Windows Group Policy and cloud services for malware deployment and data theft.

  • A China-aligned hacking group called LongNosedGoblin has targeted governments in Southeast Asia and Japan since September 2023.
  • The group uses Windows Group Policy to deploy malware and cloud storage services for command and control (C&C) communication.
  • The attackers employ various custom tools to steal browser data, log keystrokes, and exfiltrate files using services like Microsoft OneDrive, Google Drive, and Yandex Disk.
  • LongNosedGoblin’s malware shows some similarities with other clusters but remains distinct, with potential sharing of tools among China-aligned groups.

A China-aligned cyber threat cluster named LongNosedGoblin has conducted espionage-focused cyber attacks on government entities in Southeast Asia and Japan since at least September 2023. The group uses Windows Group Policy, a system for managing computer and user settings, to spread malware within targeted networks.


Security researchers Anton Cherepanov and Peter Strýček stated that LongNosedGoblin leverages cloud services such as Microsoft OneDrive and Google Drive as command and control (C&C) servers. The attack toolkit mainly includes C#/.NET applications designed for data theft and remote control.

Their malware lineup features:
– NosyHistorian, which collects browsing histories from Google Chrome, Microsoft Edge, and Mozilla Firefox.
– NosyDoor, a backdoor that uses OneDrive for C&C and can exfiltrate or delete files, as well as execute shell commands.
– NosyStealer, which steals browser data from Chrome and Edge, encrypting it into TAR archives uploaded to Google Drive.
– NosyDownloader, used to run additional payloads like NosyLogger in memory.
– NosyLogger, a modified keylogger based on DuckSharp software, capturing keystrokes.

ESET first detected LongNosedGoblin activity in February 2024 on a Southeast Asian government system. The malware spread through Group Policy to multiple computers within the same organization. The exact method by which the attackers initially gained access remains unknown. Analysis revealed targeted deployment, as only some victims infected with NosyHistorian also received the NosyDoor backdoor, which includes “execution guardrails” to limit infections to specific machines.
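As an added defensive check (not code from ESET or the article): a PowerShell audit that lists Group Policy Objects changed recently or carrying settings that execute code on clients, the channel the group used to push its tools across an organization. It assumes a domain-joined Windows host with the RSAT GroupPolicy module; the lookback window and the keyword patterns matched in the GPO report are assumptions to tune for your environment.

```powershell
# Added example, not from ESET or the article: audit GPOs for recent changes and for
# settings that run code on clients (scheduled tasks, scripts, software installs).
# Assumes a domain-joined host with the RSAT GroupPolicy module available.
Import-Module GroupPolicy

function Get-GpoExecutionIndicators {
    param(
        [int]$LookbackDays = 30   # assumed window: GPOs modified more recently are reported
    )
    $cutoff = (Get-Date).AddDays(-$LookbackDays)

    # Heuristic markers (assumed patterns) in the XML report that indicate client-side
    # code execution: GPP scheduled/immediate tasks, startup/logon scripts, MSI deployment.
    $markers = @{
        'ScheduledTask'   = 'ScheduledTasks'
        'ImmediateTask'   = 'ImmediateTask'
        'Script'          = 'Settings/Scripts'
        'SoftwareInstall' = 'SoftwareInstallation|Software Installation'
    }

    foreach ($gpo in Get-GPO -All) {
        # Get-GPOReport returns the report as a string when -ReportType Xml is used
        $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $hits = @()
        foreach ($name in $markers.Keys) {
            if ($xml -match $markers[$name]) { $hits += $name }
        }
        $recent = $gpo.ModificationTime -ge $cutoff
        # Emit a row when the GPO changed recently or carries any execution marker;
        # a recently changed GPO that also carries a marker deserves the first look.
        if ($recent -or $hits.Count -gt 0) {
            [pscustomobject]@{
                Name         = $gpo.DisplayName
                Id           = $gpo.Id
                Modified     = $gpo.ModificationTime
                RecentChange = $recent
                Indicators   = ($hits -join ',')
            }
        }
    }
}

# Review the output against change records: a GPO that pushes a scheduled task or
# startup script running an unfamiliar binary is the pattern this report surfaces.
Get-GpoExecutionIndicators -LookbackDays 30 |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

Pair the report with the GPO version history (or SYSVOL file timestamps) so that a legitimate recent change can be distinguished from one nobody on the team made.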

Additional tools used by the group include a reverse SOCKS5 proxy, software to record audio and video, and a Cobalt Strike loader. Although the group’s tactics show weak similarities to those of the ToddyCat and Erudite Mogwai clusters, firm links have not been established. The resemblance of NosyDoor to the LuckyStrike Agent malware, and the phrase “Paid Version” found in LuckyStrike’s code, hint that some LongNosedGoblin tools could be commercially available or shared among China-aligned actors.


Researchers also identified a NosyDoor variant targeting an organization in the European Union, which replaced its C&C with Yandex Disk, suggesting LongNosedGoblin malware may be utilized by multiple related threat groups.
