Group Policy abuse reveals China-aligned espionage group targeting governments

ESET Research has identified a previously undocumented China-aligned advanced persistent threat group that uses Windows Group Policy to deploy malware and move through victim networks. The group, tracked as LongNosedGoblin, has targeted government institutions in Southeast Asia and Japan with a toolset built for long-term surveillance.

Group Policy is widely used with Active Directory to manage settings and permissions across Windows environments. The group leverages that trust to distribute malware at scale once access is established.

Activity traced back to 2023

The researchers first detected LongNosedGoblin while investigating suspicious activity inside the network of a Southeast Asian government organization in 2024. During that investigation, they uncovered malware that had not been documented before.

Further analysis linked the activity to operations going back to at least September 2023. Observations from this September show renewed activity in the same region, suggesting continued interest in government networks.

Operations focused on internal spread after initial access. Malware was deployed across compromised networks using Group Policy objects, allowing the group to reach multiple systems without relying on repeated exploitation.

Group Policy used for lateral movement

Group Policy plays a central role in the campaign. The attackers abused it to push malicious components to other machines connected to the domain. This approach allowed them to blend into administrative traffic and avoid noisy lateral movement techniques.
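The push-to-many pattern described above leaves an auditable trace in SYSVOL: a GPO that deploys a scheduled or immediate task stores it as a Group Policy Preferences ScheduledTasks.xml under the policy's Machine\Preferences\ScheduledTasks folder. The script below is an added example, not ESET's tooling or anything from the report; it parses a constructed, simplified sample of that file (task names, paths and the domain corp.example are made up) and flags the tasks a defender would want to review first.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample of a GPP ScheduledTasks.xml (clsid attributes omitted for
# brevity); one routine task next to one immediate task that runs a script.
SAMPLE_XML = r"""<ScheduledTasks>
  <TaskV2 name="Inventory" changed="2024-03-01 08:00:00" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="C" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>C:\Program Files\Inventory\agent.exe</Command><Arguments>/scan</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 name="Update" changed="2024-06-12 02:13:44" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>powershell.exe</Command>
        <Arguments>-w hidden -ep bypass -f \\corp.example\SYSVOL\corp.example\Policies\{GPO-GUID}\Machine\update.ps1</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>"""

# Script hosts and LOLBins rarely belong in a routine, long-lived GPO task.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe"}
# Argument fragments worth a second look: SYSVOL-staged payloads, hidden windows, bypasses.
ARG_MARKERS = ("sysvol", "netlogon", "hidden", "bypass", "-enc", "downloadstring")

def audit_scheduled_tasks(xml_text: str) -> list[dict]:
    """Return one finding per task, with the reasons it deserves review."""
    findings = []
    for task in ET.fromstring(xml_text):           # TaskV2, ImmediateTaskV2, ...
        reasons = []
        # Immediate tasks run once at the next policy refresh on every machine in scope.
        if task.tag.startswith("ImmediateTask"):
            reasons.append("immediate task")
        for exe in task.iter("Exec"):
            cmd = (exe.findtext("Command") or "").strip()
            args = (exe.findtext("Arguments") or "").strip()
            if PureWindowsPath(cmd).name.lower() in SCRIPT_HOSTS:
                reasons.append(f"script host: {cmd}")
            hits = [m for m in ARG_MARKERS if m in args.lower()]
            if hits:
                reasons.append("arguments: " + ", ".join(hits))
        if reasons:
            findings.append({"task": task.get("name"), "changed": task.get("changed"),
                             "reasons": reasons})
    return findings
```

Run it against each ScheduledTasks.xml found under \\<domain>\SYSVOL\<domain>\Policies and compare the `changed` timestamps with your change records; a task nobody can account for is the lead to pull on.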

Once deployed, the malware communicated with command and control infrastructure hosted on cloud services. The researchers observed the use of Microsoft OneDrive and Google Drive for command delivery and data exchange, which can complicate detection and blocking efforts.

This infrastructure choice aligns with a broader trend among espionage groups that rely on trusted platforms to hide malicious traffic in normal enterprise activity.

Browser data guides follow-on attacks

One of the first tools deployed inside victim networks is NosyHistorian. This C# and .NET application collects browsing history from Google Chrome, Microsoft Edge, and Mozilla Firefox. The stolen data helps the operators understand user behavior and decide where to deploy additional malware.

Another component, NosyDoor, focuses on system reconnaissance and task execution. It gathers metadata such as machine name, username, operating system version, and current process details. That information is sent back to the command and control service.

NosyDoor also retrieves task files containing instructions. Supported commands include file exfiltration, file deletion, and execution of shell commands, giving the attackers ongoing control over infected systems.

Figure: NosyDoor execution chain

Tools built for data theft and surveillance

LongNosedGoblin relies on several specialized tools to collect sensitive data. NosyStealer targets browser data stored in Microsoft Edge and Google Chrome, expanding on the intelligence gathered earlier in the attack chain.

NosyDownloader handles payload delivery. It executes a series of obfuscated commands and loads additional malware directly into memory, which reduces artifacts on disk and makes forensic analysis more difficult.

The toolset also includes NosyLogger, a C# and .NET keylogger. The researchers assess it as a modified version of the open-source DuckSharp project. Keylogging supports credential theft and monitoring of user activity over time.

Audio, video, and network access

Beyond traditional espionage tooling, the group deploys utilities that support deeper surveillance. The researchers identified a reverse SOCKS5 proxy that provides remote network access through infected hosts.

They also observed an argument runner used to launch other applications. In at least one case, this runner executed a video recording tool, likely FFmpeg, to capture audio and video from compromised systems.

This combination of administrative abuse, cloud-based command channels, and multi-layered surveillance tools shows a campaign designed for persistence inside sensitive government environments. The researchers continue to monitor the group’s activity across the region.

“We later identified another instance of a NosyDoor variant targeting an organization in an EU country, once again employing different techniques, and using the Yandex Disk cloud service as a C&C server. The use of this NosyDoor variant suggests that the malware may be shared among multiple China-aligned threat groups,” says ESET researcher Anton Cherepanov, who investigated LongNosedGoblin with fellow ESET researcher Peter Strýček.
