The cyber espionage group "LongNosedGoblin" has been linked by ESET to a significant and growing number of targeted attacks on government entities, predominantly in Southeast Asia and Japan. Based on ESET's intelligence, LongNosedGoblin has likely been active since at least September 2023, and the group's primary motive is cyber espionage.
LongNosedGoblin employs Windows Group Policy functionality to deploy malware across the networks of the organizations it compromises. Rather than the more visible lateral movement used by other groups, LongNosedGoblin leverages this existing administrative mechanism to deliver malware to many systems at the same time.
The command-and-control communication of LongNosedGoblin blends with "normal" internet traffic by leveraging established cloud services such as Microsoft OneDrive, Google Drive, and Yandex Disk.
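The two techniques described above, Group Policy as a malware delivery channel and cloud storage as a command-and-control channel, are both visible in ordinary endpoint telemetry. The following is an added detection example written for this summary; it is not code from ESET, The Hacker News, or the threat actor. It assumes Sysmon-style process-creation and network-connection records with the field names shown, a constructed set of sample events, and an illustrative (assumed, not exhaustive) list of cloud-storage API hostnames and of processes expected to talk to them. The rule it applies is: flag any executable started from a Group Policy folder on the domain SYSVOL share, and flag any connection to a cloud-storage service from a process that is not a browser or a known sync client.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (Sysmon-style records). These are illustrative
# events written for this example, not data taken from the ESET report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "host": "WS-01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\gpscript.exe",
     "cmdline": "gpscript.exe /Logon"},
    {"type": "process", "host": "WS-01", "user": "CORP\\alice",
     # Executable launched from a GPO logon-script folder on the SYSVOL share
     # (constructed GPO GUID).
     "image": "\\\\corp.example\\SYSVOL\\corp.example\\Policies\\"
              "{0F1E2D3C-4B5A-4697-8877-665544332211}\\User\\Scripts\\Logon\\update.exe",
     "cmdline": "update.exe"},
    {"type": "process", "host": "WS-02", "user": "CORP\\bob",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE"},
    {"type": "network", "host": "WS-01", "user": "CORP\\alice",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
     "dest_host": "graph.microsoft.com", "dest_port": "443"},
    {"type": "network", "host": "WS-02", "user": "CORP\\bob",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "drive.google.com", "dest_port": "443"},
    {"type": "network", "host": "WS-03", "user": "CORP\\carol",
     "image": "C:\\Users\\carol\\AppData\\Roaming\\sync.exe",
     "dest_host": "cloud-api.yandex.net", "dest_port": "443"},
]

# Matches \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\ in an image path
# or command line, i.e. a binary or script stored inside a Group Policy object.
SYSVOL_POLICY_RE = re.compile(
    r"\\\\[^\\]+\\sysvol\\[^\\]+\\policies\\\{[0-9a-f-]{36}\}\\", re.IGNORECASE)

# Assumed, illustrative list of cloud-storage API/web hosts for the services
# named in the report (OneDrive, Google Drive, Yandex Disk). Tune for your estate.
CLOUD_STORAGE_HOSTS = {
    "graph.microsoft.com", "onedrive.live.com", "api.onedrive.com",
    "drive.google.com", "www.googleapis.com",
    "cloud-api.yandex.net", "webdav.yandex.ru", "disk.yandex.ru",
}

# Assumed allow-list: processes that legitimately talk to these services.
EXPECTED_CLOUD_CLIENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe", "onedrive.exe", "googledrivefs.exe",
}


def is_sysvol_policy_path(text: str) -> bool:
    """True if the text references a file under a GPO folder on SYSVOL."""
    return bool(SYSVOL_POLICY_RE.search(text))


def is_cloud_storage_host(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed cloud-storage host."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in CLOUD_STORAGE_HOSTS)


def image_name(image: str) -> str:
    """Return the lower-cased file name of an image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply both rules and return one finding per matching event."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev["type"] == "process":
            if is_sysvol_policy_path(ev["image"]) or is_sysvol_policy_path(ev.get("cmdline", "")):
                findings.append({"host": ev["host"], "rule": "exec-from-gpo-policy-share",
                                 "image": ev["image"]})
        elif ev["type"] == "network":
            if is_cloud_storage_host(ev["dest_host"]) and image_name(ev["image"]) not in EXPECTED_CLOUD_CLIENTS:
                findings.append({"host": ev["host"], "rule": "cloud-storage-from-unexpected-process",
                                 "image": ev["image"], "dest": ev["dest_host"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

On the constructed sample the two rules together produce three findings: the logon-script executable on WS-01, and the unexpected processes on WS-01 and WS-03 reaching OneDrive and Yandex Disk endpoints. Chrome reaching Google Drive is left alone, as is gpscript.exe itself, which is normal at logon; the signal is the binary inside the GPO folder, not the Group Policy engine. In production the SYSVOL rule pairs naturally with change auditing on the Policies folder, since a freshly modified GPO that starts pushing an executable is the earlier observation.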
The tools used by LongNosedGoblin appear to have been built specifically for the group and are mostly written in C#/.NET, which suggests a toolset under active development that has been in use for some time. It is therefore likely that these tools have been reused many times over the years.
LongNosedGoblin has several tools that have been seen and are referred to by the following names:
1. NosyHistorian - Collects browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox without being visible to the user and sends it back to LongNosedGoblin's command-and-control servers.
2. NosyDoor - A backdoor that allows LongNosedGoblin to communicate with compromised computers using OneDrive. Also contains functionality for stealing files, deleting files, and executing commands.
3. NosyStealer - Collects browser information and sends that information to Google Drive as an encrypted ZIP file.
4. NosyDownloader - Downloads and executes malware in system RAM.
5. NosyLogger - A modified version of a keylogger built with DuckSharp.
ESET first detected LongNosedGoblin activity in February 2024 during an investigation at a Southeast Asian government agency. Analysis of these detections found that Group Policy had been used to distribute malware across the various systems of a single organization. How the attackers gained access to the organization in the first place is presently unknown.
Surprisingly, not all victims were handled in the same way. While most systems were infected with NosyHistorian earlier in 2024, a small but carefully targeted set of systems received the much more sophisticated NosyDoor backdoor. Some of the samples were hard-coded with specific targets so that they would execute only on their intended machines. This targeting indicates a deliberate campaign rather than opportunistic mass distribution.
In addition to the Nosy toolset, the group is known to deploy additional capabilities, including a reverse SOCKS5 proxy, audio and video recording utilities, and a loader for the Cobalt Strike framework.
ESET has observed a small number of similarities between LongNosedGoblin and other groups in China that operate in a similar fashion (e.g., ToddyCat and Erudite Mogwai); however, ESET does not claim to have directly attributed any of the activity to these other groups. Despite this lack of attribution, some indicators suggest that certain tools used by LongNosedGoblin are the same as, or closely connected to, those used by groups operating the LuckyStrike Agent. This overlap includes references to "Paid Version" appearing in their debugging paths. There is thus reason to suspect that these tools may be shared, sold, or reused between multiple groups.
ESET later discovered a new version of NosyDoor that was targeted at a European Union organization using Yandex Disk as its command-and-control server. This supports the notion that LongNosedGoblin’s malware has been utilized in a wider context than just one operation, and may be part of an entire ecosystem of espionage tools used by China.
Source: The Hacker News
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067