China-aligned threat group uses Windows Group Policy to deploy espionage malware

December 19, 2025

A previously undocumented China-aligned threat cluster called “LongNosed Goblin” has been linked to a series of cyberattacks targeting government agencies in Southeast Asia and Japan.

Slovak cybersecurity company ESET said in a report released today that the ultimate goal of these attacks is cyber espionage. The threat activity cluster is assessed to have been active since at least September 2023.

“LongNosed Goblin leverages Group Policy to deploy malware across compromised networks, deploying cloud services (such as Microsoft OneDrive and Google Drive) as command and control (C&C) servers,” security researchers Anton Cherepanov and Peter Strýček said in a statement.

Group Policy is a mechanism for managing settings and permissions on Windows machines. According to Microsoft, Group Policy can be used to define the configuration of groups of users and client computers and to manage server computers.
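Because the report's central detail is that the malware was distributed through Group Policy, a defender's first question is which GPOs deploy commands and from where. The following Python script is an added example, not ESET's tooling and not code from this article: it parses two of the GPO artifact types stored in SYSVOL, Group Policy Preferences ScheduledTasks.xml and the scripts.ini that lists startup and shutdown scripts, and flags commands that launch from outside the usual program directories or the domain's NETLOGON/SYSVOL shares. The sample files, task names and paths are constructed, and the list of "expected" locations is an assumption to tune per environment.

```python
"""Audit GPO artifacts (GPP ScheduledTasks.xml and scripts.ini) for commands that
launch from unusual locations. Added defensive example; samples are constructed."""
from __future__ import annotations
import configparser
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed baseline: where GPO-deployed binaries and scripts normally live.
LOCAL_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\",
                  "c:\\program files (x86)\\")
UNC_MARKERS = ("\\netlogon\\", "\\sysvol\\")


@dataclass
class GpoCommand:
    source: str       # file the command was read from
    name: str         # task name, or scripts.ini section (Startup/Shutdown)
    run_as: str       # account the task runs as ("" for scripts)
    command: str
    arguments: str

    @property
    def suspicious(self) -> bool:
        return not expected_location(self.command)


def expected_location(command: str) -> bool:
    """True when the command path lies in one of the baseline locations."""
    c = command.strip().strip('"').lower()
    if c.startswith("\\\\"):                       # UNC path
        return any(m in c for m in UNC_MARKERS)
    return c.startswith(LOCAL_PREFIXES)


def parse_scheduled_tasks(xml_text: str) -> list[GpoCommand]:
    """Extract every <Exec> action from a GPP ScheduledTasks.xml document."""
    found = []
    for task in ET.fromstring(xml_text):           # TaskV2, ImmediateTaskV2, ...
        props = task.find("Properties")
        if props is None:
            continue
        for exec_el in props.iter("Exec"):
            found.append(GpoCommand(
                "ScheduledTasks.xml", task.get("name", "?"), props.get("runAs", ""),
                exec_el.findtext("Command", "").strip(),
                exec_el.findtext("Arguments", "").strip()))
    return found


def parse_scripts_ini(ini_text: str) -> list[GpoCommand]:
    """Extract NCmdLine / NParameters pairs from a GPO scripts.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    found = []
    for section in cp.sections():
        for key, value in cp[section].items():     # option names are lower-cased
            if key.endswith("cmdline"):
                params = cp[section].get(key[:-len("cmdline")] + "parameters", "")
                found.append(GpoCommand("scripts.ini", section, "", value, params))
    return found


def _read_text(path: str) -> str:
    # scripts.ini on disk is usually UTF-16 with a BOM; the XML is UTF-8.
    data = open(path, "rb").read()
    utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    return data.decode("utf-16" if utf16 else "utf-8-sig")


def scan_gpo_tree(root_dir: str) -> list[GpoCommand]:
    """Walk a SYSVOL-style tree (e.g. an offline copy of Policies\) and collect commands."""
    found = []
    for dirpath, _, files in os.walk(root_dir):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.lower() == "scheduledtasks.xml":
                cmds = parse_scheduled_tasks(_read_text(path))
            elif fname.lower() == "scripts.ini":
                cmds = parse_scripts_ini(_read_text(path))
            else:
                continue
            for c in cmds:
                c.source = path
            found.extend(cmds)
    return found


# Constructed samples (not real GPO content): one odd task, one expected task,
# one expected NETLOGON script and one script from a user-writable directory.
SAMPLE_TASKS_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Update">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author">
        <Exec><Command>C:\Windows\Temp\svchost.exe</Command><Arguments>-k</Arguments></Exec>
      </Actions></Task></Properties></TaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="AgentCheck">
    <Properties action="U" name="AgentCheck" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author">
        <Exec><Command>"C:\Program Files\Vendor\agent.exe"</Command><Arguments>/check</Arguments></Exec>
      </Actions></Task></Properties></TaskV2>
</ScheduledTasks>"""
SAMPLE_SCRIPTS_INI = r"""[Startup]
0CmdLine=\\corp.example\netlogon\inventory.bat
0Parameters=
1CmdLine=C:\Users\Public\update.vbs
1Parameters=/silent
"""

if __name__ == "__main__":
    for c in parse_scheduled_tasks(SAMPLE_TASKS_XML) + parse_scripts_ini(SAMPLE_SCRIPTS_INI):
        flag = "SUSPICIOUS" if c.suspicious else "ok"
        print(f"{flag:10} {c.source} [{c.name}] runAs={c.run_as!r} {c.command} {c.arguments}")
```

Run `scan_gpo_tree()` against an offline copy of the domain's Policies folder and review each flagged entry together with the GPO's last-modified time and the account that changed it; a task or script pointing into Temp, Users\Public or another user-writable path is the kind of entry worth pulling for analysis.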

The attacks are characterized by the use of a variety of custom tools, primarily C#/.NET applications:

  • NosyHistorian collects browser history from Google Chrome, Microsoft Edge and Mozilla Firefox.
  • NosyDoor is a backdoor that uses Microsoft OneDrive as a C&C and executes commands that allow file extraction, file deletion, and shell command execution.
  • NosyStealer extracts browser data from Google Chrome and Microsoft Edge to Google Drive in the form of encrypted TAR archives.
  • NosyDownloader downloads payloads such as NosyLogger and executes them in memory.
  • NosyLogger is a modified version of DuckSharp used to log keystrokes.

Figure: NosyDoor execution chain

ESET said it first detected activity related to the hacking group on the systems of a government agency in Southeast Asia in February 2024, and ultimately discovered that Group Policy was being used to distribute malware to multiple systems in the same organization. The exact initial access method used in the attack is currently unknown.

Further analysis reveals that while many victims were affected by NosyHistorian between January and March 2024, only a portion of these victims were infected by NosyDoor, indicating a more targeted approach. In some cases, droppers used to deploy backdoors using AppDomainManager injection have been found to contain “execution guardrails” designed to restrict operations on specific victim machines.
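The droppers described above rely on AppDomainManager injection, which points a .NET executable's configuration (the .exe.config file beside it, or the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables) at a custom AppDomainManager assembly that the CLR loads before the program's own code runs. The following Python script is an added example, not from the article or from ESET: it inspects .exe.config files for those settings, notes whether ETW has been switched off in the same file, and reports whether a matching manager DLL sits next to the executable. The config contents, file names and the "UpdateHelper" assembly name are constructed.

```python
"""Scan .NET app config files for AppDomainManager injection settings.
Added defensive example (not ESET's tooling); the samples are constructed."""
from __future__ import annotations
import os
import tempfile
import xml.etree.ElementTree as ET

# Environment variables that can redirect the CLR to a custom AppDomainManager.
ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def inspect_app_config(xml_text: str) -> dict | None:
    """Return AppDomainManager settings found under <runtime>, or None if absent."""
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    asm_value = asm.get("value", "") if asm is not None else ""
    etw = runtime.find("etwEnable")          # often disabled in the same file
    return {
        "assembly": asm_value,
        "assembly_name": asm_value.split(",")[0].strip(),
        "type": typ.get("value", "") if typ is not None else "",
        "etw_disabled": etw is not None and etw.get("enabled", "true").lower() == "false",
    }


def env_indicators(env: dict[str, str]) -> list[str]:
    """Names of the redirecting environment variables that are set in `env`."""
    return [k for k in ENV_VARS if env.get(k)]


def scan_tree(root_dir: str) -> list[dict]:
    """Find .exe.config files under root_dir that name an AppDomainManager."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fname in files:
            if not fname.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                result = inspect_app_config(open(path, encoding="utf-8-sig").read())
            except ET.ParseError:
                continue
            if result:
                exe = path[:-len(".config")]
                # The injected manager DLL is normally dropped beside the host exe.
                dll = os.path.join(dirpath, result["assembly_name"] + ".dll")
                result.update(config=path, exe_present=os.path.exists(exe),
                              dll_present=os.path.exists(dll))
                findings.append(result)
    return findings


# Constructed samples: one config that redirects the AppDomainManager, one that
# only tunes the garbage collector.
SUSPICIOUS_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0.30319" sku=".NETFramework,Version=v4.7.2"/></startup>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
    <etwEnable enabled="false"/>
  </runtime>
</configuration>"""
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0.30319"/></startup>
  <runtime><gcServer enabled="true"/></runtime>
</configuration>"""


def demo() -> list[dict]:
    """Build a throwaway tree with one injected and one benign app, then scan it."""
    with tempfile.TemporaryDirectory() as d:
        for exe, cfg, manager in (("Tool.exe", SUSPICIOUS_CONFIG, "UpdateHelper.dll"),
                                  ("Other.exe", BENIGN_CONFIG, None)):
            open(os.path.join(d, exe), "wb").close()          # placeholder host exe
            open(os.path.join(d, exe + ".config"), "w").write(cfg)
            if manager:
                open(os.path.join(d, manager), "wb").close()  # placeholder manager DLL
        return scan_tree(d)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['config']}: manager={f['assembly_name']} type={f['type']} "
              f"etw_disabled={f['etw_disabled']} dll_present={f['dll_present']}")
    print("env indicators:", env_indicators(dict(os.environ)))
```

A config that names an AppDomainManager is rare for ordinary line-of-business software, so a hit is usually worth a look even before checking the DLL; a config that also disables ETW and points at a DLL that was written at the same time as the config is a strong signal.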

LongNosed Goblin also employs other tools, including a reverse SOCKS5 proxy, a utility that runs a video recorder to capture audio and video, and a Cobalt Strike loader.

The cybersecurity firm noted that the attacker's modus operandi overlaps slightly with clusters tracked as ToddyCat and Erudite Mogwai, but stressed the lack of conclusive evidence linking them. However, the similarities between NosyDoor and LuckyStrike Agent, and the presence of the phrase “Paid Version” in LuckyStrike Agent's PDB path, raise the possibility that this malware could be sold or licensed to other threat actors.

“We subsequently identified another instance of the NosyDoor variant targeting organizations in EU member states, again using a different TTP and using the Yandex Disk cloud service as a C&C server,” the researchers said. “The use of this NosyDoor variant suggests that this malware may be being shared among multiple Chinese-aligned threat groups.”
