- \n
- LongNosedGoblin is a newly discovered China-aligned APT group targeting governmental entities in Southeast Asia and Japan, with the goal of cyberespionage.<\/li>\n
- The group has been active since at least September 2023.<\/li>\n
- LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&C) servers.<\/li>\n
- One of the group\u2019s tools, NosyHistorian, is used to gather browser history and decide where to deploy further malware, such as the NosyDoor backdoor.<\/li>\n
- NosyDoor is most likely being shared by multiple China-aligned threat actors.<\/li>\n
- We provide a detailed analysis of NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, NosyLogger, and other tools used by LongNosedGoblin.<\/li>\n<\/ul>\n<\/blockquote>\n
Smells like trouble: Introducing LongNosedGoblin<\/h2>\n
LongNosedGoblin is a China-aligned APT group that targets governmental entities in Southeast Asia and Japan, with the goal of conducting cyberespionage. As we already mentioned: in its campaigns, LongNosedGoblin abuses Group Policy<\/a> \u2013 a mechanism for managing settings and permissions on Windows machines, typically used with Active Directory \u2013 to deploy malware and move laterally across the compromised network.<\/p>\n
One of the main tools in its arsenal is NosyHistorian, a C#\/.NET application that the group uses to collect browser history, which is then used to determine where to deploy further malware. This includes another major LongNosedGoblin tool, a backdoor that we named NosyDoor, which, in campaigns we observed, used Microsoft OneDrive as its C&C server. NosyDoor also employs living-off-the-land techniques in its execution chain, namely AppDomainManager injection<\/a>. Finally, several of the group\u2019s tools can bypass the Antimalware Scan Interface<\/a> (AMSI), which enables antimalware products to scan various scripts before execution.<\/p>\n
Discovery<\/h3>\n
In February 2024, we found unknown malware on a system of a governmental entity in Southeast Asia. The malware was used to drop a custom backdoor, which we later named NosyDoor. At the same time, we noticed that the compromise involved not just one, but multiple machines from the same entity, with the malware having been deployed via Group Policy.<\/p>\n
Additional analysis revealed that the same victims were also afflicted with a different malicious tool distributed via Group Policy, this one used for collecting browser history. We named the tool NosyHistorian. While we found many victims affected by NosyHistorian in the course of our original investigation between January and March 2024, only a small subset of them were compromised by NosyDoor. Some samples of NosyDoor\u2019s dropper even contained execution guardrails to limit operation to specific victims\u2019 machines.<\/p>\n
Later, we identified even more unknown malware on the victims\u2019 machines: NosyStealer, which exfiltrates browser data; NosyDownloader, which downloads and runs a payload in memory; NosyLogger, a keylogger; other tools like a reverse SOCKS5 proxy; and an argument runner (a tool that runs an application passed as an argument) that was used to run a video recorder, likely FFmpeg<\/a>, to capture audio and video. The downloader was first recorded in our telemetry as far back as September 2023.<\/p>\n
Attribution<\/h3>\n
Due to the unique toolset, alongside the use of Group Policy for lateral movement, we decided to attribute the attacks to a new China-aligned APT group, and named it LongNosedGoblin. We noticed some overlap in the file paths mentioned in a Kaspersky blogpost about ToddyCat activity<\/a>, an APT group with similar targeting<\/a>, but the malware in that report lacks code similarity with the malware considered here.<\/p>\n
It should also be noted that in June 2025, the Russian cybersecurity company Solar published a blogpost<\/a> on an APT group it refers to as Erudite Mogwai, which used a payload that closely resembles LongNosedGoblin\u2019s NosyDoor. According to the authors, Erudite Mogwai targeted the IT infrastructure of a Russian government organization and Russian IT companies, using the LuckyStrike Agent backdoor in its operations.<\/p>\n
However, we cannot confirm that Erudite Mogwai and LongNosedGoblin are one and the same, as there is a definite difference in TTPs between the two groups. Notably, the Erudite Mogwai research does not mention the abuse of Active Directory Group Policy for malware deployment \u2013 a technique that is quite specific to LongNosedGoblin\u2019s operations.<\/p>\n
We later identified another instance of a NosyDoor variant targeting an organization in an EU country, once again employing different TTPs, and using the Yandex Disk cloud service as a C&C server. The use of this NosyDoor variant suggests that the malware may be shared among multiple China-aligned threat groups. This is further corroborated by Solar\u2019s observation of the word Paid<\/span> in the PDB path of NosyDoor, suggesting that the malware may be commercially provided as a service \u2013 potentially indicating it is being sold or licensed to other threat actors.<\/p>\n
Later campaigns<\/h3>\n
Throughout 2024, LongNosedGoblin was actively deploying NosyDownloader in Southeast Asia. In December of the same year, we detected an updated version of NosyHistorian in Japan, but then observed no subsequent activity.<\/p>\n
In September 2025, we began seeing renewed activity of the group in Southeast Asia. As in previous campaigns, the threat actor leveraged Group Policy to deliver NosyHistorian to targeted machines.<\/p>\n
During this wave of attacks, we noticed behavior consistent with Cobalt Strike<\/a> usage: a loader named oci.dll<\/span> was downloaded on a single machine, with a payload named ocapi.edb<\/span> loaded from disk. LongNosedGoblin then subsequently deployed the potential Cobalt Strike loader to selected machines via Group Policy.<\/p>\n
Additionally, we saw that another similar component, mscorsvc.dll<\/span>, was downloaded, with its payload stored in conf.ini<\/span>. This loader was then deployed to victims\u2019 machines using Group Policy, employing the same delivery mechanism as oci.dll<\/span>.<\/p>\n
Nosing around: LongNosedGoblin\u2019s toolset<\/h2>\n
NosyHistorian<\/h3>\n
NosyHistorian is a C#\/.NET application with a self-explanatory internal name GetBrowserHistory<\/span>, as it, indeed, collects browser history. In the observed campaigns, the attackers used this tool to gain insight about the machines in the compromised infrastructure. Based on this information, they picked a small subset of specific victims to compromise further with their NosyDoor backdoor.<\/p>\n
We saw the tool being deployed via Group Policy under the filename History.ini<\/span>, disguising the file as an INI file. In reality, this is a portable executable (PE) file, with the goal most likely being to blend in with other INI files commonly<\/a> stored in the Group Policy cache directory.<\/p>\n
NosyHistorian iterates over all users on the machine and retrieves the browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox. Each history database file is copied to a temporary directory and then uploaded to a specific hardcoded SMB share within the local network of the compromised organization. NosyHistorian\u2019s filename for each web browser\u2019s history file is listed in Table 1, where <profile_name><\/span> corresponds to web browser profiles.<\/p>\n
Table 1. Crafted history filenames by NosyHistorian<\/em><\/p>\n<\/p>\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/12-25\/longnosedgoblin\/figure-1-1.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/12-25\/longnosedgoblin\/figure-2.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/12-25\/longnosedgoblin\/figure-3.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/12-25\/longnosedgoblin\/figure-5-1.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/12-25\/longnosedgoblin\/figure-6.png\" "\\"Figure")