
Attempts to sniff out governmental affairs in Southeast Asia and Japan

Severity: Medium
Published: Fri Dec 19 2025 (12/19/2025, 16:22:33 UTC)
Source: AlienVault OTX General

Description

The LongNosedGoblin APT group, aligned with China, targets governmental entities in Southeast Asia and Japan using custom C#/.NET malware. They leverage Group Policy for malware deployment and lateral movement, employing tools like NosyHistorian to collect browser history, NosyDoor as a cloud-based backdoor, and NosyStealer for exfiltrating browser data. Active since at least September 2023, the group uses advanced techniques including AMSI bypass and living-off-the-land tactics, indicating a sophisticated multi-stage cyberespionage campaign. While primarily focused on Southeast Asia and Japan, European organizations with similar IT environments or geopolitical interests could be at risk. The threat is medium severity, with no known public exploits but significant espionage capabilities. Defenders should focus on monitoring Group Policy changes, detecting unusual cloud service communications, and hardening endpoint security against AMSI bypass techniques.

AI-Powered Analysis

Last updated: 12/19/2025, 19:01:04 UTC

Technical Analysis

LongNosedGoblin is a newly identified advanced persistent threat (APT) group with a China-aligned cyberespionage agenda targeting governmental organizations primarily in Southeast Asia and Japan. The group employs a custom toolset predominantly developed in C#/.NET, which includes several specialized malware components: NosyHistorian for harvesting browser history, NosyDoor as a stealthy backdoor leveraging cloud services for command and control (C2), and NosyStealer designed to exfiltrate sensitive browser data. Their operational tactics involve the abuse of Windows Group Policy to deploy malware across networks and facilitate lateral movement, enabling broad internal access once a foothold is established. The group also uses advanced evasion techniques such as AMSI (Antimalware Scan Interface) bypassing to avoid detection by security products and living-off-the-land methods that utilize legitimate system tools to minimize their footprint. The campaign is multi-staged, indicating a well-planned and persistent approach to infiltrate and maintain access within targeted networks. Indicators of compromise include specific malware hashes, IP addresses, and domains associated with their infrastructure. Although no public exploits are currently known, the sophistication and targeted nature of LongNosedGoblin’s operations pose a significant espionage threat to governmental entities and potentially other organizations with sensitive information.

Potential Impact

For European organizations, particularly governmental and critical infrastructure entities, the LongNosedGoblin threat represents a medium-level espionage risk. While the group’s primary focus is Southeast Asia and Japan, European entities with geopolitical ties or similar IT environments using Windows Active Directory and Group Policy could be targeted or affected by spillover attacks. The use of Group Policy for malware deployment can lead to widespread compromise within an organization’s network, enabling attackers to harvest sensitive data such as browser histories and credentials, potentially leading to further espionage or data leaks. The stealthy use of cloud services for C2 complicates detection and response efforts. If successful, such intrusions could undermine the confidentiality and integrity of sensitive governmental communications and data, potentially impacting national security and diplomatic relations. The medium severity reflects the complexity and targeted nature of the threat: exploitation is of moderate difficulty because it requires initial access, and no public exploits are known. European organizations must remain vigilant to prevent lateral movement and data exfiltration.

Mitigation Recommendations

1. Monitor and audit Group Policy Objects (GPOs) rigorously for unauthorized changes or suspicious deployment activities, as LongNosedGoblin leverages GPO for malware distribution.
2. Implement strict network segmentation and least privilege principles to limit lateral movement opportunities within internal networks.
3. Deploy endpoint detection and response (EDR) solutions capable of detecting AMSI bypass techniques and living-off-the-land tactics, focusing on anomalous use of legitimate Windows tools.
4. Monitor outbound traffic for unusual connections to cloud service domains and IPs associated with the threat actor’s infrastructure, including the identified domains and IP addresses.
5. Enforce multi-factor authentication (MFA) and strong credential hygiene to reduce the risk of initial access.
6. Conduct regular threat hunting exercises focusing on browser data exfiltration indicators and backdoor persistence mechanisms.
7. Keep all systems and security tools updated to leverage the latest detection capabilities against custom malware.
8. Train security teams on recognizing signs of sophisticated APT activity, including multi-stage execution and stealthy persistence methods.
9. Collaborate with national cybersecurity centers and share threat intelligence related to LongNosedGoblin indicators to enhance collective defense.
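As an added illustration of recommendations 1 and 4 (example code, not from the pulse or from ESET's research), two detection rules are run over constructed Windows Security and Sysmon events: one flags GPO objects created or modified by an account outside an admin allow-list, the other flags DNS lookups of the backdoor's cloud provider from processes that are not browsers or expected cloud clients. The JSON field names, the allow-lists and the choice of Google's service-account endpoint domain as the cloud C2 provider are assumptions of this example.

```python
import fnmatch
import json

# Accounts expected to edit GPOs (assumption: the organisation's GPO admins).
GPO_ADMINS = {"CORP\\gpo-admin", "CORP\\svc-sccm"}
# Cloud C2 provider domain: gserviceaccount.com is Google's service-account
# endpoint domain; treating it as the backdoor's C2 provider is an assumption.
CLOUD_C2_PATTERNS = ("*.iam.gserviceaccount.com",)
# Processes expected to talk to that domain (assumption).
BENIGN_CLOUD_PROCESSES = {"chrome.exe", "msedge.exe", "gcloud.exe"}


def check_gpo_change(ev):
    """Rule 1: Security event 5136/5137 (object modified/created) on a
    groupPolicyContainer, performed by an account outside GPO_ADMINS."""
    if ev.get("EventID") not in (5136, 5137):
        return None
    actor = ev.get("SubjectUserName")
    if ev.get("ObjectClass") != "groupPolicyContainer" or actor in GPO_ADMINS:
        return None
    return f"GPO {ev.get('ObjectDN')} changed by unexpected account {actor}"


def check_cloud_c2(ev):
    """Rule 2: Sysmon event 22 (DNS query) for the C2 provider domain from a
    process that is neither a browser nor an expected cloud client."""
    if ev.get("EventID") != 22:
        return None
    host = ev.get("QueryName", "").lower()
    if not any(fnmatch.fnmatch(host, p) for p in CLOUD_C2_PATTERNS):
        return None
    proc = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if proc in BENIGN_CLOUD_PROCESSES:
        return None
    return f"{proc} on {ev.get('Computer')} queried {host}"


def run_rules(lines):
    """Apply both rules to newline-delimited JSON events; return alert strings."""
    events = [json.loads(line) for line in lines]
    return [hit for ev in events for rule in (check_gpo_change, check_cloud_c2)
            if (hit := rule(ev))]


# Constructed sample events in a JSON-normalised shape (not real telemetry).
SAMPLE = [
    '{"EventID": 5136, "ObjectClass": "groupPolicyContainer", "ObjectDN": "CN={A1B2},CN=Policies,CN=System,DC=corp,DC=local", "SubjectUserName": "CORP\\\\jdoe"}',
    '{"EventID": 5137, "ObjectClass": "groupPolicyContainer", "ObjectDN": "CN={C3D4},CN=Policies,CN=System,DC=corp,DC=local", "SubjectUserName": "CORP\\\\gpo-admin"}',
    '{"EventID": 22, "Computer": "ws01", "Image": "C:\\\\Windows\\\\Temp\\\\upd.exe", "QueryName": "example-12345.iam.gserviceaccount.com"}',
    '{"EventID": 22, "Computer": "ws02", "Image": "C:\\\\Program Files\\\\Google\\\\Chrome\\\\chrome.exe", "QueryName": "example-12345.iam.gserviceaccount.com"}',
]
```

Running `run_rules(SAMPLE)` yields two alerts: the GPO edit by CORP\jdoe and the service-account lookup from upd.exe; the admin's GPO change and the browser's lookup are suppressed by the allow-lists.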


Technical Details

Author
AlienVault
TLP
white
References
https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan
Adversary
LongNosedGoblin
Pulse Id
69457bc9ca97fde0a0f01d2c
Threat Score
null

Indicators of Compromise

Threat ID: 69459d520919c12884942c59

Added to database: 12/19/2025, 6:45:38 PM

Last enriched: 12/19/2025, 7:01:04 PM

Last updated: 12/19/2025, 11:34:40 PM
