Attempts to sniff out governmental affairs in Southeast Asia and Japan
Description
A newly discovered China-aligned APT group named LongNosedGoblin has been targeting governmental entities in Southeast Asia and Japan for cyberespionage purposes. The group employs a varied custom toolset consisting mainly of C#/.NET applications and notably uses Group Policy to deploy malware and move laterally across compromised networks. Their main tools include NosyHistorian for collecting browser history, NosyDoor backdoor using cloud services as C&C, and NosyStealer for exfiltrating browser data. The group has been active since at least September 2023 and uses techniques like AMSI bypassing and living-off-the-land tactics. LongNosedGoblin's campaigns involve multiple stages of execution and various malware components, showcasing a sophisticated approach to cyber espionage operations.
AI Analysis
Technical Summary
LongNosedGoblin is a recently identified APT group aligned with China, active since at least September 2023, focusing on cyberespionage against governmental organizations in Southeast Asia and Japan. The group employs a sophisticated custom malware toolset primarily developed in C#/.NET, comprising NosyHistorian for harvesting browser histories, NosyDoor as a stealthy backdoor utilizing cloud services for command and control, and NosyStealer for exfiltrating sensitive browser data. Their operational tactics include abusing Windows Group Policy Objects (GPOs) to deploy malware and facilitate lateral movement across compromised networks, enabling broad internal access once initial footholds are established. They use advanced evasion techniques such as AMSI bypassing to evade antimalware detection and living-off-the-land methods that exploit legitimate Windows tools to minimize their footprint and avoid raising suspicion. The attack campaigns are multi-staged, indicating a well-planned and persistent approach to infiltrate, maintain access, and exfiltrate data from targeted networks. Indicators of compromise include specific malware hashes, IP addresses, and domains linked to their infrastructure, including cloud service domains used for command and control. While no public exploits are currently known, the group’s use of Group Policy for malware deployment and lateral movement presents a significant risk to organizations using Windows Active Directory environments. The threat actor’s focus on browser data collection and exfiltration suggests a goal of gathering intelligence on governmental affairs and sensitive communications. The medium severity rating reflects the complexity and targeted nature of the threat, requiring initial access but no publicly known exploits, and the potential for significant espionage impact.
Potential Impact
For European organizations, especially governmental bodies and critical infrastructure entities, LongNosedGoblin represents a medium-level espionage threat. Although the group’s primary targets are in Southeast Asia and Japan, European entities with similar IT infrastructures—particularly those using Windows Active Directory and Group Policy—could be vulnerable to spillover or secondary targeting, especially if they have geopolitical ties or share intelligence with affected regions. The abuse of Group Policy for malware deployment can lead to rapid and widespread compromise within an organization’s network, enabling attackers to move laterally and harvest sensitive data such as browser histories, credentials, and other confidential information. The use of cloud services for command and control complicates detection and response, as traffic may blend with legitimate cloud communications. Successful intrusions could undermine the confidentiality and integrity of sensitive governmental communications, potentially impacting national security, diplomatic relations, and trust in digital infrastructure. The stealthy and persistent nature of the threat increases the difficulty of timely detection and eradication, raising the risk of prolonged espionage campaigns.
Mitigation Recommendations
1. Implement continuous monitoring and auditing of Group Policy Objects (GPOs) to detect unauthorized or suspicious changes indicative of malware deployment.
2. Enforce strict network segmentation and apply least privilege access controls to limit lateral movement opportunities within internal networks.
3. Deploy advanced Endpoint Detection and Response (EDR) solutions capable of detecting AMSI bypass techniques and living-off-the-land tactics, focusing on anomalous usage of legitimate Windows tools and processes.
4. Monitor outbound network traffic for unusual connections to known malicious IP addresses and domains associated with LongNosedGoblin, including cloud service domains used for command and control.
5. Enforce multi-factor authentication (MFA) and maintain strong credential hygiene to reduce the risk of initial compromise.
6. Conduct regular threat hunting exercises focused on indicators of browser data exfiltration and stealthy backdoor persistence mechanisms.
7. Keep all operating systems, security tools, and endpoint software up to date to leverage the latest detection and mitigation capabilities against custom malware.
8. Provide targeted training for security teams to recognize signs of sophisticated APT activity, including multi-stage execution and stealthy persistence methods.
9. Establish information sharing and collaboration with national cybersecurity centers and international partners to exchange threat intelligence related to LongNosedGoblin indicators and tactics.
10. Consider deploying network detection tools that can analyze Group Policy changes and unusual cloud service interactions in real time.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Indicators of Compromise
- hash: d53fcc01038e20193fbd51b7400075cf7c9c4402b73da7b0db836b000ebd8b1c
- ip: 101.99.88.113
- ip: 101.99.88.188
- ip: 118.107.234.26
- ip: 118.107.234.29
- ip: 38.54.17.131
- domain: newso.com
- domain: policy-my.com
- domain: dev0-411506.iam.gserviceaccount.com
- domain: 40dev0-411506.iam.gserviceaccount.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan
- Adversary: LongNosedGoblin
- Pulse Id: 69457bc9ca97fde0a0f01d2c
- Threat Score: null
Threat ID: 69459d520919c12884942c59
Added to database: 12/19/2025, 6:45:38 PM
Last enriched: 1/5/2026, 11:10:30 AM
Last updated: 2/4/2026, 9:23:16 AM