
LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan

Medium
Published: Sat Jan 03 2026 (01/03/2026, 11:05:57 UTC)
Source: AlienVault OTX General

Description

ESET researchers have uncovered a new China-aligned APT group named LongNosedGoblin targeting governmental entities in Southeast Asia and Japan for cyberespionage. The group employs a varied custom toolset of C#/.NET applications and abuses Group Policy for lateral movement. Key tools include NosyHistorian for collecting browser history, NosyDoor backdoor using cloud services as C&C, and NosyStealer for exfiltrating browser data. The attackers also utilize techniques like AppDomainManager injection and AMSI bypassing. LongNosedGoblin has been active since at least September 2023, showing ongoing campaigns throughout 2024 and 2025. The research provides detailed analysis of the group's malware and tactics, including potential sharing of the NosyDoor backdoor among multiple China-aligned actors.

AI-Powered Analysis

AI analysis last updated: 01/05/2026, 11:32:53 UTC

Technical Analysis

LongNosedGoblin is a newly identified China-aligned APT group conducting cyberespionage against governmental organizations in Southeast Asia and Japan. Its arsenal consists of custom C#/.NET applications built to collect sensitive browser data and keep access: NosyHistorian harvests browser history; NosyStealer exfiltrates browser data; and NosyDoor is a backdoor whose command-and-control (C&C) channel runs over legitimate cloud services, so its traffic blends in with ordinary business use and does not depend on attacker-owned hosts that can be taken down. Two of the domains listed below are *.iam.gserviceaccount.com names, i.e. Google Cloud service-account identities, which is consistent with the cloud-based C&C described in the report.

For lateral movement the group abuses Windows Group Policy rather than exploiting a vulnerability: a modified Group Policy Object is applied by every domain member in its scope, so a single edit on a domain controller reaches many hosts. For execution and evasion it uses AppDomainManager injection, in which a legitimate, signed .NET executable is pointed at an attacker-supplied assembly (through an accompanying .exe.config or the APPDOMAIN_MANAGER_ASM/APPDOMAIN_MANAGER_TYPE environment variables) that the runtime loads before the program's own entry point runs, and it bypasses the Antimalware Scan Interface (AMSI) so that its managed payloads are not scanned when loaded. The group has been active since at least September 2023, with campaigns continuing through 2024 and 2025, indicating sustained interest in intelligence from the targeted governments. ESET notes that NosyDoor may be shared among several China-aligned actors, so the backdoor alone is not a reliable attribution signal. Indicators of compromise include a file hash, IP addresses, and domains, listed below. No CVE or public exploit is associated with this activity; the tradecraft relies on custom malware and abuse of built-in Windows features, which is what makes it a significant espionage threat despite the absence of a software vulnerability.
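The AppDomainManager injection technique described above leaves two concrete artefacts a defender can look for: a .exe.config beside a signed .NET binary that sets appDomainManagerAssembly/appDomainManagerType under the runtime element, or a process environment carrying APPDOMAIN_MANAGER_ASM/APPDOMAIN_MANAGER_TYPE. The following is an added Python example, not code from ESET or from the page; the sample configs, the executable names and the assembly name "UpdateHelper" are constructed for illustration and are not real LongNosedGoblin artefacts.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Environment variables the .NET Framework runtime honours for an AppDomainManager
# override; a process started with these set loads the named assembly before Main().
APPDOMAIN_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed sample configs (not real samples). "UpdateHelper" is a hypothetical
# attacker assembly name used only for this example.
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
</configuration>"""

INJECTED_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/>
  </startup>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
  </runtime>
</configuration>"""


def find_appdomain_manager(config_xml):
    """Return {'assembly', 'type'} if a .exe.config sets an AppDomainManager, else None.

    The runtime reads <runtime><appDomainManagerAssembly value=.../> and
    <appDomainManagerType value=.../>. Ordinary applications almost never set them,
    so their presence beside a signed executable is a strong lead on its own.
    """
    root = ET.fromstring(config_xml)
    for runtime in root.iter("runtime"):
        asm = runtime.find("appDomainManagerAssembly")
        typ = runtime.find("appDomainManagerType")
        if asm is not None or typ is not None:
            return {
                "assembly": asm.get("value") if asm is not None else None,
                "type": typ.get("value") if typ is not None else None,
            }
    return None


def env_override(env):
    """Return the AppDomainManager override variables present in a process environment."""
    return {name: env[name] for name in APPDOMAIN_ENV_VARS if name in env}


def sideloaded_dll(exe_dir, manager):
    """Path of the configured assembly if it sits next to the executable, else None.

    The injected assembly is resolved by simple name from the application base, so
    the attacker drops <AssemblyName>.dll beside the legitimate binary.
    """
    if not manager or not manager.get("assembly"):
        return None
    simple_name = manager["assembly"].split(",")[0].strip()
    candidate = os.path.join(exe_dir, simple_name + ".dll")
    return candidate if os.path.isfile(candidate) else None


def scan_directory(path):
    """Scan every *.exe.config in one directory and report AppDomainManager hijacks."""
    findings = []
    for fname in sorted(os.listdir(path)):
        if not fname.lower().endswith(".exe.config"):
            continue
        with open(os.path.join(path, fname), encoding="utf-8") as fh:
            manager = find_appdomain_manager(fh.read())
        if manager is None:
            continue
        findings.append({
            "exe": fname[: -len(".config")],
            "manager": manager,
            "sideloaded_dll": sideloaded_dll(path, manager),
        })
    return findings


def demo():
    """Lay out a constructed directory with one clean and one hijacked executable and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for exe, cfg in (("Clean.exe", BENIGN_CONFIG), ("Signed.exe", INJECTED_CONFIG)):
            open(os.path.join(d, exe), "wb").close()  # stand-in for a signed .NET binary
            with open(os.path.join(d, exe + ".config"), "w", encoding="utf-8") as fh:
                fh.write(cfg)
        open(os.path.join(d, "UpdateHelper.dll"), "wb").close()  # the attacker's assembly
        return scan_directory(d)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['exe']}: AppDomainManager {f['manager']['type']} from "
              f"{f['manager']['assembly']} (DLL present: {f['sideloaded_dll']})")
```

On a live host the same checks map to file-system and process telemetry: walk directories that hold signed .NET executables for an unexpected .exe.config with a runtime element, and alert on process creations whose environment block contains APPDOMAIN_MANAGER_ASM. A hit where the named DLL is present next to the binary and unsigned is the case worth escalating first.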

Potential Impact

For European organizations, the direct impact of LongNosedGoblin is currently limited due to its targeting focus on Southeast Asian and Japanese governmental entities. However, European governmental and diplomatic entities with interests or partnerships in these regions could be indirectly affected through intelligence leaks or supply chain compromises. The use of cloud services for C2 and abuse of Group Policy for lateral movement highlight risks to organizations with complex Windows domain environments and cloud integrations. If the group expands targeting or shares tools with other actors, European entities could face espionage risks involving sensitive political, economic, or strategic information. The compromise of browser data can lead to credential theft, session hijacking, and exposure of confidential communications, undermining confidentiality and trust. The advanced evasion techniques complicate detection and response, potentially allowing prolonged undetected access and data exfiltration. Overall, the threat underscores the need for vigilance in protecting governmental and critical infrastructure networks from sophisticated APT operations.

Mitigation Recommendations

European organizations, especially governmental and diplomatic entities, should implement targeted defenses against LongNosedGoblin's tactics. Restrict who can edit Group Policy Objects (GPOs) and audit every change to them: with "Audit Directory Service Changes" enabled, Security event 5136 records modifications to groupPolicyContainer objects, and changes to the policy files under SYSVOL should be reconciled with change tickets; a GPO that suddenly gains a startup script or a scheduled task is the pattern to hunt for. Use endpoint detection and response (EDR) telemetry to spot AppDomainManager injection (a .exe.config beside a signed .NET binary that sets appDomainManagerAssembly/appDomainManagerType, or a process started with APPDOMAIN_MANAGER_ASM in its environment) and AMSI tampering. Monitor network traffic for the listed IP addresses and domains; because NosyDoor's C&C rides on legitimate cloud services, blocking the provider wholesale is rarely practical, so match the specific hostnames and look for unexpected processes making cloud-API connections. Enforce strict browser security policies and limit the storage of credentials and session data in browsers to reduce the impact of browser data theft. Conduct regular threat hunting against the provided hash, IPs, and domains. Implement multi-factor authentication (MFA) and least privilege to reduce the risk of credential theft and lateral movement. Maintain up-to-date threat intelligence feeds and share relevant findings with national cybersecurity centers and CERTs. Finally, conduct user awareness training to recognize spear-phishing and social engineering attempts that may serve as initial infection vectors.
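To make the GPO-monitoring recommendation concrete, here is an added Python example (not code from the page or from ESET) that triages Security event 5136 records for Group Policy changes. It requires "Audit Directory Service Changes" and a SACL on the GPO containers so that 5136 fires; the field names are the event's EventData names, the two client-side-extension GUIDs are the well-known Scripts and Preferences Scheduled Tasks CSEs, and the events, account names and admin allow-list are constructed for the example.

```python
# Client-side-extension GUIDs that make a GPO run code on every machine it applies to.
EXEC_CSE_GUIDS = {
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "Scripts (startup/shutdown/logon)",
    "{AADCED64-746C-4633-A97C-D61349046527}": "Preferences: Scheduled Tasks",
}

# Attributes whose modification means the GPO's content or its processing changed.
SENSITIVE_ATTRS = {
    "gPCMachineExtensionNames", "gPCUserExtensionNames", "versionNumber", "gPCFileSysPath",
}

# Constructed 5136 events (not from a real incident). Accounts and GPO GUIDs are illustrative.
EVENTS = [
    {"EventID": 5136, "SubjectUserName": "gpo-admin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber", "AttributeValue": "42"},
    {"EventID": 5136, "SubjectUserName": "svc-backup", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "AttributeValue": "[{00000000-0000-0000-0000-000000000000}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
                       "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Analyst"},
]


def triage_gpo_events(events, gpo_admins):
    """Return alerts for 5136 events that touch GPOs, scored by who changed what.

    high   : a non-GPO-admin account enabled a code-executing CSE
    medium : either a non-admin touched a GPO, or a code-executing CSE was enabled
    low    : an expected admin changed a sensitive attribute (e.g. versionNumber on edit)
    """
    admins = {a.lower() for a in gpo_admins}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("ObjectClass") != "groupPolicyContainer":
            continue
        actor = ev.get("SubjectUserName", "")
        attr = ev.get("AttributeLDAPDisplayName", "")
        value = ev.get("AttributeValue", "").upper()
        is_admin = actor.lower() in admins
        reasons = []
        if not is_admin:
            reasons.append(f"modified by account outside the GPO admin list: {actor}")
        if attr in SENSITIVE_ATTRS:
            reasons.append(f"sensitive attribute changed: {attr}")
        enabled = [label for guid, label in EXEC_CSE_GUIDS.items() if guid in value]
        for label in enabled:
            reasons.append(f"enables code-executing CSE: {label}")
        if not reasons:
            continue
        if not is_admin and enabled:
            severity = "high"
        elif enabled or not is_admin:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({
            "gpo": ev.get("ObjectDN"), "actor": actor, "attribute": attr,
            "severity": severity, "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for a in triage_gpo_events(EVENTS, ["gpo-admin"]):
        print(a["severity"].upper(), a["actor"], a["attribute"], "|", "; ".join(a["reasons"]))
```

versionNumber increments on every legitimate edit, so a low-severity alert from an expected admin is the baseline; the high-severity case above (a service account adding the Scheduled Tasks CSE to a GPO) is the shape a Group-Policy-based lateral-movement step takes. In production, correlate the alert with the corresponding file write under SYSVOL and with the change ticket before acting.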


Technical Details

Author: AlienVault
TLP: white
References: https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/
Adversary: LongNosedGoblin
Pulse ID: 6958f815aa5cbfe2f0a8d82d
Threat Score: not assigned

Indicators of Compromise

Hash (SHA-256)

d53fcc01038e20193fbd51b7400075cf7c9c4402b73da7b0db836b000ebd8b1c

IP

101.99.88.113
101.99.88.188
118.107.234.26
118.107.234.29
38.54.17.131

Domain

dev0-411506.iam.gserviceaccount.com
40dev0-411506.iam.gserviceaccount.com
www.privacypolicy-my.com
www.blazenewso.com
www.threadstub.com
www.sslvpnserver.com
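The following is an added Python example, not code from the page or from ESET, that sweeps proxy/DNS-style log lines and a file-hash inventory against the indicators listed above. The indicator values are the page's own; the log lines, the file paths and the second hash in the inventory are constructed. The one design point worth noting is how domain matching is widened: the attacker-registered www.* names are matched on their registrable domain as well, but the *.iam.gserviceaccount.com entries are matched exactly, because their parent zone is shared by every Google Cloud service account.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as listed on this page.
IOC_HASHES = {"d53fcc01038e20193fbd51b7400075cf7c9c4402b73da7b0db836b000ebd8b1c"}
IOC_IPS = {"101.99.88.113", "101.99.88.188", "118.107.234.26", "118.107.234.29", "38.54.17.131"}
IOC_DOMAINS = {
    "dev0-411506.iam.gserviceaccount.com",
    "40dev0-411506.iam.gserviceaccount.com",
    "www.privacypolicy-my.com",
    "www.blazenewso.com",
    "www.threadstub.com",
    "www.sslvpnserver.com",
}
# Service-account names live under Google's shared zone; widening them would flag
# every Google Cloud service account, so they are matched exactly.
EXACT_ONLY_SUFFIX = ".iam.gserviceaccount.com"

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
HOSTNAME = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def match_domain(host):
    """Return the indicator a hostname matches (exact, or the parent of a www. indicator)."""
    host = host.lower().rstrip(".")
    for ioc in sorted(IOC_DOMAINS):
        if host == ioc:
            return ioc
        if ioc.endswith(EXACT_ONLY_SUFFIX):
            continue
        parent = ioc[4:] if ioc.startswith("www.") else ioc
        if host == parent or host.endswith("." + parent):
            return parent
    return None


def extract_endpoints(line):
    """Yield ('ip', addr) or ('host', name) for each network endpoint token in a log line."""
    for token in line.split():
        if "://" in token:
            host = urlsplit(token).hostname
            if host:
                yield ("ip", host) if IPV4.fullmatch(host) else ("host", host)
            continue
        token = token.rsplit(":", 1)[0]  # drop a trailing :port
        if IPV4.fullmatch(token):
            yield ("ip", token)
        elif HOSTNAME.fullmatch(token):
            yield ("host", token.lower())


def sweep_logs(lines):
    """Return one hit per indicator occurrence, with the 1-based line number."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for kind, value in extract_endpoints(line):
            if kind == "ip" and value in IOC_IPS:
                hits.append({"line": lineno, "kind": "ip", "value": value, "indicator": value})
            elif kind == "host":
                ioc = match_domain(value)
                if ioc:
                    hits.append({"line": lineno, "kind": "domain", "value": value, "indicator": ioc})
    return hits


def sweep_hashes(inventory):
    """inventory: iterable of (path, sha256 hex). Case-insensitive match against the listed hash."""
    return [(path, digest.lower()) for path, digest in inventory if digest.lower() in IOC_HASHES]


# Constructed sample data: proxy/DNS-style lines and a file inventory from a hypothetical host.
PROXY_LOG = [
    "2026-01-04T10:12:03Z 10.20.1.42 GET https://www.blazenewso.com/api/v1/sync 200",
    "2026-01-04T10:12:09Z 10.20.1.42 GET https://cdn.blazenewso.com/lib.js 200",
    "2026-01-04T10:13:40Z 10.20.1.42 CONNECT 38.54.17.131:443 200",
    "2026-01-04T10:14:02Z 10.20.1.77 GET https://intranet.corp.example/ 200",
    "2026-01-04T10:15:11Z 10.20.1.77 GET https://storage.googleapis.com/ 200",
    "2026-01-04T10:16:00Z 10.20.1.42 DNS A 40dev0-411506.iam.gserviceaccount.com",
]
INVENTORY = [
    ("C:\\Windows\\System32\\notepad.exe", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("C:\\Users\\analyst\\AppData\\Local\\Temp\\svc.exe",
     "D53FCC01038E20193FBD51B7400075CF7C9C4402B73DA7B0DB836B000EBD8B1C"),
]

if __name__ == "__main__":
    for h in sweep_logs(PROXY_LOG):
        print(f"line {h['line']}: {h['kind']} {h['value']} matches {h['indicator']}")
    for path, digest in sweep_hashes(INVENTORY):
        print(f"file {path} matches hash {digest}")
```

Lines 1, 2, 3 and 6 of the sample log produce hits (line 2 through the widened blazenewso.com match); the storage.googleapis.com request does not, which is the intended behaviour: cloud-provider traffic is only an indicator when it goes to the specific service-account names the report lists.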

Threat ID: 695b9dfc3dc84013b246d8d9

Added to database: 1/5/2026, 11:18:20 AM

Last enriched: 1/5/2026, 11:32:53 AM

Last updated: 1/7/2026, 8:03:41 AM

