New Threat Actor: LongNosedGoblin

LongNosedGoblin is a newly documented Advanced Persistent Threat (APT) group aligned with Chinese state interests. First detailed by ESET research in December 2025, the group has been active since at least September 2023, with a significant surge in operations observed in late 2025.

The group distinguishes itself not through novel zero-days, but through the clever abuse of legitimate administrative infrastructure—specifically Windows Group Policy—to deploy malware at scale across compromised networks.

Victimology

The group’s targeting is highly specific and aligns with geopolitical espionage objectives.

  • Primary Region: Southeast Asia and Japan.
  • Primary Sector: Government institutions.
  • Objective: Cyberespionage and long-term surveillance.

Tactics, Techniques, and Procedures (TTPs)

1. Lateral Movement: Group Policy Abuse

The defining characteristic of LongNosedGoblin is its reliance on Group Policy Objects (GPOs) for lateral movement.

  • Mechanism: Once initial administrative access is gained (or via compromised credentials), the group creates malicious GPOs to push malware payloads to networked machines.
  • Camouflage: Malicious binaries are often disguised as benign configuration files. For example, the NosyHistorian tool was deployed under the filename History.ini to blend in with legitimate Group Policy cache files, despite actually being a portable executable (PE).

2. Reconnaissance-First Approach (The “Sniffing” Phase)

Unlike “smash-and-grab” operations, LongNosedGoblin employs a quiet, two-stage infection logic:

  1. Mass Deployment: They deploy a lightweight tool called NosyHistorian to a wide range of machines via Group Policy.
  2. Triage: This tool harvests browser history from Chrome, Edge, and Firefox. The operators analyze this data to identify high-value targets (e.g., users accessing classified portals).
  3. Selective Compromise: Only the “interesting” targets are then infected with the full-featured backdoor (NosyDoor), minimizing the noise and risk of detection.

3. Command and Control (C2): Cloud Abuse

The group heavily utilizes “Dead Drop Resolvers” and legitimate cloud services to mask their C2 traffic.

  • Platforms Used: Microsoft OneDrive, Google Drive, and Yandex Disk.
  • Method: The malware uploads stolen data to, and retrieves commands from, specific cloud storage accounts, making the traffic indistinguishable from legitimate enterprise network activity.

Malware Arsenal

LongNosedGoblin utilizes a custom modular toolkit, primarily written in C#/.NET:

  • NosyHistorian: A reconnaissance tool that extracts and exfiltrates browser history.
  • NosyDoor: The group’s primary backdoor. It features:
    • AppDomainManager Injection: A “Living off the Land” technique used to execute malicious code within the context of a legitimate .NET application.
    • AMSI Bypass: Capabilities to disable the Antimalware Scan Interface.
    • Functionality: File exfiltration, shell command execution, and file deletion.
  • NosyStealer: A dedicated module for stealing credentials and cookies from Chromium-based browsers.
  • NosyLogger: A keylogger believed to be a modified version of the open-source tool DuckSharp.
  • Cobalt Strike: The group has been observed deploying oci.dll loaders to execute Cobalt Strike beacons for advanced post-exploitation.

Indicators of Compromise (IOCs)

File Artifacts

  • Filenames: History.ini (Malicious PE dropped via GPO), oci.dll, mscorsvc.dll.
  • Payload Names: ocapi.edb, conf.ini.
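The camouflage described above (a PE dropped as History.ini, payloads named ocapi.edb and conf.ini) can be caught by checking whether a "configuration" file actually carries a PE header. The following is an added defender-side example, not code from ESET or this report; the directory walked and the sample files are constructed for the demonstration, and the extension list is an assumption drawn from the filenames the report lists.

```python
"""Flag .ini/.edb files (e.g. in a GPO cache or SYSVOL share) that are really PE binaries."""
import os
import struct
import tempfile
from pathlib import Path
from typing import List

# Assumption: extensions the report says payloads were hidden under (History.ini, conf.ini, ocapi.edb).
SUSPECT_EXTENSIONS = {".ini", ".edb"}


def is_pe_file(path: Path) -> bool:
    """True if the file has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    try:
        with path.open("rb") as fh:
            dos_header = fh.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            # e_lfanew at offset 0x3C holds the file offset of the NT header signature.
            e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def find_masqueraded_pes(root: Path) -> List[Path]:
    """Walk a tree and return files with a config-like extension that are actually PE images."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in SUSPECT_EXTENSIONS and is_pe_file(p):
                hits.append(p)
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample: a benign INI next to a minimal PE header disguised as History.ini."""
    root = Path(tempfile.mkdtemp())
    (root / "conf.ini").write_bytes(b"[Settings]\nEnabled=1\n")
    fake_pe = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)          # e_lfanew -> offset 64
    fake_pe += b"PE\x00\x00" + b"\x00" * 20              # NT signature follows
    (root / "History.ini").write_bytes(bytes(fake_pe))
    return root


if __name__ == "__main__":
    for hit in find_masqueraded_pes(build_sample_tree()):
        print(f"PE disguised as config file: {hit}")
```

On a real estate, point find_masqueraded_pes at the Group Policy cache and SYSVOL paths rather than the constructed tree.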

Network Indicators

  • Traffic: Unexpected high-volume traffic to personal cloud storage APIs (OneDrive/Google Drive) from server subnets.
  • Lateral Movement: SMB traffic originating from Domain Controllers pushing executable files to endpoints (consistent with GPO software installation tasks).

Behavioral Indicators

  • Process Execution: svchost.exe or legitimate .NET applications spawning unexpected child processes (due to AppDomainManager injection).
  • Registry: Modifications to HKLM\SOFTWARE\Microsoft\.NETFramework to facilitate the AppDomainManager hijacking.