
Chinese APT ‘LongNosedGoblin’ Targeting Asian Governments


A newly identified advanced persistent threat (APT) actor operating out of China has been targeting government entities across Southeast Asia and Japan, ESET reports.

Active since at least September 2023, the hacking group is tracked as LongNosedGoblin, and stands out for the use of Group Policy to deploy malware and move laterally within the compromised networks.

One of the main tools in LongNosedGoblin’s arsenal is a C#/.NET application dubbed NosyHistorian, which allows the attackers to collect browser history from their victims.

Should the target prove of interest, the APT then deploys the NosyDoor backdoor, which was seen using Microsoft OneDrive for command-and-control (C&C).

The backdoor uses a living-off-the-land technique called AppDomainManager injection during its execution chain, while other LongNosedGoblin tools can bypass the Antimalware Scan Interface (AMSI).
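AppDomainManager injection works by pointing a .NET executable's `.exe.config` (or the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables) at an attacker-supplied assembly that the CLR instantiates before the application's `Main()` runs, so the payload executes under the name of a legitimate, often signed, binary. The following hunt script is an added example written for this page; it is not ESET's tooling and not code from the actor's toolset. It scans a directory tree for `.exe.config` files carrying those keys and checks whether the host executable and the named manager DLL sit beside them. The sample configs, the file names (`svc.exe`, `Updater.dll`) and the assembly name `Updater` are constructed for the demonstration.

```python
"""Hunt for AppDomainManager injection indicators in .NET app config files.

Added example, not code from the original article. Sample configs and
file names below are constructed; nothing here refers to a real binary.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# <runtime> children that make the CLR load a custom AppDomainManager
# before the application's own entry point executes.
INDICATOR_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

# Environment-variable route to the same behaviour.
ENV_INDICATORS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Constructed benign config: only pins the runtime version.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>
</configuration>
"""

# Constructed injected config: names a manager assembly/type to load.
INJECTED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Manager" />
  </runtime>
</configuration>
"""


def _local(tag):
    """Strip an XML namespace prefix, e.g. '{urn:x}foo' -> 'foo'."""
    return tag.rsplit("}", 1)[-1]


def inspect_config_text(xml_text):
    """Return {element: value} for injection indicators found, {} if clean."""
    findings = {}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        findings["parse_error"] = True  # unparseable config is itself worth a look
        return findings
    for elem in root.iter():
        name = _local(elem.tag)
        if name in INDICATOR_ELEMENTS:
            findings[name] = elem.get("value", "")
    return findings


def assembly_simple_name(display_name):
    """'Updater, Version=1.0.0.0, ...' -> 'Updater' (the DLL base name)."""
    return display_name.split(",", 1)[0].strip()


def scan_directory(base_dir):
    """Walk base_dir; return [(config_path, findings)] for flagged configs."""
    results = []
    for dirpath, _dirs, files in os.walk(base_dir):
        for fn in files:
            if not fn.lower().endswith(".exe.config"):
                continue
            cfg_path = os.path.join(dirpath, fn)
            with open(cfg_path, encoding="utf-8-sig") as fh:  # tolerate a BOM
                findings = inspect_config_text(fh.read())
            if not findings:
                continue
            # The config only matters if a host .exe sits next to it.
            findings["host_exe_present"] = os.path.exists(cfg_path[: -len(".config")])
            asm = findings.get("appDomainManagerAssembly")
            if asm:
                dll = os.path.join(dirpath, assembly_simple_name(asm) + ".dll")
                findings["manager_dll_present"] = os.path.exists(dll)
            results.append((cfg_path, findings))
    return results


def inspect_environment(env):
    """Return any AppDomainManager environment overrides present in env."""
    return {k: env[k] for k in ENV_INDICATORS if k in env}


def build_sample_tree(base_dir=None):
    """Write the constructed fixture: one clean app, one injected app."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="adm_hunt_")
    good, bad = os.path.join(base_dir, "good"), os.path.join(base_dir, "bad")
    os.makedirs(good, exist_ok=True)
    os.makedirs(bad, exist_ok=True)
    open(os.path.join(good, "app.exe"), "wb").close()
    with open(os.path.join(good, "app.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_CONFIG)
    open(os.path.join(bad, "svc.exe"), "wb").close()
    open(os.path.join(bad, "Updater.dll"), "wb").close()  # placeholder, not a real DLL
    with open(os.path.join(bad, "svc.exe.config"), "w", encoding="utf-8") as fh:
        fh.write(INJECTED_CONFIG)
    return base_dir


if __name__ == "__main__":
    for path, f in scan_directory(build_sample_tree()):
        print(path, f)
    print(inspect_environment(dict(os.environ)))
```

On a real host, point `scan_directory` at `C:\` (or at the directories Group Policy scripts and scheduled tasks write to) and treat any hit where both the host executable and the manager DLL are present as a priority for triage; a config that names a manager assembly which no longer exists beside it can still be a remnant of an earlier stage. Legitimate software setting `appDomainManagerAssembly` is rare enough that every hit deserves a manual look.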

The threat actor’s toolset also includes NosyStealer, for browser data exfiltration, NosyDownloader, to fetch payloads and execute them in memory ...


Copyright of this story solely belongs to securityweek.