Slovak cybersecurity firm ESET has identified LongNosedGoblin, a China-aligned threat actor, as responsible for cyberespionage attacks targeting government entities in Southeast Asia, Japan, and an EU organization. Active since at least September 2023, these attackers use Group Policy to spread malware and leverage cloud services like Microsoft OneDrive, Google Drive, and Yandex Disk for command-and-control operations.
Custom Toolset and Methods
LongNosedGoblin employs a sophisticated custom C#/.NET toolset, including NosyHistorian for browser-history collection and NosyDoor, a backdoor. Both rely on cloud services for file exfiltration and command execution. Other tools include NosyStealer, which exfiltrates browser data to Google Drive; NosyDownloader, which delivers payloads in memory; and NosyLogger, a keylogger.
- NosyHistorian collected browser histories from many victims between January and March 2024.
- NosyDoor was used on a subset of targeted systems during the same period.
- Initial activity detected by ESET in February 2024 on a Southeast Asian government system.
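Cloud-storage services used for command-and-control blend in with legitimate traffic, so one practical defensive check is to look for hosts that contact a storage API at near-regular intervals from a non-browser client. The script below is an added example, not ESET's code or anything from the report: it assumes a constructed, space-separated proxy-log format and a hand-picked set of cloud-storage API hosts (graph.microsoft.com and onedrive.live.com for OneDrive, www.googleapis.com for Google Drive, cloud-api.yandex.net for Yandex Disk); both the format and the host list are assumptions to adapt to your own environment.

```python
"""Flag regular 'beaconing' to cloud-storage APIs in proxy logs.

Added example for this write-up; it is not ESET's code or tooling.
Assumptions: a simple space-separated proxy-log format constructed
for the demo, and a hand-picked list of cloud-storage API hosts.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed API hosts behind the services named in the report; tune for your estate.
CLOUD_STORAGE_HOSTS = {
    "graph.microsoft.com",    # OneDrive via Microsoft Graph
    "onedrive.live.com",
    "www.googleapis.com",     # Google Drive REST API
    "cloud-api.yandex.net",   # Yandex Disk REST API
}

# Substrings that indicate an ordinary browser user agent.
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Edg/")

# Constructed sample log (not real traffic). Fields, space-separated:
# <ISO timestamp> <source host> <destination host> <user-agent token> <bytes>
SAMPLE_LOG = """\
2024-02-12T09:00:00 WS-FIN-07 graph.microsoft.com Mozilla/5.0 48211
2024-02-12T09:00:05 WS-FIN-07 graph.microsoft.com Mozilla/5.0 1044
2024-02-12T09:01:00 WS-HR-03 cloud-api.yandex.net python-requests/2.31 512
2024-02-12T09:02:00 WS-HR-03 cloud-api.yandex.net python-requests/2.31 520
2024-02-12T09:03:01 WS-HR-03 cloud-api.yandex.net python-requests/2.31 498
2024-02-12T09:04:00 WS-HR-03 cloud-api.yandex.net python-requests/2.31 530
2024-02-12T09:04:30 WS-FIN-07 www.googleapis.com Mozilla/5.0 88312
2024-02-12T09:05:00 WS-HR-03 cloud-api.yandex.net python-requests/2.31 505
2024-02-12T09:11:00 SRV-DC-01 graph.microsoft.com Mozilla/5.0 700
"""


def parse_log(text):
    """Parse the assumed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, ua, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "ua": ua, "bytes": int(nbytes),
        })
    return records


def find_beacons(records, min_hits=4, max_jitter=0.25):
    """Return (source, cloud host) pairs whose requests arrive at near-regular
    intervals. Regularity is the coefficient of variation (stdev / mean) of the
    gaps between consecutive requests; a low value means a steady cadence, which
    is typical of an implant polling for tasks rather than a person browsing."""
    by_pair = defaultdict(list)
    for r in records:
        if r["dst"] in CLOUD_STORAGE_HOSTS:
            by_pair[(r["src"], r["dst"])].append(r)

    findings = []
    for (src, dst), hits in by_pair.items():
        if len(hits) < min_hits:
            continue  # too few requests to judge cadence
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter:
            continue
        non_browser = not any(m in hits[0]["ua"] for m in BROWSER_UA_MARKERS)
        findings.append({
            "src": src, "dst": dst, "hits": len(hits),
            "avg_gap_s": round(avg, 1), "jitter": round(jitter, 3),
            "non_browser_ua": non_browser, "ua": hits[0]["ua"],
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f)
```

On the sample data only WS-HR-03 is reported: five requests to the Yandex Disk API roughly sixty seconds apart from a non-browser client. WS-FIN-07 touches OneDrive and Google Drive too, but with two requests and a browser user agent, which is what an interactive user looks like. A legitimate sync client also polls on a schedule with a non-browser user agent, so treat a hit as a triage lead to be checked against the process, the installed software and the volume transferred, not as a verdict.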
Tradecraft and Overlaps
ESET notes overlap in tradecraft with other known groups, suggesting that malware may be shared or sold among China-aligned actors. The group also uses a reverse SOCKS5 proxy, an audio/video capture tool, and a Cobalt Strike loader, demonstrating a complex and layered approach to cyber espionage.
This ongoing activity highlights the persistent threat cyber attackers pose to governmental infrastructure globally.