
Chinese APT ‘LongNosedGoblin’ Targeting Asian Governments

The hacking group has been using Group Policy to deploy cyberespionage tools on governmental networks.


A newly identified advanced persistent threat (APT) actor operating out of China has been targeting government entities across Southeast Asia and Japan, ESET reports.

Active since at least September 2023, the hacking group is tracked as LongNosedGoblin and stands out for its use of Group Policy to deploy malware and move laterally within compromised networks.

One of the main tools in LongNosedGoblin’s arsenal is a C#/.NET application dubbed NosyHistorian, which allows the attackers to collect browser history from their victims.

Should the target prove of interest, the APT then deploys the NosyDoor backdoor, which was seen using Microsoft OneDrive for command-and-control (C&C).

During its execution chain, the backdoor relies on AppDomainManager injection, a living-off-the-land technique that points a legitimate .NET executable at an attacker-supplied assembly (through the executable's configuration file or the runtime's environment variables) so that the assembly is loaded when the program starts. Other LongNosedGoblin tools can bypass the Antimalware Scan Interface (AMSI).
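As an added hunt for the AppDomainManager staging described above (example code written for this page, not ESET's or the article's), the PowerShell below looks for the two places a .NET host reads its AppDomainManager from: the `appDomainManagerAssembly`/`appDomainManagerType` elements in an `<exe>.config` beside an executable, and the `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` environment variables. The search roots and the decision to report only on those two signals are assumptions; tune them for the estate.

```powershell
# Added example, not code from ESET or from the article: hunt for AppDomainManager
# injection staging on a Windows host. A .NET host process takes its AppDomainManager
# from the <appDomainManagerAssembly>/<appDomainManagerType> elements of its
# <exe>.config or from the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment
# variables, so both are inspected. $SearchRoots is an assumed starting set.
param(
    [string[]]$SearchRoots = @($env:ProgramData, $env:USERPROFILE, $env:TEMP, $env:ProgramFiles)
)

function Find-AppDomainManagerConfig {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.exe.config' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cfgFile = $_
            try { [xml]$cfg = Get-Content -LiteralPath $cfgFile.FullName -Raw -ErrorAction Stop } catch { return }
            $runtime = $cfg.configuration.runtime
            if (-not $runtime) { return }
            $asm  = $runtime.appDomainManagerAssembly.value
            $type = $runtime.appDomainManagerType.value
            if (-not ($asm -or $type)) { return }

            # The loader resolves the assembly's simple name (text before the first comma);
            # a same-named DLL dropped beside the EXE is the usual staging layout.
            $simpleName = ("$asm" -split ',')[0].Trim()
            $exeDir = Split-Path -Parent $cfgFile.FullName
            $dll = if ($simpleName) { Join-Path $exeDir "$simpleName.dll" } else { $null }
            $dllPresent = $dll -and (Test-Path -LiteralPath $dll)
            [pscustomobject]@{
                ConfigPath     = $cfgFile.FullName
                HostExe        = $cfgFile.FullName -replace '\.config$', ''
                ManagerAsm     = $asm
                ManagerType    = $type
                SideBySideDll  = if ($dllPresent) { $dll } else { $null }
                DllSignature   = if ($dllPresent) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { $null }
                ConfigModified = $cfgFile.LastWriteTime
            }
        }
    }
}

function Find-AppDomainManagerEnv {
    # Machine/User values survive reboots and affect every .NET process the affected
    # account starts; Process scope catches the current session only.
    foreach ($scope in 'Machine', 'User', 'Process') {
        $asm  = [Environment]::GetEnvironmentVariable('APPDOMAIN_MANAGER_ASM', $scope)
        $type = [Environment]::GetEnvironmentVariable('APPDOMAIN_MANAGER_TYPE', $scope)
        if ($asm -or $type) {
            [pscustomobject]@{ Scope = $scope; ManagerAsm = $asm; ManagerType = $type }
        }
    }
}

Find-AppDomainManagerConfig -Roots $SearchRoots | Format-List
Find-AppDomainManagerEnv | Format-Table -AutoSize
```

Treat hits as leads rather than verdicts: a few legitimate products do set an AppDomainManager, so weight a result by whether the side-by-side DLL is unsigned (`DllSignature` of `NotSigned`) while the host EXE is signed, and by a `ConfigModified` time that does not match the host's install date. Because the `.config` is a separate file, dropping or editing it does not invalidate the Authenticode signature on the executable, which is exactly why the technique is attractive to an attacker.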

The threat actor’s toolset also includes NosyStealer, for browser data exfiltration, NosyDownloader, to fetch payloads and execute them in memory, the NosyLogger keylogger, a reverse SOCKS5 proxy, and an argument runner for application execution.


In a fresh wave of attacks observed since September 2025, the hacking group was seen using Group Policy to deliver NosyHistorian and a potential Cobalt Strike loader.
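To give defenders a starting point for the Group Policy delivery described above and in the opening paragraphs, the following PowerShell triage (an added example, not ESET's or the article's code) lists Group Policy Objects modified within a lookback window whose XML report contains client-side extensions capable of dropping or executing files on clients. It assumes a domain-joined host with the RSAT `GroupPolicy` module; the lookback window and the extension list are assumptions to tune.

```powershell
# Added example, not code from ESET or from the article: triage Group Policy Objects
# for recently changed settings that push or run files on clients. Run on a
# domain-joined admin host with the RSAT GroupPolicy module. $LookbackDays and the
# extension list are assumptions to tune for the estate.
param([int]$LookbackDays = 30)

Import-Module GroupPolicy -ErrorAction Stop

# Client-side extensions that can deliver and execute a payload: preferences for
# scheduled/immediate tasks, files, services and registry, plus startup/logon scripts.
$payloadExtensions = @('ScheduledTasks', 'Files', 'Services', 'Registry', 'Scripts')
$xsi = 'http://www.w3.org/2001/XMLSchema-instance'

function Get-RecentlyChangedGpoPayloads {
    param([int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    Get-GPO -All | Where-Object { $_.ModificationTime -ge $since } | ForEach-Object {
        $gpo = $_
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # Each <Extension> carries xsi:type="qN:ScheduledTasks" and so on; keep the local
        # name so the check does not depend on the report's namespace prefixes.
        $extensions = $report.GetElementsByTagName('Extension') | ForEach-Object {
            $t = $_.GetAttribute('type', $xsi)
            if (-not $t) { $t = $_.GetAttribute('type') }
            ($t -split ':')[-1]
        } | Sort-Object -Unique
        $hits = @($extensions | Where-Object { $payloadExtensions -contains $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Name       = $gpo.DisplayName
                Id         = $gpo.Id
                Modified   = $gpo.ModificationTime
                Owner      = $gpo.Owner
                LinkedTo   = (@($report.GPO.LinksTo) | ForEach-Object { $_.SOMPath }) -join '; '
                Extensions = $hits -join ', '
            }
        }
    }
}

Get-RecentlyChangedGpoPayloads -Days $LookbackDays | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Every row is a change to reconcile against the change record: an unexpected GPO, one linked at the domain root or to an OU full of servers, or a task/script extension that appeared in a GPO that previously only set registry values is what a Group Policy-based deployment looks like from the directory side. The files a task or script points at live under the GPO's folder in SYSVOL, so their timestamps and contents are the natural next pivot.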

According to ESET, the APT relies on NosyHistorian to gather Chrome, Firefox, and Edge browsing data from compromised machines and decide whether additional payloads are worth deploying.

Only a small subset of victims received the NosyDoor backdoor, which collects metadata about the infected system, including the machine name, username, OS version, and the current process.

Based on commands received from the C&C, the malware can download and upload files, delete files, execute shell commands, list directories, and load .NET assemblies.

LongNosedGoblin was seen using NosyStealer to exfiltrate Chrome and Edge data to Google Drive, and likely used NosyDownloader to deploy NosyLogger, the open source reverse SOCKS5 proxy ReverseSocks5, and an argument runner.

LongNosedGoblin, ESET notes, is focused on cyberespionage. The group’s targeting overlaps with ToddyCat, while its tooling resembles that of Erudite Mogwai.

ESET notes definite differences in TTPs between LongNosedGoblin and Erudite Mogwai, but it also discovered a NosyDoor variant that is likely used by multiple China-aligned threat actors.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
