Full Report
A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. The end goal of these attacks is cyber espionage, Slovak cybersecurity company ESET said in a report published today. The threat activity cluster has been assessed to be active since at least September 2023.
Analysis Summary
# Threat Actor: LongNosedGoblin
## Attribution & Identity
* **Identification:** Previously undocumented China-aligned threat cluster.
* **Known Aliases:** LongNosedGoblin.
* **Associated Groups:** Shares tenuous overlaps with clusters tracked as ToddyCat and Erudite Mogwai, but no definitive link has been established. A NosyDoor variant shows similarities with LuckyStrike Agent, suggesting the malware is shared with other China-aligned groups.
## Activity Summary
* **Initial Discovery:** ESET first detected activity in February 2024 on a system belonging to a governmental entity in Southeast Asia.
* **Activity Period:** Assessed to be active since at least September 2023.
* **Campaign Focus:** Targeted cyber espionage operations against governmental entities in Southeast Asia and Japan.
* **Initial Access:** Exact initial access methods are currently unknown.
* **Progression:** Malware was pushed across compromised networks via Group Policy. Between January and March 2024 the initial payload was typically `NosyHistorian`; a subset of those machines later received the more targeted backdoor `NosyDoor`.
* **Variants:** A variant of `NosyDoor` was identified targeting an organization in an E.U. country, utilizing Yandex Disk for C&C.
## Tactics, Techniques & Procedures
* **Initial Deployment:** Uses Windows **Group Policy** mechanism to deploy malware across the network.
* **Malware Delivery:** Employed **AppDomainManager injection** in the dropper used for the backdoor.
* **Execution Guardrails:** Some droppers contained execution guardrails limiting operation to specific victim machines.
* **C2 Infrastructure:** Utilizes cloud services like **Microsoft OneDrive** and **Google Drive** as Command and Control (C&C) servers. Also observed using **Yandex Disk** for a specific variant.
* **Custom Toolset:** Primarily consists of C#/.NET applications.
* **Tunnelling/Lateral Movement:** A reverse **SOCKS5 proxy** utility routes operator traffic into the compromised network.
* **Espionage Tools:** A utility that runs a **video recorder** to capture audio and video from the compromised host.
* **Loaders:** Use of a **Cobalt Strike loader**.
### Specific Custom Toolset:
* **NosyHistorian:** Collects browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox.
* **NosyDoor (Backdoor):** Uses Microsoft OneDrive for C&C; executes commands for file exfiltration, file deletion, and shell command execution.
* **NosyStealer:** Exfiltrates browser data from Chrome and Edge to Google Drive in an encrypted TAR archive.
* **NosyDownloader:** Downloads and runs a payload (like `NosyLogger`) in memory.
* **NosyLogger:** A modified version of **DuckSharp** used for keystroke logging.
## Targeting
* **Sectors:** Governmental entities.
* **Geography:** Southeast Asia and Japan. An additional variant targeted an organization in an E.U. country.
* **Victims:** Governmental entities; specifically detected on a system of a governmental entity in Southeast Asia.
## Tools & Infrastructure
* **Malware Families:** NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, NosyLogger (modified DuckSharp). Cobalt Strike loader, Reverse SOCKS5 proxy utility.
* **Infrastructure (C2):** Microsoft OneDrive, Google Drive, Yandex Disk.
## Implications
* The actor relies on a built-in IT management mechanism (Group Policy) for mass malware deployment, so the rollout blends with routine administration and is harder to spot inside the enterprise.
* Using commodity cloud services (OneDrive, Google Drive, Yandex Disk) for C&C hides command traffic inside HTTPS to services most organizations already allow, so network-level blocking on destination alone is ineffective.
* The similarities between NosyDoor (or its variants) and LuckyStrike Agent suggest the malware is shared or sold, pointing to a common tooling ecosystem used by several China-aligned groups.
* The activity is focused on high-value cyber espionage against government organizations.
## Mitigations
* Monitor for and scrutinize unusual modifications to **Windows Group Policy Objects (GPOs)**: Security events 5136/5137 on `groupPolicyContainer` objects (in particular changes to the client-side extension list), new startup scripts or scheduled-task preferences in SYSVOL, and policies that suddenly link to many machines.
* Hunt for **AppDomainManager injection**: `.exe.config` files whose `<runtime>` section declares `appDomainManagerAssembly`/`appDomainManagerType` next to an otherwise legitimate signed .NET binary, and processes started with the `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` environment variables set.
* Audit cloud service usage (OneDrive, Google Drive, Yandex Disk) for suspicious command/control communications or large encrypted data transfers, especially from hosts with no business reason to reach those services.
* Monitor for unexpected custom C#/.NET executables and for outbound connections that behave like reverse SOCKS5 proxy tunnels.
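The two deployment indicators above (AppDomainManager injection via a `.exe.config`, and Group Policy changes that push a payload to many hosts) are the ones worth scripting first. The following is an added example of such hunting logic, not ESET's tooling or the actor's code. The XML element names (`appDomainManagerAssembly`, `appDomainManagerType`) and the Security event fields (5136/5137, `ObjectClass`, `AttributeLDAPDisplayName`, `gPCMachineExtensionNames`) are real, documented Windows/.NET names; the function names, sample config contents, account names and GPO GUID are invented for illustration.

```python
"""Hunting helpers for two LongNosedGoblin deployment indicators described on
this page: AppDomainManager injection through a .NET application config file,
and Group Policy changes that push a payload to many hosts at once.

Added example, not ESET's tooling or the actor's code. Every input below is
constructed so the script runs offline; assembly names, account names and
GPO GUIDs are invented.
"""
from typing import Optional
import xml.etree.ElementTree as ET

# Elements the CLR honours under <configuration><runtime> to load a custom
# AppDomainManager before the host executable's Main() runs.
APPDOMAIN_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

# GPO attributes whose change means the policy now carries different
# client-side extensions (e.g. the Scripts or Scheduled Tasks CSE was added).
GPO_CSE_ATTRS = ("gPCMachineExtensionNames", "gPCUserExtensionNames")


def appdomainmanager_indicators(config_xml: str) -> Optional[dict]:
    """Return {element: value} for AppDomainManager settings in a .exe.config,
    or None when the file declares none (or is not well-formed XML)."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    found = {}
    for child in runtime:
        tag = child.tag.rsplit("}", 1)[-1]  # tolerate a default XML namespace
        if tag in APPDOMAIN_ELEMENTS:
            found[tag] = child.get("value", "")
    return found or None


def suspicious_gpo_changes(events: list, trusted_admins: set) -> list:
    """Reduce Security events 5136 (object modified) / 5137 (object created)
    to groupPolicyContainer changes worth a look, with the reasons per hit."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (5136, 5137):
            continue
        if ev.get("ObjectClass") != "groupPolicyContainer":
            continue
        reasons = []
        if ev.get("SubjectUserName") not in trusted_admins:
            reasons.append("untrusted_actor")   # GPO edited by a non-GPO admin
        if ev.get("EventID") == 5137:
            reasons.append("new_gpo")           # brand-new policy object
        if ev.get("AttributeLDAPDisplayName") in GPO_CSE_ATTRS:
            reasons.append("cse_list_changed")  # new delivery mechanism
        if reasons:
            hits.append({"ObjectDN": ev.get("ObjectDN"),
                         "SubjectUserName": ev.get("SubjectUserName"),
                         "reasons": reasons})
    return hits


# Constructed samples (all values invented).
CLEAN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

INJECTED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""

GPO_DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    # routine edit by the GPO admin: version bump only, no hit
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "versionNumber", "SubjectUserName": "gpo-admin"},
    # the GPO admin adds a client-side extension: review what was added
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "SubjectUserName": "gpo-admin"},
    # a service account edits a GPO's CSE list: two reasons to look
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "SubjectUserName": "svc-backup"},
    # unrelated directory change, ignored
    {"EventID": 5136, "ObjectClass": "user", "ObjectDN": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "SubjectUserName": "svc-backup"},
]

if __name__ == "__main__":
    print("clean config:", appdomainmanager_indicators(CLEAN_CONFIG))
    print("injected config:", appdomainmanager_indicators(INJECTED_CONFIG))
    for hit in suspicious_gpo_changes(SAMPLE_EVENTS, {"gpo-admin"}):
        print("GPO hit:", hit)
```

In practice `appdomainmanager_indicators` would be fed every `*.exe.config` found beside .NET binaries (an inventory from EDR or a SYSVOL/share crawl), and `suspicious_gpo_changes` would consume 5136/5137 records exported from domain controllers; the `trusted_admins` allow-list is what keeps routine GPO maintenance out of the queue while still surfacing any change to the extension list, which is where a scheduled task or startup script deployment shows up.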