Attempts to sniff out governmental affairs in Southeast Asia and Japan
Dec. 21, 2025, 11:07 p.m.
Description
A newly discovered China-aligned APT group named LongNosedGoblin has been targeting governmental entities in Southeast Asia and Japan for cyberespionage purposes. The group employs a varied custom toolset consisting mainly of C#/.NET applications and notably uses Group Policy to deploy malware and move laterally across compromised networks. Its main tools include NosyHistorian, which collects browser history; the NosyDoor backdoor, which uses cloud services as C&C; and NosyStealer, which exfiltrates browser data. The group has been active since at least September 2023 and uses techniques such as AMSI bypassing and living-off-the-land tactics. LongNosedGoblin's campaigns involve multiple stages of execution and various malware components, showing a sophisticated approach to cyberespionage operations.
Tags
Date
- Created: Dec. 19, 2025, 4:22 p.m.
- Published: Dec. 19, 2025, 4:22 p.m.
- Modified: Dec. 21, 2025, 11:07 p.m.
Indicators
- d53fcc01038e20193fbd51b7400075cf7c9c4402b73da7b0db836b000ebd8b1c
- 38.54.17.131
- 101.99.88.188
- 118.107.234.29
- 118.107.234.26
- 101.99.88.113
Additional Information
- Government
- newso.com
- dev0-411506.iam.gserviceaccount.com
- policy-my.com
- 40dev0-411506.iam.gserviceaccount.com
- Japan