LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan

Jan. 5, 2026, 11:39 a.m.

Description

ESET researchers have uncovered a new China-aligned APT group, named LongNosedGoblin, that targets governmental entities in Southeast Asia and Japan for cyberespionage. The group employs a varied custom toolset of C#/.NET applications and abuses Group Policy for lateral movement. Key tools include NosyHistorian, which collects browser history; NosyDoor, a backdoor that uses cloud services as its C&C channel; and NosyStealer, which exfiltrates browser data. The attackers also use techniques such as AppDomainManager injection and AMSI bypassing. LongNosedGoblin has been active since at least September 2023, with ongoing campaigns throughout 2024 and 2025. The research provides a detailed analysis of the group's malware and tactics, including the possibility that the NosyDoor backdoor is shared among multiple China-aligned actors.

Date

  • Created: Jan. 3, 2026, 11:05 a.m.
  • Published: Jan. 3, 2026, 11:05 a.m.
  • Modified: Jan. 5, 2026, 11:39 a.m.

Indicators

  • d53fcc01038e20193fbd51b7400075cf7c9c4402b73da7b0db836b000ebd8b1c
  • 38.54.17.131
  • 101.99.88.188
  • 118.107.234.29
  • 118.107.234.26
  • 101.99.88.113
  • www.sslvpnserver.com
  • www.privacypolicy-my.com
  • www.blazenewso.com
  • www.threadstub.com

Attack Patterns

  • NosyDownloader
  • ReverseSocks5
  • NosyDoor
  • NosyStealer
  • NosyHistorian
  • NosyLogger
  • LongNosedGoblin

Additional Information

  • Government and administrations
  • dev0-411506.iam.gserviceaccount.com
  • 40dev0-411506.iam.gserviceaccount.com
  • Japan