Threat Intelligence | December 19, 2025 | 5 min read

LongNosedGoblin: New China-Aligned APT Abuses Group Policy for Espionage

ESET researchers discover sophisticated threat actor targeting Southeast Asian and Japanese governments using Windows Group Policy for lateral movement.

Alex Kowalski

ESET researchers have uncovered a previously unknown China-aligned advanced persistent threat group conducting cyberespionage operations against government entities across Southeast Asia and Japan. The group, dubbed LongNosedGoblin, distinguishes itself through creative abuse of Windows Group Policy for malware deployment and lateral movement.

TL;DR

  • What happened: New China-linked APT group discovered targeting government networks with custom espionage tools
  • Who's affected: Government organizations in Southeast Asia and Japan; one EU country also targeted
  • Severity: High - sophisticated toolset designed for long-term intelligence collection
  • Action required: Government agencies should audit Group Policy for unauthorized modifications and monitor cloud service C2 channels

What is LongNosedGoblin?

LongNosedGoblin is a newly discovered China-aligned APT group that has been active since at least September 2023. ESET researchers first detected the group while investigating suspicious activity inside a Southeast Asian government network in 2024, where they uncovered previously undocumented malware deployed across multiple machines simultaneously.

The group's defining characteristic is its abuse of Windows Group Policy—the standard mechanism for managing settings and permissions across Windows networks using Active Directory. By compromising AD infrastructure, LongNosedGoblin distributes malicious payloads to networked machines in ways that bypass traditional perimeter defenses.

How LongNosedGoblin Operates

Group Policy Abuse

When investigators analyzed the compromised government network, they found multiple machines infected simultaneously via Group Policy updates. The attackers disguised their malware as legitimate policy files—such as History.ini or Registry.pol—to blend into the Group Policy cache directories.

This technique offers several advantages:

  1. Trusted delivery mechanism - Group Policy updates are expected behavior in enterprise environments
  2. Wide distribution - Single policy can deploy malware across hundreds of machines
  3. Persistence - Policies reapply regularly, ensuring malware survives reboots
  4. Stealth - Policy files in cache directories attract minimal scrutiny
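To make the last point concrete, here is an added Python example (not ESET's tooling and not part of the original report) that walks a Group Policy cache directory and flags the kinds of files the report describes: any file that starts with a DOS/PE header, a Registry.pol whose header is not the "PReg" signature with version 1 that Windows writes, and file names outside an allowlist. The allowlist, the sample directory layout and the GPO GUIDs are constructed assumptions; point `scan_cache` at a copy of a real cache (typically %ProgramData%\Microsoft\Group Policy\History for domain GPOs, or %SystemRoot%\System32\GroupPolicy for the local GPO) to use it.

```python
import struct
import tempfile
from pathlib import Path

# Registry.pol files written by Windows begin with the ASCII signature
# "PReg" followed by a little-endian 32-bit version field equal to 1.
POL_SIGNATURE = b"PReg"
POL_VERSION = 1

# Constructed allowlist of file names expected in a policy cache
# (an assumption for this example; extend it for your environment).
EXPECTED_NAMES = {"registry.pol", "gpt.ini", "comment.cmtx", "fdeploy.ini", "audit.csv"}


def classify_file(path: Path) -> str:
    """Return "ok" or a finding label for one cached policy file."""
    head = path.read_bytes()[:8]
    # A DOS/PE header has no business in a policy cache, whatever the file is called.
    if head[:2] == b"MZ":
        return "pe_executable_in_policy_cache"
    if path.name.lower() == "registry.pol":
        if len(head) < 8 or head[:4] != POL_SIGNATURE:
            return "registry_pol_bad_signature"
        (version,) = struct.unpack("<I", head[4:8])
        if version != POL_VERSION:
            return f"registry_pol_unexpected_version_{version}"
        return "ok"
    if path.name.lower() not in EXPECTED_NAMES:
        return "unexpected_file_name"
    return "ok"


def scan_cache(root: Path) -> dict:
    """Map each suspicious file (path relative to the cache root) to its finding label."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            label = classify_file(p)
            if label != "ok":
                findings[p.relative_to(root).as_posix()] = label
    return findings


GOOD_GPO = "{11111111-1111-1111-1111-111111111111}"  # constructed GPO GUID
BAD_GPO = "{22222222-2222-2222-2222-222222222222}"   # constructed GPO GUID


def build_sample_cache() -> Path:
    """Construct a throwaway cache with one clean GPO and one tampered GPO."""
    root = Path(tempfile.mkdtemp(prefix="gpcache_"))
    good = root / GOOD_GPO / "Machine"
    good.mkdir(parents=True)
    (good / "Registry.pol").write_bytes(
        POL_SIGNATURE + struct.pack("<I", POL_VERSION) + b"\x00" * 16
    )
    (root / GOOD_GPO / "gpt.ini").write_text("[General]\r\nVersion=65538\r\n")
    bad = root / BAD_GPO / "Machine"
    bad.mkdir(parents=True)
    # A PE image renamed to look like a policy file (constructed stub, not real malware).
    (bad / "Registry.pol").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    # A file name the allowlist does not know about.
    (bad / "History.ini").write_text("[Cache]\r\nLastRun=0\r\n")
    return root


if __name__ == "__main__":
    for rel, label in scan_cache(build_sample_cache()).items():
        print(f"{label:32} {rel}")
```

Whether a given name such as History.ini is legitimate in your cache depends on the preferences and client-side extensions in use, so the allowlist is the part to tune; the header checks are independent of environment.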

Cloud-Based Command and Control

LongNosedGoblin uses legitimate cloud services—specifically Microsoft OneDrive and Google Drive—as command and control servers. This approach allows malicious traffic to blend with normal business communications and evade network monitoring focused on suspicious domains.

A variant of the group's primary backdoor was also observed using Yandex Disk as a C2 server, targeting an organization in an EU country.
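Because the C2 hosts are services users legitimately talk to all day, a domain blocklist does not help; what does stand out is a host contacting the same cloud storage endpoint on a near-fixed timer. The following added Python example (not from the report, and not ESET's detection logic) reads constructed proxy log lines, keeps only connections to cloud storage hosts, and reports client/host pairs whose inter-connection intervals have a low coefficient of variation. The hostnames, the log format and the thresholds are assumptions to adjust against your own proxy data.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Cloud storage API hosts for the services named in the report (OneDrive, Google
# Drive, Yandex Disk). Assumed for this example; extend from your own proxy data.
CLOUD_STORAGE_HOSTS = (
    "onedrive.live.com", "graph.microsoft.com",
    "drive.google.com", "www.googleapis.com",
    "cloud-api.yandex.net",
)

# Constructed proxy log format: ISO timestamp, client IP, destination host, bytes sent.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<src>\S+) (?P<host>\S+) (?P<sent>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, host, bytes_sent) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["host"], int(m["sent"])


def find_beacons(lines, min_hits=6, max_cv=0.2):
    """Return (src, host) pairs that contact cloud storage on a near-fixed interval."""
    stamps_by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, host, _ = rec
        if host.endswith(CLOUD_STORAGE_HOSTS):
            stamps_by_pair[(src, host)].append(ts)
    hits = []
    for (src, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Coefficient of variation: near 0 means clockwork timing, humans score far higher.
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "host": host, "count": len(stamps),
                         "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


# Constructed sample: 10.0.0.5 polls OneDrive roughly every five minutes, 10.0.0.7 is a
# person using Google Drive irregularly, 10.0.0.9 hits an intranet host on a timer.
SAMPLE_LOG = [
    "2025-12-01T09:00:00 10.0.0.5 onedrive.live.com 1432",
    "2025-12-01T09:05:02 10.0.0.5 onedrive.live.com 1430",
    "2025-12-01T09:09:58 10.0.0.5 onedrive.live.com 1436",
    "2025-12-01T09:15:01 10.0.0.5 onedrive.live.com 1431",
    "2025-12-01T09:19:59 10.0.0.5 onedrive.live.com 1433",
    "2025-12-01T09:25:00 10.0.0.5 onedrive.live.com 1432",
    "2025-12-01T09:30:03 10.0.0.5 onedrive.live.com 1429",
    "2025-12-01T09:34:57 10.0.0.5 onedrive.live.com 1434",
    "2025-12-01T09:00:00 10.0.0.7 drive.google.com 88120",
    "2025-12-01T09:00:40 10.0.0.7 drive.google.com 2011",
    "2025-12-01T09:12:15 10.0.0.7 drive.google.com 410233",
    "2025-12-01T09:13:00 10.0.0.7 drive.google.com 1980",
    "2025-12-01T09:41:10 10.0.0.7 drive.google.com 73000",
    "2025-12-01T10:05:33 10.0.0.7 drive.google.com 1500",
    "2025-12-01T10:06:02 10.0.0.7 drive.google.com 1502",
    "2025-12-01T09:00:00 10.0.0.9 intranet.example.invalid 300",
    "2025-12-01T09:01:00 10.0.0.9 intranet.example.invalid 300",
    "2025-12-01T09:02:00 10.0.0.9 intranet.example.invalid 300",
    "2025-12-01T09:03:00 10.0.0.9 intranet.example.invalid 300",
    "2025-12-01T09:04:00 10.0.0.9 intranet.example.invalid 300",
    "2025-12-01T09:05:00 10.0.0.9 intranet.example.invalid 300",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On real data the useful refinement is to join on the originating process (from EDR or proxy authentication), since the sanctioned OneDrive and Drive sync clients also poll on timers and will need to be allowlisted by process rather than by host.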

The NosyTools Malware Family

LongNosedGoblin employs a sophisticated toolkit of custom malware, all following a "Nosy" naming convention:

NosyHistorian

An information-gathering module that collects browser history to help operators decide where to deploy additional malware. Functions as initial reconnaissance before deeper compromise.

NosyDoor

The group's primary backdoor, which relies heavily on living-off-the-land techniques and cloud-based command and control infrastructure. Designed for persistent access and data exfiltration.

NosyStealer

Targets browser data stored in Microsoft Edge and Google Chrome, extracting saved credentials, cookies, and browsing data.

NosyDownloader

Handles payload delivery by executing obfuscated commands and loading additional malware directly into memory, avoiding disk-based detection.

NosyLogger

A keylogger built in C# and .NET, assessed as a modified version of the open-source DuckSharp project. Captures keystrokes for credential theft.

Why This Matters

LongNosedGoblin represents the continued evolution of China-aligned espionage capabilities. The group's targeting of government entities in Southeast Asia and Japan aligns with known Chinese intelligence priorities in the region.

The abuse of Group Policy for malware distribution is particularly concerning because:

  • Domain compromise implications - Successful Group Policy abuse requires significant Active Directory access
  • Detection challenges - Distinguishing malicious policy updates from legitimate ones requires deep visibility
  • Scale potential - A single compromised AD environment enables organization-wide malware deployment

Possible Connections to Other Groups

ESET identified similarities between LongNosedGoblin's NosyDoor backdoor and tools used by Erudite Mogwai, a group documented by Russian cybersecurity company Solar in June 2025. However, researchers cannot confirm the two groups are identical because of distinct differences in tactics, techniques, and procedures.

The potential tool sharing suggests either a common developer, shared resources among Chinese APT groups, or independent evolution toward similar solutions.

Recommended Mitigations

  1. Audit Group Policy - Review all Group Policy Objects for unauthorized modifications, particularly new scheduled tasks or startup scripts
  2. Monitor AD changes - Implement alerting on Group Policy modifications, especially those affecting security settings
  3. Cloud service monitoring - Track unusual patterns in OneDrive, Google Drive, and other cloud storage access
  4. Endpoint detection - Deploy EDR solutions capable of detecting living-off-the-land techniques
  5. Browser security - Consider browser isolation or enterprise browser management to protect stored credentials

Frequently Asked Questions

How do I detect Group Policy abuse? Monitor for unexpected GPO modifications, particularly changes to machine startup scripts, scheduled tasks, or software installation policies. Compare current GPOs against known-good baselines and investigate any discrepancies.
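The baseline comparison suggested in this answer, and in mitigations 1 and 2 above, can be scripted. The following added Python example (not from the report and not ESET's code) compares a known-good GPO inventory against a current export and reports new or removed GPOs, version bumps, and newly added startup scripts, scheduled tasks or software installs. The JSON schema, GPO names and script names are constructed assumptions; in practice the inventory would be generated from Get-GPO and Get-GPOReport output on a domain controller.

```python
import json

# Constructed baseline inventory, as it might be exported after a known-good audit.
# The schema (name, version, startup_scripts, scheduled_tasks, software_installs)
# is an assumption for this example, not a Microsoft or ESET format.
BASELINE_JSON = """
{"gpos": [
  {"name": "Default Domain Policy", "version": 12,
   "startup_scripts": [], "scheduled_tasks": [], "software_installs": []},
  {"name": "Workstation Hardening", "version": 7,
   "startup_scripts": ["hardening.ps1"], "scheduled_tasks": [], "software_installs": []},
  {"name": "Legacy Proxy Settings", "version": 3,
   "startup_scripts": [], "scheduled_tasks": [], "software_installs": []}
]}
"""

# Constructed current inventory: one GPO bumped with a new startup script, one new GPO
# carrying a scheduled task, and one GPO missing compared with the baseline.
CURRENT_JSON = """
{"gpos": [
  {"name": "Default Domain Policy", "version": 13,
   "startup_scripts": ["update.bat"], "scheduled_tasks": [], "software_installs": []},
  {"name": "Workstation Hardening", "version": 7,
   "startup_scripts": ["hardening.ps1"], "scheduled_tasks": [], "software_installs": []},
  {"name": "Printer Settings", "version": 1,
   "startup_scripts": [], "scheduled_tasks": ["SyncUpdate"], "software_installs": []}
]}
"""

TRACKED_KEYS = ("startup_scripts", "scheduled_tasks", "software_installs")


def load_inventory(text):
    """Index an inventory document by GPO name."""
    return {g["name"]: g for g in json.loads(text)["gpos"]}


def diff_gpos(baseline, current):
    """Return (gpo_name, finding, detail) tuples for every change worth investigating."""
    findings = []
    for name, gpo in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append((name, "new_gpo", ""))
            base = {}  # list everything the new GPO delivers below
        elif gpo["version"] != base["version"]:
            findings.append((name, "version_changed", f"{base['version']} -> {gpo['version']}"))
        for key in TRACKED_KEYS:
            for item in sorted(set(gpo.get(key, [])) - set(base.get(key, []))):
                findings.append((name, f"{key}_added", item))
    for name in baseline:
        if name not in current:
            findings.append((name, "gpo_removed", ""))
    return findings


def audit(baseline_text=BASELINE_JSON, current_text=CURRENT_JSON):
    return diff_gpos(load_inventory(baseline_text), load_inventory(current_text))


if __name__ == "__main__":
    for name, finding, detail in audit():
        print(f"{finding:24} {name:24} {detail}")
```

Version changes alone are noisy in an actively administered domain; the findings that deserve immediate attention are the added startup scripts, scheduled tasks and software installs, which are exactly the delivery channels the report associates with this group.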

Are commercial organizations at risk? While LongNosedGoblin appears focused on government targets, the techniques are applicable to any Windows domain environment. Organizations with business in targeted regions or government relationships should consider themselves potential targets.

What makes this group different from other Chinese APTs? The systematic abuse of Group Policy for malware distribution is LongNosedGoblin's distinguishing characteristic. While other groups occasionally use this technique, LongNosedGoblin has made it central to their operational methodology.


Sources: ESET WeLiveSecurity, Help Net Security, GlobeNewswire
