LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan
Essential information
- Published
- 03/01/2026 11:05
- Modified
- 05/01/2026 11:39
- Tags
- 2026-01-03 apt backdoor browser data china cloud services cyberespionage group policy japan nosydoor nosydownloader nosyhistorian nosylogger nosystealer reversesocks5 southeast asia
- Related entities
- 10 observables, 1 intrusion sets (apt), 6 malware, 4 others
Description
ESET researchers have uncovered a new China-aligned APT group named LongNosedGoblin targeting governmental entities in Southeast Asia and Japan for cyberespionage. The group employs a varied custom toolset of C#/.NET applications and abuses Group Policy for lateral movement. Key tools include NosyHistorian for collecting browser history, NosyDoor backdoor using cloud services as C&C, and NosyStealer for exfiltrating browser data. The attackers also utilize techniques like AppDomainManager injection and AMSI bypassing. LongNosedGoblin has been active since at least September 2023, showing ongoing campaigns throughout 2024 and 2025. The research provides detailed analysis of the group's malware and tactics, including potential sharing of the NosyDoor backdoor among multiple China-aligned actors.