Friday, December 19, 2025


China-aligned hackers exploit Windows Group Policy in regional espionage campaign

Cybersecurity researchers have uncovered a previously unknown China-aligned threat group behind a series of cyber espionage attacks across Asia.

A new threat cluster named LongNosedGoblin has been linked to targeted attacks on government organizations in Southeast Asia and Japan. According to a report released by a cybersecurity firm, the group has been active since at least September 2023, with the primary objective of cyber espionage.

“The end goal of these attacks is cyber espionage,” the report stated.

Researchers revealed that the group uses Windows Group Policy to distribute malware across compromised networks. It also relies on cloud platforms such as Microsoft OneDrive and Google Drive to act as command and control servers.

“LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&C) servers,” researchers Anton Cherepanov and Peter Strýček said.

Group Policy is a Windows feature used by organizations to manage system settings and permissions across multiple machines. In these attacks, it was abused to spread malware at scale within targeted environments.
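The report describes Group Policy being used as the distribution channel. From a defender's side, the two things worth watching for are changes to Group Policy Objects made by accounts that do not normally edit them, and processes on endpoints that are started by the Group Policy script runner or executed straight out of the SYSVOL share. The example below is added here and is not code from the article or the researchers. It runs a small detection pass over constructed Windows Security log records: Event ID 5136 (directory object modified) for GPO container changes and Event ID 4688 (process creation) for endpoint activity. The event IDs, the `groupPolicyContainer` object class, the `gPCMachineExtensionNames` attribute, `gpscript.exe` and the SYSVOL path layout are real Windows conventions; the hosts, account names, GPO GUID, file names and the `GPO_ADMINS` allow-list are assumptions made for the example.

```python
"""
Added example (not from the article or the researchers): flag Group Policy
abuse patterns in constructed Windows Security log records.

Rules:
  - gpo-modified-by-unexpected-account: Event ID 5136 on a
    groupPolicyContainer object by an account outside the GPO admin list.
  - process-launched-by-gp-script: Event ID 4688 whose parent process is
    gpscript.exe, the Group Policy script runner.
  - executable-run-from-sysvol: Event ID 4688 whose image lives in SYSVOL.
"""
from dataclasses import dataclass

# Placeholder GPO GUID used throughout the constructed sample (not a real GPO).
SAMPLE_GPO_GUID = "{00000000-1111-2222-3333-444444444444}"

# Accounts expected to edit GPOs in this (assumed) environment.
GPO_ADMINS = {"CORP\\gpo-admin"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


# Constructed sample records mimicking fields a SIEM forwarder would export
# from Windows Security logs. Not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "ws-0412",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"event_id": 5136, "host": "dc-01",
     "object_class": "groupPolicyContainer",
     "object_dn": f"CN={SAMPLE_GPO_GUID},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "gPCMachineExtensionNames",
     "subject": "CORP\\svc-backup"},
    {"event_id": 4688, "host": "ws-0412",
     "image": rf"\\corp.example\SYSVOL\corp.example\Policies\{SAMPLE_GPO_GUID}\Machine\Scripts\Startup\update.exe",
     "parent": r"C:\Windows\System32\gpscript.exe"},
    {"event_id": 4688, "host": "ws-0099",
     "image": r"C:\Users\alice\AppData\Local\Temp\hist.exe",
     "parent": r"C:\Windows\System32\gpscript.exe"},
    {"event_id": 4688, "host": "ws-0100",
     "image": r"C:\Program Files\Vendor\agent.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def detect(events, gpo_admins=GPO_ADMINS):
    """Return a list of Finding objects for records matching the rules above."""
    findings = []
    for e in events:
        eid = e.get("event_id")
        if eid == 5136 and e.get("object_class") == "groupPolicyContainer":
            who = e.get("subject", "?")
            if who not in gpo_admins:
                findings.append(Finding(
                    "gpo-modified-by-unexpected-account", e["host"],
                    f"{who} changed {e.get('attribute')} on {e.get('object_dn')}"))
        elif eid == 4688:
            image = e.get("image", "").lower()
            parent = e.get("parent", "").lower()
            # Parent check first: it is the more specific signal, and a
            # SYSVOL-hosted script started by gpscript.exe matches both.
            if parent.endswith("\\gpscript.exe"):
                findings.append(Finding("process-launched-by-gp-script", e["host"], e["image"]))
            elif "\\sysvol\\" in image:
                findings.append(Finding("executable-run-from-sysvol", e["host"], e["image"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the constructed sample this yields three findings: the GPO change by `svc-backup` on the domain controller, and two endpoint processes started by `gpscript.exe`. Legitimate startup scripts also run under `gpscript.exe`, so in practice the process rules are baselined against the scripts an organisation actually deploys; the GPO-modification rule is the lower-noise signal because GPO edits are rare and should come from a known set of accounts.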

The attackers deployed a custom set of tools built mainly using C# and .NET. These include NosyHistorian to collect browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox. NosyDoor acted as a backdoor using Microsoft OneDrive for command and control, allowing file theft, deletion, and shell command execution. NosyStealer was used to steal browser data and upload it to Google Drive as encrypted TAR files. NosyDownloader enabled in-memory payload execution of tools such as NosyLogger, a modified version of DuckSharp used for keystroke logging.

The activity was first detected in February 2024 on a system belonging to a government entity in Southeast Asia. Investigators later found that Group Policy was used to spread malware across multiple systems within the same organization. The initial access method remains unknown.

Analysis showed that while many victims were infected with NosyHistorian between January 2024 and March 2024, only select targets received the NosyDoor backdoor. Some samples included execution guardrails to restrict use to specific machines.

Additional tools included a reverse SOCKS5 proxy, a video and audio recording utility, and a Cobalt Strike loader.

Researchers observed overlaps with other China-aligned clusters but found no confirmed links. “We later identified another instance of a NosyDoor variant targeting an organization in an E.U. country,” the researchers noted. “The use of this NosyDoor variant suggests that the malware may be shared among multiple China-aligned threat groups.”
