Listen to this Post
Introduction: A Trusted Windows Feature Turned Into a Spy Tool
Cyber-espionage campaigns rarely succeed by brute force alone. The most effective operations hide in plain sight, blending into normal enterprise activity until detection becomes exceptionally difficult. A newly identified threat actor, tracked as LongNosedGoblin, demonstrates this strategy with alarming precision. According to ESET researchers, the group has been quietly operating since at least September 2023, targeting government institutions across Southeast Asia and Japan. What sets this campaign apart is its creative abuse of Windows Group Policy, a legitimate administrative feature, as a malware delivery and lateral movement mechanism.
Summary of the Original Findings: How LongNosedGoblin Operates
ESET uncovered the LongNosedGoblin operation in February 2024 after detecting previously unseen malware embedded inside a Southeast Asian government network. The compromise was not the result of common phishing or exploit chains, but rather a calculated abuse of Active Directory Group Policy, allowing attackers to distribute malware across multiple systems with administrative trust already established.
The investigation revealed a collection of custom tools, most of them written in C and .NET, designed for long-term cyber-espionage rather than disruption. The most important implant, named NosyDoor, functions as a backdoor that uses Microsoft OneDrive as its command-and-control infrastructure. By relying on a trusted cloud service, the malware avoids drawing attention from network monitoring tools.
NosyDoor operates through a three-stage execution chain. First, a malicious dropper is disguised as a Registry Policy file. Next, it abuses AppDomainManager injection via the legitimate Windows binary UevAppMonitor.exe, allowing malicious code to run under a trusted process. Finally, an encrypted payload is deployed, enabling persistence and covert communication.
Supporting tools expand the group’s intelligence-gathering capabilities. NosyHistorian collects browser history from Chrome, Edge, and Firefox to identify systems of strategic interest. NosyStealer exfiltrates browser data to Google Drive using official cloud APIs. NosyDownloader, a PowerShell-based loader, runs entirely in memory while bypassing the Antimalware Scan Interface (AMSI). NosyLogger, a C keylogger inspired by open-source projects, records keystrokes and clipboard data, encrypting logs with AES before storage or exfiltration.
ESET observed that LongNosedGoblin demonstrates a high level of operational discipline. Some malware variants include execution guardrails that only activate on pre-selected machines, reducing the risk of exposure. The group heavily relies on living-off-the-land binaries (LOLBins), executing malicious payloads inside legitimate Windows processes to blend seamlessly with normal system activity.
Attribution analysis links LongNosedGoblin to China-aligned threat actors, based on infrastructure overlaps, code similarities, and regional targeting. While some elements resemble known clusters such as ToddyCat, the systematic abuse of Group Policy stands out as a unique hallmark. Throughout 2024, the group continued refining its toolset, introducing additional loaders like oci.dll and mscorsvc.dll, potentially associated with Cobalt Strike beacons delivered through Group Policy mechanisms.
ESET emphasized that this campaign highlights a growing trend: attackers increasingly repurpose cloud services and enterprise management tools for stealthy espionage. The company released indicators of compromise and malware samples publicly to assist defenders worldwide.
What Undercode Say: Why This Campaign Matters More Than It Appears
Group Policy as a Silent Weapon
The abuse of Windows Group Policy is not just a technical curiosity—it represents a strategic shift. Group Policy is inherently trusted inside enterprise environments. Security teams rarely expect it to act as a malware distribution channel, which gives attackers a powerful advantage once domain-level access is achieved.
Cloud Infrastructure as Camouflage
Using OneDrive and Google Drive for command-and-control and data exfiltration reflects a broader trend in state-sponsored espionage. Traffic to these services is usually allowed, logged as normal business activity, and often excluded from deep inspection, making detection far more difficult.
Precision Over Scale
LongNosedGoblin is not a noisy threat actor. The presence of execution guardrails shows that this group values precision targeting over mass compromise. This approach aligns with intelligence-driven espionage rather than financially motivated cybercrime.
Living Off the Land to the Extreme
While LOLBins have been abused for years, embedding payload execution inside legitimate binaries like UevAppMonitor.exe raises the bar. This technique allows malware to inherit trust, evade signature-based detection, and persist without obvious artifacts.
AMSI Bypass Signals Advanced Tradecraft
The use of in-memory PowerShell loaders that bypass AMSI indicates deep familiarity with Windows internals. This is not opportunistic malware development; it is deliberate engineering aimed at long-term stealth.
Browser Intelligence as Target Validation
Tools like NosyHistorian reveal how the group prioritizes intelligence value. By analyzing browser history, attackers can determine which systems belong to decision-makers, analysts, or administrators, refining their espionage focus.
China-Aligned Strategy Patterns
The geographic focus on Southeast Asia and Japan aligns with long-standing regional intelligence priorities. Combined with tooling similarities to other China-linked clusters, the campaign fits into a broader strategic context rather than an isolated operation.
Enterprise Tools Are the New Attack Surface
This campaign reinforces a hard truth: enterprise management frameworks and cloud platforms are becoming the most attractive attack surfaces. Defenders can no longer assume that “legitimate” equals “safe.”
Detection Requires Behavioral Thinking
Signature-based defenses struggle against threats like LongNosedGoblin. Behavioral analysis, Group Policy auditing, and anomaly detection around cloud API usage are becoming essential.
Transparency Benefits the Ecosystem
ESET’s decision to publish indicators of compromise and samples strengthens collective defense. Public reporting remains one of the most effective countermeasures against advanced persistent threats.
A Warning for Government Networks
For government and critical infrastructure operators, this campaign serves as a reminder that internal trust mechanisms must be monitored as aggressively as external attack vectors.
Fact Checker Results
Verification of Attribution and Techniques
✅ LongNosedGoblin attribution to China-aligned actors is supported by code and infrastructure overlaps.
✅ Abuse of Windows Group Policy is confirmed through forensic evidence.
❌ No public evidence currently links the group to destructive or financially motivated attacks.
Prediction
Where LongNosedGoblin and Similar APTs Are Heading
🔮 More APT groups will adopt Group Policy and cloud services as primary malware delivery channels.
🔮 Detection tools will increasingly focus on policy abuse and trusted process anomalies.
🔮 Governments in Asia will accelerate zero-trust and internal monitoring reforms in response.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




