In partnership with

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


China-Linked APT LongNosedGoblin Targets Government Networks Using Group Policy Abuse

A newly identified China-aligned advanced persistent threat (APT), tracked as LongNosedGoblin, has been conducting cyber-espionage operations against government entities in Southeast Asia and Japan. According to ESET, the group abuses legitimate Windows administrative mechanisms—most notably Group Policy—to deploy malware, move laterally, and selectively escalate operations. The campaign demonstrates a measured, intelligence-driven approach focused on persistence and stealth rather than disruption.

Context

State-aligned threat actors increasingly favor “living-off-the-land” techniques that blend into normal enterprise operations. By leveraging native tools already present in Windows environments, attackers reduce the likelihood of detection and complicate incident response. LongNosedGoblin fits squarely into this trend, targeting government networks where centralized management infrastructure is common and highly trusted.

What Happened

ESET reports that LongNosedGoblin has been active since at least September 2023, with a renewed wave of activity observed beginning in September 2025. The group primarily targets government organizations, deploying malware through Group Policy Objects (GPOs) once administrative access is obtained.

Initial infections typically involve a reconnaissance tool called NosyHistorian, which collects browser history data to assess victim value. Only a subset of compromised systems is later escalated with more capable backdoors, indicating deliberate victim selection rather than broad opportunistic infection.

Technical Breakdown

LongNosedGoblin’s toolchain is modular and selectively deployed.

NosyHistorian, a C#/.NET application, harvests browsing data from Chrome, Firefox, and Edge to guide follow-on actions.

For higher-value targets, the group deploys NosyDoor, a backdoor that uses Microsoft OneDrive as a command-and-control channel. NosyDoor relies on AppDomainManager injection, a lesser-known execution technique that enables stealthy code loading within .NET applications.
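AppDomainManager injection works because the CLR honours an `appDomainManagerAssembly`/`appDomainManagerType` pair placed in a program's `<exe>.config` (under `<runtime>`) or in the `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` environment variables, loading that assembly before the .NET program's own code runs. The following hunting script is an added example, not ESET's or the article's code, and the scan roots are an assumption; legitimate software rarely sets these, so any hit deserves a look at the named assembly's path and signature.

```powershell
# Added example: report AppDomainManager configuration that could redirect a trusted
# .NET executable into a foreign assembly. Scan roots are an assumption for this demo.
param(
    [string[]]$Roots = @("$env:ProgramData", "$env:USERPROFILE", "$env:TEMP")
)

function Get-AppDomainManagerConfig {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        Get-ChildItem -LiteralPath $path -Recurse -Filter '*.exe.config' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Unparseable or unrelated config files are skipped; 'return' moves to the next item.
            try { $xml = [xml](Get-Content -LiteralPath $_.FullName -Raw -ErrorAction Stop) } catch { return }
            $runtime = $xml.configuration.runtime
            if ($null -eq $runtime) { return }
            $asm  = $runtime.appDomainManagerAssembly   # <appDomainManagerAssembly value="..."/>
            $type = $runtime.appDomainManagerType       # <appDomainManagerType value="..."/>
            if ($asm -or $type) {
                [pscustomobject]@{
                    Source   = 'exe.config'
                    Path     = $_.FullName
                    Assembly = $asm.value
                    Type     = $type.value
                    Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
                    Modified = $_.LastWriteTime
                }
            }
        }
    }
}

function Get-AppDomainManagerEnv {
    # The same redirection can be set per machine, per user, or in the current process.
    foreach ($scope in 'Machine', 'User', 'Process') {
        $asm  = [Environment]::GetEnvironmentVariable('APPDOMAIN_MANAGER_ASM',  $scope)
        $type = [Environment]::GetEnvironmentVariable('APPDOMAIN_MANAGER_TYPE', $scope)
        if ($asm -or $type) {
            [pscustomobject]@{ Source = "env:$scope"; Path = $null; Assembly = $asm; Type = $type
                               Owner = $null; Modified = $null }
        }
    }
}

$findings = @(Get-AppDomainManagerConfig -Paths $Roots) + @(Get-AppDomainManagerEnv)
if ($findings.Count -eq 0) { 'No AppDomainManager configuration found under the scanned roots.' }
else { $findings | Format-Table -AutoSize }
```

Pair a hit with the matching executable's publisher: a signed vendor binary whose `.config` points at an unsigned DLL in a user-writable folder is the pattern to escalate.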

Additional tools observed include NosyStealer for browser data exfiltration, NosyDownloader for in-memory payload execution, NosyLogger for keystroke capture, and a reverse SOCKS5 proxy for network tunneling. Some components can bypass Windows’ Antimalware Scan Interface (AMSI), further reducing detection.

Impact Analysis

The campaign appears narrowly focused on intelligence collection rather than sabotage. Compromised systems can be used to exfiltrate sensitive credentials, internal communications, and metadata useful for long-term espionage operations.

The abuse of Group Policy is particularly concerning, as it allows attackers to deploy malware at scale once domain-level access is achieved, effectively turning trusted IT infrastructure into a delivery mechanism.
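Because a GPO can carry startup and logon scripts, scheduled or immediate tasks, file copies and software installations, a quick inventory of which GPOs contain those execution-capable extensions, who owns them and when they last changed, is a practical first triage step. The script below is an added example (not ESET's or the article's code); it needs the GroupPolicy RSAT module and domain read rights, and the watched extension names and the 30-day window are assumptions.

```powershell
# Added example: list GPOs whose client-side extensions can run or drop code, with owner
# and modification time, so recently changed ones can be reviewed first.
Import-Module GroupPolicy -ErrorAction Stop

# Assumed watch list: extension display names as they appear in Get-GPOReport XML.
$WatchedExtensions = @('Scripts', 'Scheduled Tasks', 'Files', 'Software Installation', 'Registry')
$Since = (Get-Date).AddDays(-30)   # review window, an assumption for this example

function Get-GpoExtensionNames {
    param([Parameter(Mandatory)][string]$ReportXml)
    # Report XML is heavily namespaced; local-name() keeps the XPath prefix-independent.
    $doc = [xml]$ReportXml
    $doc.SelectNodes("//*[local-name()='ExtensionData']/*[local-name()='Name']") |
        ForEach-Object { $_.InnerText } | Sort-Object -Unique
}

function Find-ExecutionCapableGpo {
    param([string[]]$Watch, [datetime]$ModifiedAfter)
    foreach ($gpo in Get-GPO -All) {
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $names  = @(Get-GpoExtensionNames -ReportXml $report)
        $hits   = @($names | Where-Object { $Watch -contains $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Id         = $gpo.Id
                Owner      = $gpo.Owner
                Modified   = $gpo.ModificationTime
                Recent     = $gpo.ModificationTime -gt $ModifiedAfter
                Extensions = ($hits -join ', ')
            }
        }
    }
}

# Recently changed GPOs carrying execution-capable settings go to the top of the review queue.
Find-ExecutionCapableGpo -Watch $WatchedExtensions -ModifiedAfter $Since |
    Sort-Object -Property Recent, Modified -Descending |
    Format-Table -AutoSize
```

Baseline the output once and diff it on a schedule; a new owner, an unexpected modification time, or an extension that a given GPO never carried before is what a GPO-based deployment would look like from the defender's side.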

Why It Matters

This activity highlights how administrative trust relationships can become liabilities when compromised. Group Policy is designed to simplify enterprise management, but when abused, it enables silent, organization-wide compromise.

The campaign also underscores the growing sophistication of China-aligned cyber-espionage, where tooling overlaps across multiple groups and attribution becomes increasingly complex.

Expert Commentary

ESET notes that LongNosedGoblin’s targeting and techniques overlap with known China-aligned groups such as ToddyCat and Erudite Mogwai, though clear differences in tactics, techniques, and procedures (TTPs) suggest it operates as a distinct entity.

The discovery of a NosyDoor variant shared across multiple actors further supports the idea of tool reuse within China’s broader cyber-espionage ecosystem.

Key Takeaways

  • Government networks remain prime targets for state-aligned espionage actors.

  • Group Policy abuse enables stealthy, large-scale malware deployment.

  • LongNosedGoblin selectively escalates only high-value victims.

  • Living-off-the-land techniques complicate detection and attribution.

  • Shared tooling blurs boundaries between China-aligned threat groups.
