
China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware

Published:

18 December 2025 at 17:34:00

Alert date:

18 December 2025 at 18:04:12

Source:

thehackernews.com


Operating Systems, Ransomware & Malware, Data Breach & Exfiltration

ESET researchers have documented a previously unreported China-aligned threat cluster, tracked as LongNosedGoblin, that has conducted cyber-espionage operations against government entities in Southeast Asia and Japan since at least September 2023. The group's distinguishing trait is its reliance on legitimate infrastructure: malware is pushed to hosts through Windows Group Policy, and command and control runs over public cloud storage, so both deployment and C&C traffic blend in with normal administrative and SaaS activity. The targeting is consistent with intelligence gathering against government organisations.

Technical details

LongNosedGoblin distributes its malware across compromised networks with Windows Group Policy and uses consumer cloud storage, Microsoft OneDrive and Google Drive, as command-and-control (C&C) channels. The custom toolset is written in C#/.NET: NosyHistorian collects browser history; NosyDoor is a backdoor that uses OneDrive for C&C; NosyStealer exfiltrates browser data to Google Drive; NosyDownloader retrieves and deploys further payloads; and NosyLogger is a keystroke logger based on DuckSharp. The payloads are launched through AppDomainManager injection, a technique that makes a legitimate signed .NET executable load an attacker-supplied assembly before the executable's own code runs, and they carry execution guardrails that restrict operation to specific victim machines so that the samples do not detonate in an analyst's sandbox. Additional tools include a reverse SOCKS5 proxy, video and audio recording utilities, and a Cobalt Strike loader.
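AppDomainManager injection leaves a small, recognisable footprint on disk: a legitimate .NET host executable with an attacker-written side-by-side `host.exe.config` whose `<runtime>` element sets `appDomainManagerAssembly` and `appDomainManagerType`, plus the payload DLL those values name (the same redirection can also be done with the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables). The following triage script is an added example, not code from ESET or The Hacker News, that hunts for both forms in a collected file tree or a captured process environment. The directory layout, file names and the `Loader.Entry` type name are constructed sample data, not indicators from the report.

```python
"""Offline triage for AppDomainManager injection: scan a collected file tree for
*.exe.config files that redirect the .NET runtime to a custom AppDomainManager,
and check a captured process environment for the equivalent variables."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Elements under <runtime> that make the CLR load an attacker-supplied
# AppDomainManager before the host process's own Main() runs.
APPDOMAIN_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
# Process environment variables with the same effect (no config file needed).
APPDOMAIN_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def find_appdomain_manager_configs(root: Path) -> list[dict]:
    """Return one finding per *.exe.config that names a custom AppDomainManager."""
    findings = []
    for cfg in sorted(root.rglob("*.exe.config")):
        try:
            runtime = ET.parse(cfg).getroot().find("runtime")
        except ET.ParseError:
            continue  # not well-formed XML; outside the scope of this check
        if runtime is None:
            continue
        hits = {el.tag: el.get("value", "") for el in runtime if el.tag in APPDOMAIN_ELEMENTS}
        if not hits:
            continue
        exe = cfg.with_suffix("")  # "host.exe.config" -> "host.exe"
        # The assembly name is resolved from the host's directory, so a sibling
        # DLL with that simple name is the likely payload.
        asm_name = hits.get("appDomainManagerAssembly", "").split(",")[0].strip()
        payload = exe.with_name(asm_name + ".dll") if asm_name else None
        findings.append({
            "config": str(cfg),
            "host_exe": str(exe),
            "host_present": exe.exists(),
            "payload_dll": str(payload) if payload else "",
            "payload_present": bool(payload and payload.exists()),
            **hits,
        })
    return findings


def find_appdomain_env_vars(env: dict) -> dict:
    """Return the AppDomainManager-related variables present in a captured environment."""
    return {k: v for k, v in env.items() if k.upper() in APPDOMAIN_ENV_VARS}


def build_sample_tree(base: Path) -> None:
    """Constructed sample data (not real artifacts): one benign config, one injected."""
    benign = base / "Vendor" / "tool.exe"
    benign.parent.mkdir(parents=True)
    benign.write_bytes(b"MZ")  # placeholder for a signed .NET executable
    (benign.parent / (benign.name + ".config")).write_text(
        '<configuration><startup><supportedRuntime version="v4.0"/></startup></configuration>')
    injected = base / "Users" / "Public" / "Libraries" / "host.exe"
    injected.parent.mkdir(parents=True)
    injected.write_bytes(b"MZ")  # legitimate signed .NET host copied next to the payload
    (injected.parent / "Loader.dll").write_bytes(b"MZ")  # the malicious AppDomainManager
    (injected.parent / (injected.name + ".config")).write_text(
        "<configuration><runtime>"
        '<appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>'
        '<appDomainManagerType value="Loader.Entry"/>'
        "</runtime></configuration>")


def run_demo() -> list[dict]:
    """Build the sample tree in a temp directory and return what the scan finds."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return find_appdomain_manager_configs(base)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
    print(find_appdomain_env_vars({"APPDOMAIN_MANAGER_ASM": "Loader", "PATH": "C:\\Windows"}))
```

Point the scanner at a mounted disk image or a forensic collection of user-writable directories; a config that names an AppDomainManager for a signed Microsoft or vendor binary that never shipped with one is a strong lead, and the `payload_dll` path tells you which file to pull for analysis.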

Mitigation steps:

Audit Group Policy changes: alert on newly created or modified GPOs, in particular ones that add scheduled tasks, startup scripts or software installation settings, and reconcile them against change records.
Baseline outbound traffic to Microsoft OneDrive and Google Drive and investigate hosts that reach those services without a user-driven reason, for example from system services or from unsigned .NET binaries.
Tune endpoint detection for the group's C#/.NET tooling listed under IOCs below.
Monitor access to browser data stores (history, cookies and saved credentials of Chrome, Edge and Firefox) by processes other than the browsers themselves.
Hunt for AppDomainManager injection: .exe.config files that set appDomainManagerAssembly and appDomainManagerType, and processes started with the APPDOMAIN_MANAGER_ASM or APPDOMAIN_MANAGER_TYPE environment variables.
Watch for reverse SOCKS5 proxy use: long-lived outbound connections from internal hosts over which traffic is initiated from the outside in.

Affected products:

Windows Group Policy
Google Chrome
Microsoft Edge
Mozilla Firefox
Microsoft OneDrive
Google Drive
Yandex Disk

Related links:

Related CVEs:

Related threat actors:

LongNosedGoblin

IOCs:

NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, NosyLogger, LuckyStrike Agent, PDB path containing 'Paid Version'

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
