A newly identified China-aligned advanced persistent threat (APT) group, dubbed LongNosedGoblin, has been observed conducting cyberespionage campaigns against governmental entities across Southeast Asia and Japan. Active since at least September 2023, the threat actor uses a custom toolset built on C#/.NET malware families to pursue its objectives of intelligence gathering and long-term network infiltration. Its most notable tactic is the abuse of Windows Group Policy for lateral movement and the deployment of malicious payloads, which lets it sidestep traditional security measures.
The group’s operations were first detected in early 2024 by WeLiveSecurity analysts within a Southeast Asian government network. Investigations revealed that LongNosedGoblin leveraged its compromise of the Active Directory infrastructure to distribute malware systematically across multiple machines. The attackers gave their malicious files names such as “History.ini” or “Registry.pol” so that they would blend in with the contents of legitimate Group Policy cache directories, underscoring their emphasis on stealth and persistence within compromised environments. The primary goal appears to be the identification of critical assets and their further compromise.
LongNosedGoblin Exploits Windows Group Policy for Malware Deployment
The strategic exploitation of Windows Group Policy by LongNosedGoblin represents a significant threat to organizational security. By gaining administrative control over the Active Directory, the group can dictate the execution of code or the installation of software on an extensive network of computers. This method allows for rapid and widespread infection without requiring individual user interaction or direct access to each endpoint. The reliance on Group Policy for malware deployment bypasses many perimeter-based security solutions that are designed to prevent initial unauthorized access.
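Because the attackers named their payloads after files that legitimately live in Group Policy cache directories, a file's name says little about what it is; its header does. The following is an added example, not code from the original article or from the analysts it cites: it checks that a file called Registry.pol actually begins with the "PReg" signature and version 1 that a genuine policy file carries, and that a file called History.ini is actually text, flagging anything else (in particular a Windows executable with an MZ header). The paths and file contents in SAMPLE_FILES are constructed for the example.

```python
"""Spot files in a Group Policy cache whose contents do not match their name.

Added example; not part of the original article. The sample paths and contents
below are constructed, not captured from a real incident.
"""
import struct
from typing import Callable, Dict, List, Tuple

# A genuine Registry.pol starts with ASCII "PReg" followed by a little-endian
# 32-bit version number of 1.
POL_MAGIC = b"PReg"
POL_VERSION = 1
# DOS/PE executables start with "MZ".
PE_MAGIC = b"MZ"


def classify_pol(data: bytes) -> str:
    """Return 'ok' for a well-formed Registry.pol header, otherwise a reason."""
    if len(data) >= 8 and data[:4] == POL_MAGIC:
        (version,) = struct.unpack("<I", data[4:8])
        return "ok" if version == POL_VERSION else "bad-version"
    if data[:2] == PE_MAGIC:
        return "pe-executable"
    return "not-pol"


def classify_ini(data: bytes) -> str:
    """Return 'ok' if the bytes look like an INI text file, otherwise a reason."""
    if data[:2] == PE_MAGIC:
        return "pe-executable"
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):  # UTF-16 with BOM is common on Windows
        try:
            data.decode("utf-16")
            return "ok"
        except UnicodeDecodeError:
            return "not-text"
    if b"\x00" in data:  # 8-bit text never contains NUL bytes
        return "not-text"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "not-text"
    return "ok"


# File names the article says were used as camouflage, mapped to their check.
CHECKS: Dict[str, Callable[[bytes], str]] = {
    "registry.pol": classify_pol,
    "history.ini": classify_ini,
}


def scan_cache(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every checked file whose content fails its check."""
    findings = []
    for path, data in files.items():
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        check = CHECKS.get(name)
        if check is None:
            continue
        verdict = check(data)
        if verdict != "ok":
            findings.append((path, verdict))
    return findings


# Constructed sample listing: one genuine policy file, one executable renamed to
# Registry.pol, and one binary blob renamed to History.ini. The GUID is a placeholder.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\GroupPolicy\Machine\Registry.pol":
        POL_MAGIC + struct.pack("<I", POL_VERSION)
        + "[Software\\Policies\\Example;Setting;4;4;\x00]".encode("utf-16-le"),
    r"C:\ProgramData\Microsoft\Group Policy\History\{PLACEHOLDER-GUID}\Machine\Registry.pol":
        PE_MAGIC + b"\x90\x00" + b"\x00" * 60,
    r"C:\ProgramData\Microsoft\Group Policy\History\{PLACEHOLDER-GUID}\History.ini":
        bytes(range(256)),
}

if __name__ == "__main__":
    for path, verdict in scan_cache(SAMPLE_FILES):
        print(f"{verdict:15s} {path}")
```

On a live host the same functions can be fed the real directories (read each file in binary mode and pass a path-to-bytes mapping); the point of the check is that the verdict depends on the header, so a renamed DLL or an encrypted blob is caught regardless of how plausible its file name looks.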
One of the identified malware families, NosyHistorian, plays a crucial role in the intelligence gathering phase. This tool is designed to harvest browser history, enabling the attackers to identify high-value targets within the compromised network. Once such targets are identified, LongNosedGoblin can then focus its efforts on exploiting vulnerabilities or compromising critical assets associated with those individuals or departments.
NosyDoor Execution Mechanism and Evasion Tactics
The group’s primary backdoor, known as NosyDoor, exemplifies their preference for living-off-the-land techniques and the utilization of cloud-based infrastructure for command and control (C2). This approach leverages legitimate system tools and services to blend in with normal network activity, making detection more challenging for security personnel. The backdoor’s operation is characterized by a complex, three-stage execution chain designed to evade standard security product detection.
The infection process begins with a dropper component. According to WeLiveSecurity, this dropper decrypts embedded payloads using the Data Encryption Standard (DES) with a specific key: UevAppMo. Crucially, the dropper incorporates execution guardrails. These guardrails act as a validation mechanism, ensuring that the malware only detonates on designated victim machines, thereby minimizing accidental exposure or early detection during testing or reconnaissance phases.
Once validation succeeds, the malware establishes persistence. It creates a scheduled task that runs a legitimate Windows binary, UevAppMonitor.exe. The attackers copy this binary from its default location in System32 to the .NET framework directory, a relocation that security monitoring can easily overlook. The core of NosyDoor’s evasion strategy lies in its use of AppDomainManager injection. The attackers place a modified configuration file, UevAppMonitor.exe.config, next to the legitimate executable to direct the application to load a malicious DLL, effectively hijacking the application’s normal execution flow.
This modified configuration file, as detailed in the analysis, instructs the application to initialize a custom domain from a DLL named SharedReg.dll. This specific DLL is designed to bypass the Antimalware Scan Interface (AMSI), a security feature in Windows that helps detect and block malicious code. Following the AMSI bypass, SharedReg.dll then decrypts the final NosyDoor payload, which is the functional backdoor. This multi-stage approach, involving legitimate executables, custom DLLs, and AMSI evasion, demonstrates a high level of technical sophistication.
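The execution chain described above leaves two artifacts a defender can look for on disk: a copy of a System32 binary running from somewhere other than System32, and a sibling .exe.config whose <runtime> section names an AppDomainManager assembly and type. The following is an added example, not code from the original article or from the analysts it cites. It parses a .NET application configuration file for the appDomainManagerAssembly and appDomainManagerType runtime elements, and checks whether the executable path is a known System32 binary sitting elsewhere. The sample configuration, the assembly display name and the type name SharedReg.EntryPoint are constructed for the example (the article names only SharedReg.dll, not the type); the list of System32 binaries is a starter list seeded from the article.

```python
"""Flag .NET app configs that redirect an application to a custom AppDomainManager,
and System32 binaries that have been copied elsewhere.

Added example; not part of the original article. Sample paths, the config body and
the type name are constructed; only SharedReg.dll and UevAppMonitor.exe come from
the article.
"""
import ntpath
import xml.etree.ElementTree as ET
from typing import List

# Binaries that ship in System32. Starter list seeded from the article.
SYSTEM32_BINARIES = {"uevappmonitor.exe"}
SYSTEM32_DIR = r"c:\windows\system32"

# <runtime> child elements that make the CLR load a caller-chosen AppDomainManager
# before the application's own Main runs.
ADM_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def find_appdomainmanager(config_xml: str) -> List[str]:
    """Return one 'element=value' string per AppDomainManager setting in the config."""
    findings = []
    root = ET.fromstring(config_xml)
    for runtime in root.iter("runtime"):
        for child in runtime:
            if child.tag in ADM_ELEMENTS:
                findings.append(f"{child.tag}={child.get('value', '')}")
    return findings


def relocated_system32_binary(exe_path: str) -> bool:
    """True when a System32 binary is located in any directory other than System32."""
    directory, name = ntpath.split(exe_path)
    return name.lower() in SYSTEM32_BINARIES and directory.lower() != SYSTEM32_DIR


def assess(exe_path: str, config_xml: str) -> List[str]:
    """Combine both checks for an executable and the .config found beside it."""
    findings = [f"{exe_path}: {item}" for item in find_appdomainmanager(config_xml)]
    if relocated_system32_binary(exe_path):
        findings.append(f"{exe_path}: System32 binary running from another directory")
    return findings


# Constructed samples. A stock config only pins the runtime version.
BENIGN_EXE = r"C:\Windows\System32\UevAppMonitor.exe"
BENIGN_CONFIG = """<configuration>
  <startup>
    <supportedRuntime version="v4.0" />
  </startup>
</configuration>"""

# The injected variant points the runtime at an assembly next to the binary.
# "SharedReg.EntryPoint" is a hypothetical type name chosen for this example.
INJECTED_EXE = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\UevAppMonitor.exe"
INJECTED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="SharedReg, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="SharedReg.EntryPoint" />
  </runtime>
</configuration>"""

if __name__ == "__main__":
    for exe, cfg in ((BENIGN_EXE, BENIGN_CONFIG), (INJECTED_EXE, INJECTED_CONFIG)):
        for line in assess(exe, cfg) or [f"{exe}: no findings"]:
            print(line)
```

Legitimate software occasionally sets an AppDomainManager, so a hit on the config check alone is a lead rather than a verdict; a hit on both checks for the same executable, or an assembly name that resolves to a DLL in the application directory rather than the GAC, is what the chain described above looks like on disk.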
Upon successful decryption and execution, the backdoor retrieves its configuration. This decrypted configuration, often stored in files like “log.cached,” allows NosyDoor to establish communication. Its command and control infrastructure leverages Microsoft OneDrive. This choice of cloud service for C2 is a common tactic among APT groups, as it can be difficult to distinguish malicious traffic from legitimate cloud storage usage. The communication involves RSA-encrypted metadata, concealing the actual commands which are stored in task files within OneDrive. This method allows for both encrypted communication and a dynamic way for the attackers to issue commands to compromised machines.
The ongoing activity of LongNosedGoblin highlights the evolving tactics of China-aligned APT groups. Their mastery of Windows Group Policy and their use of custom, evasive malware like NosyDoor present a persistent threat to sensitive government networks in the Asia-Pacific region. Organizations in these areas should strengthen their Active Directory security, monitor Group Policy changes closely, and ensure their endpoint detection and response (EDR) solutions are up-to-date to counter such sophisticated attacks.