New China-linked hacker group spies on governments in Southeast Asia, Japan
Summary
A previously unknown China-aligned hacking group dubbed LongNosedGoblin by ESET has been targeting government institutions across Southeast Asia and Japan. Active since at least September 2023, the group was uncovered after ESET detected new malware in a Southeast Asian government network.
LongNosedGoblin abuses the legitimate Windows Group Policy mechanism to deploy malware and move laterally. Its toolkit centres on browser-data collection and selective backdoor deployment: NosyHistorian harvests browsing history from Chrome, Edge and Firefox to identify high-value victims, and NosyDoor acts as a backdoor on carefully chosen machines. Variants of NosyDoor have been seen in a European incident, suggesting the malware may be shared or offered commercially. Other linked tools include NosyStealer (browser-data exfiltration), NosyDownloader (in-memory payload execution) and NosyLogger (keylogging).
Key Points
- New actor named LongNosedGoblin, linked to China, active since at least September 2023.
- Targets government organisations in Southeast Asia and Japan, discovered after an intrusion in a Southeast Asian government network.
- Abuses legitimate Windows Group Policy to distribute malware and achieve lateral movement across networks.
- NosyHistorian collects browser history (Chrome, Edge, Firefox) to prioritise which victims get further compromise.
- NosyDoor is a selective backdoor used only on certain machines; variants seen elsewhere imply possible commercial availability.
- Additional tools: NosyStealer (exfiltrates browser data), NosyDownloader (runs payloads in memory), NosyLogger (keylogger).
- The use of legitimate admin features and a modular toolkit increases stealth and makes defence more difficult for targeted organisations.
Context and relevance
This discovery highlights evolving tactics among China-aligned actors: abusing built-in administrative features (Group Policy) to avoid detection and using browser-data profiling to focus efforts. The apparent reuse or sale of NosyDoor indicates malware-as-a-service dynamics, raising the risk that multiple groups could adopt the same capabilities. For governments and critical infrastructure in the region, this represents an elevated espionage threat and underscores the need for hardened endpoint controls and monitoring of administrative channels.
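As an added, defender-side illustration (not code from ESET, the article or the group's tooling), the script below shows one concrete form the "monitoring of administrative channels" recommendation can take for the Group Policy abuse described above. It scans Windows Security events for Group Policy object modifications (event ID 5136 on a groupPolicyContainer) made by accounts outside an allow-list, and for writes into SYSVOL policy script or scheduled-task paths (event ID 5145). The allow-list, the flattened event field layout, the GPO GUID and the sample records are all constructed assumptions for this example.

```python
"""
Flag suspicious Group Policy changes from Windows Security event records.
Added example: the event shapes follow Windows event IDs 5136 (directory
service object modified) and 5145 (network share object checked), reduced
to flat dicts; the allow-list and sample records are constructed.
"""
import json
import re

# Assumption: accounts expected to edit GPOs in this hypothetical domain.
GPO_ADMINS = {"CORP\\gpo-admin", "CORP\\svc-gpomgmt"}

# SYSVOL paths where a write by an unexpected account deserves review:
# startup/logon scripts and Group Policy Preferences scheduled-task XML.
SUSPICIOUS_SYSVOL_PATH = re.compile(
    r"Policies\\\{[0-9A-F-]+\}\\(Machine|User)\\"
    r"(Scripts\\|Preferences\\ScheduledTasks\\)",
    re.IGNORECASE,
)

# Write-type bits in the 5145 AccessMask (WriteData 0x2, AppendData 0x4).
WRITE_MASK = 0x2 | 0x4


def analyse_event(ev):
    """Return an alert string for one event dict, or None if nothing stands out."""
    user = ev.get("SubjectUserName", "")
    event_id = ev.get("EventID")

    # GPO object edited in AD by someone who is not a known GPO administrator.
    if event_id == 5136 and ev.get("ObjectClass") == "groupPolicyContainer":
        if user not in GPO_ADMINS:
            return (f"GPO modified by unexpected account {user}: "
                    f"{ev.get('AttributeLDAPDisplayName')} on {ev.get('ObjectDN')}")

    # Write access to a policy script path on the SYSVOL share.
    if event_id == 5145 and ev.get("ShareName", "").upper().endswith("\\SYSVOL"):
        path = ev.get("RelativeTargetName", "")
        mask = int(ev.get("AccessMask", "0x0"), 16)
        if (SUSPICIOUS_SYSVOL_PATH.search(path)
                and mask & WRITE_MASK
                and user not in GPO_ADMINS):
            return f"Script written to SYSVOL policy path by {user}: {path}"

    return None


def scan_events(lines):
    """Parse JSON lines (one event per line) and return alerts in order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        alert = analyse_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records: one benign GPO edit, one edit by an ordinary
# user, one harmless SYSVOL read, and one script write by that same user.
_GPO = "{AAAAAAAA-0000-0000-0000-000000000001}"  # placeholder GPO GUID
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "CORP\\gpo-admin",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": f"CN={_GPO},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "SubjectUserName": "CORP\\jdoe",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": f"CN={_GPO},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5145, "SubjectUserName": "CORP\\jdoe",
     "ShareName": "\\\\*\\SYSVOL", "AccessMask": "0x1",
     "RelativeTargetName": f"corp.example\\Policies\\{_GPO}\\GPT.INI"},
    {"EventID": 5145, "SubjectUserName": "CORP\\jdoe",
     "ShareName": "\\\\*\\SYSVOL", "AccessMask": "0x2",
     "RelativeTargetName":
         f"corp.example\\Policies\\{_GPO}\\Machine\\Scripts\\Startup\\update.bat"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for a in scan_events(SAMPLE_LINES):
        print(a)
```

Run as-is it reports two alerts, both for the constructed `CORP\jdoe` account: the edit of the GPO's machine extension list and the startup-script write. In a real deployment the allow-list would come from the accounts actually delegated GPO rights, and the alerts would be correlated with the host that subsequently applied the policy rather than judged in isolation.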
Why should I read this?
Look — if you’re responsible for IT or security in government or related sectors, this is worth a five-minute read. These attackers aren’t just noisy ransomware kids: they quietly misuse Windows admin tools and profile users by their browser history to pick high-value targets. That cleverness makes them slippery; knowing their methods helps you spot the signs and plug the gaps sooner rather than later.
Source
Source: https://therecord.media/china-linked-hacker-group-spied-on-asian-govs
