Sniffing Around: Unmasking the LongNosedGoblin operation in Southeast Asia and Japan
In this talk, we will present a detailed case study of a cyberespionage campaign that we uncovered targeting organizations in Southeast Asia and Japan. We attribute this campaign to the LongNosedGoblin threat actor, which has been active since at least 2023.
Our research reveals how LongNosedGoblin leverages Active Directory Group Policy to deliver custom malware across numerous workstations within compromised environments. One such payload, dubbed NosyHistorian, is a lightweight infostealer designed to collect browser history, likely to help identify high-value targets within the affected organizations. Following this reconnaissance phase, the attackers deployed more advanced backdoors and data exfiltration tools. For instance, they used a full-featured backdoor we named NosyDoor, which leverages the Microsoft OneDrive service for command-and-control (C&C) communications and includes functionality to bypass the Antimalware Scan Interface (AMSI).
During our presentation, we will deliver an in-depth analysis of the custom malware arsenal and the TTPs (tactics, techniques, and procedures) employed by this APT group. We will also detail our attribution process and explore potential links and overlaps with other threat actors operating in the region.

Anton Cherepanov – ESET
Anton Cherepanov is a Senior Malware Researcher at ESET, responsible for analyzing and hunting the most complex cyber threats. He has conducted extensive research on the Sandworm APT group. Anton has presented his findings at numerous international conferences, including Black Hat USA, Virus Bulletin, and CYBERWARCON. His professional interests include reverse engineering and hunting for previously unknown threats.

Peter Strýček – ESET
Peter Strýček is a Malware Researcher at ESET who enjoys reverse engineering and analyzing complex threats. He has a particular interest in analyzing malware targeting platforms such as Linux and macOS.
