China-Aligned APT Exploiting Windows Group Policy for Malware Deployment.

Published on: December 22, 2025

Overview

Security researchers have identified an emerging China-aligned advanced persistent threat (APT) cluster, tracked as LongNosedGoblin, actively engaging in cyber-espionage against governmental networks in Southeast Asia and Japan. The threat actor has been operating since at least September 2023, leveraging Windows Group Policy mechanisms to propagate malware across domain-joined hosts after gaining internal access. This abuse of legitimate administrative infrastructure allows stealthy lateral movement and persistent control of compromised environments. LongNosedGoblin employs a suite of custom C#/.NET malware tools for reconnaissance, keylogging, data theft, and backdoor access. They also use legitimate cloud services (e.g., Microsoft OneDrive, Google Drive) for command-and-control (C2), blending malicious traffic with normal activity to evade detection.

Who It Affects

• Government and public sector entities, particularly in Southeast Asia and Japan, based on observed targeting.
• Windows domain-joined enterprise networks that utilize Active Directory and Group Policy for managing configurations and software deployment.
• Organizations with insufficient monitoring or auditing of Group Policy changes and internal lateral movement detection are especially at risk.

How It Affects You

Once an attacker obtains initial access to a domain-joined environment, they:

  1. Abuse Windows Group Policy to silently deploy malicious payloads to multiple systems.
  2. Install custom espionage-focused tools to harvest data (e.g., browser history), log keystrokes, and maintain backdoor access.
  3. Use cloud storage platforms (e.g., OneDrive, Google Drive) as C2 infrastructure to blend with legitimate traffic and avoid detection.
  4. Potentially leverage legitimate penetration testing frameworks (e.g., Cobalt Strike) alongside custom tools for additional capabilities.

Impact includes unauthorized data access and exfiltration, persistent foothold in internal environments, and compromised host integrity.

Targeted Products / Versions

Microsoft Windows domain environments using Active Directory and Group Policy Objects (GPOs).
There are no specific software version vulnerabilities cited; rather, the threat actor abuses legitimate administrative capabilities within Group Policy for malware propagation after initial compromise.

IOCs (Indicators of Compromise)

The public reports do not provide confirmed hashes or network indicators tied directly to this campaign, but referenced tooling includes:

Observed Malware Components:

  • NosyHistorian – Browser history collection and reconnaissance.
  • NosyDoor – Backdoor using cloud services for C2.
  • NosyStealer – Browser data exfiltration via cloud platforms.
  • NosyDownloader – Payload downloader.
  • NosyLogger – Keystroke logging, based on a modified DuckSharp.

Recommendations:

Immediate Actions

  1. Audit Group Policy Changes: Enable logging and alerting on creation or modification of Group Policy Objects (GPOs). Additionally, investigate unexpected GPO modifications or deployments that push software or scripts.
  2. Monitor Cloud Service Usage: Watch for unusual traffic to cloud storage endpoints (OneDrive, Google Drive) for non-standard patterns.
  3. Enhance Detection Capabilities: Use Endpoint Detection and Response (EDR) tools to detect lateral movement and suspicious process execution. Look for use of living-off-the-land binaries (LOLBins) and anomalous PowerShell or .NET behavior.
  4. Network Segmentation & Least Privilege: Restrict administrative privileges and separate sensitive domains from general user environments.
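The following PowerShell script is an added example of how to carry out the Group Policy audit in item 1 on a domain controller; it is not code from the referenced reports or from any vendor. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, the session is elevated on a DC, and that Security-log events 5136/5137/5141 (directory service object modified/created/deleted) are being generated. Those events require the "Directory Service Changes" audit subcategory to be enabled and a SACL on the Policies container (CN=Policies,CN=System,<domain DN>); the script enables the subcategory but the SACL must be set separately. The $Days window, the function names and the file-extension watch list are choices made for this example.

```powershell
# Added example: hunt for recent Group Policy changes on a domain controller.
# Not code from the referenced reports. Assumes RSAT GroupPolicy/ActiveDirectory
# modules, an elevated session on a DC, and Directory Service Changes auditing
# with a SACL on CN=Policies,CN=System,<domain DN> so that 5136/5137/5141 fire.
param([int]$Days = 7)

Import-Module GroupPolicy
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$Days)

# Turn on the audit subcategory that produces 5136/5137/5141 (SACL still needed).
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

function Get-RecentGpoObjects {
    # GPOs whose AD object was touched inside the window, regardless of who did it.
    Get-GPO -All |
        Where-Object { $_.ModificationTime -ge $since } |
        Select-Object DisplayName, Id, Owner, GpoStatus, ModificationTime
}

function Get-GpoChangeEvents {
    # Who changed which groupPolicyContainer attribute. A versionNumber or
    # gPCFileSysPath change means the GPO body in SYSVOL was edited; a new
    # gPCMachineExtensionNames value often means a client-side extension
    # (scripts, scheduled tasks, software installation) was attached.
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectClass'] -eq 'groupPolicyContainer') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ObjectDN  = $data['ObjectDN']
                Attribute = $data['AttributeLDAPDisplayName']
                Value     = $data['AttributeValue']
            }
        }
    }
}

function Get-RecentSysvolArtifacts {
    # Payload deployment through GPO leaves files under SYSVOL\Policies:
    # startup/logon scripts (scripts.ini, .ps1, .bat), Group Policy Preferences
    # XML (ScheduledTasks.xml, Files.xml, Services.xml) and copied binaries.
    $domain   = (Get-ADDomain).DNSRoot
    $policies = "\\$domain\SYSVOL\$domain\Policies"
    $watch    = '.ps1', '.bat', '.cmd', '.vbs', '.js', '.exe', '.dll', '.msi', '.xml', '.ini'
    Get-ChildItem -Path $policies -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since -and $_.Extension -in $watch } |
        Select-Object FullName, Length, LastWriteTime
}

# Run all three checks; pipe to Export-Csv or a SIEM collector as needed.
"== GPO objects modified in the last $Days day(s) =="
Get-RecentGpoObjects | Format-Table -AutoSize
"== Directory change events on groupPolicyContainer objects =="
Get-GpoChangeEvents | Sort-Object Time | Format-Table -AutoSize
"== Recently written SYSVOL policy files =="
Get-RecentSysvolArtifacts | Format-Table -AutoSize
```

Security events are written on whichever domain controller processed the change, so run the script on every DC or point the event query at a forwarded-event collector. The three views complement each other: Get-GPO shows which GPOs changed, the 5136/5137 events show the account that changed them, and the SYSVOL listing shows what was actually pushed (a new scheduled task XML or a script dropped into a policy folder is the artefact that matters for the propagation technique described above).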

Long-Term Controls

  • Regularly review and tighten Active Directory security and implement zero-trust controls.
  • Keep security awareness training up to date to reduce the risk of initial access via social engineering or credential compromise.

References:

  1. China-Aligned APT Hackers Exploit Windows Group Policy to Deploy Malware
  2. Group Policy abuse reveals China-aligned espionage group targeting governments
  3. Chinese APT ‘LongNosedGoblin’ Targeting Asian Governments
  4. China-linked APT Hackers Leverage Windows Group Policy for Malware