Executive Summary
In late 2025, ESET researchers disclosed a cyber-espionage campaign against government entities in Southeast Asia and Japan, attributed to a previously undocumented China-aligned advanced persistent threat (APT) group they named LongNosedGoblin. Active since at least 2023, the group operated from positions of privileged access inside Windows domains, abusing legitimate Group Policy mechanisms to push malicious payloads to domain-joined hosts, move laterally, and persist. Once entrenched, the attackers deployed custom C#/.NET tooling, including a keylogger, data-exfiltration components and the NosyDoor backdoor, and routed command and control through cloud services. The campaign illustrates how a single compromised domain administrator credential translates into control of an entire agency's infrastructure. Fewer than a dozen victims were confirmed, and the tooling and tradecraft indicate a moderate rather than elite level of operator sophistication.
The campaign reinforces a broader pattern in APT tradecraft: built-in administrative utilities are favored over custom loaders for malware distribution and lateral movement, because the resulting activity blends into legitimate administration and rarely trips signature-based controls. Cloud-based C2 and bespoke tooling further complicate response and attribution, making proactive identity management and defense in depth urgent priorities for government and enterprise networks alike.
Why This Matters Now
This breach underscores the escalating trend of APTs abusing legitimate IT administration tools, Group Policy in this case, for covert lateral movement and malware deployment. With geopolitical tension in Asia rising and governments a high-value target, robust identity controls, real-time east-west traffic inspection, and zero trust segmentation have become urgent priorities.
Attack Path Analysis
LongNosedGoblin likely gained initial access to Southeast Asian and Japanese government networks via compromised domain administrator credentials or spearphishing, then used that privilege to control Domain Controllers and distribute malware through Group Policy, so that every computer the policy applied to executed the payload as part of normal policy processing. From there the attackers moved laterally with legitimate Windows administration tools, spreading custom malware such as NosyHistorian and NosyDoor. Command and control was established over cloud services such as Microsoft OneDrive, which carried both tasking and exfiltrated data inside ordinary HTTPS to a Microsoft domain. Sensitive data left the network through these backdoors and through reverse proxies over encrypted channels. The objective was espionage: prolonged, quiet access and data theft rather than destructive action.
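The Group Policy abuse described above leaves a reliable trail on domain controllers: when Directory Service Changes auditing is enabled with a SACL on the Policies container, every write to a GPO's Active Directory object is recorded as Security event ID 5136, including the account that made it and the attribute it touched. The script below is an added example, not code from ESET or any of the cited reports. It correlates constructed 5136 records into findings, flagging GPO edits by identities outside an approved editor set (the page's "privileged Group Policy actions from unauthorized" principals) and edits that wire a code-executing client-side extension (Scheduled Tasks preferences, startup/logon scripts, Software Installation) into a GPO. The domain, account names, the approved-editor set and the targeted GPO's GUID are assumptions made for the example; the CSE GUIDs are Microsoft's published extension identifiers.

```python
"""Flag suspicious Group Policy Object (GPO) changes in Security event ID 5136.

Added example; not code from ESET or the other cited reports. Assumes "Audit
Directory Service Changes" is enabled with a SACL on CN=Policies,CN=System so
every GPO attribute write is logged as 5136. Events are dicts keyed by the
EventData field names Windows emits; the sample events, account names and the
targeted GPO GUID below are constructed for this example.
"""
import re

# Client-side extensions (CSEs) whose presence in gPCMachineExtensionNames or
# gPCUserExtensionNames makes the GPO run code or install software on every
# target it applies to. GUIDs are Microsoft's published CSE identifiers.
CODE_EXEC_CSE = {
    "{AADCED64-746C-4633-A97C-D61349046527}": "Preferences: Scheduled Tasks",
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "Scripts (startup/shutdown/logon/logoff)",
    "{C6DC5466-785A-11D2-84D0-00C04FB169F7}": "Software Installation",
}
# GPO attributes that change what a policy does; other attribute writes are ignored.
SENSITIVE_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames",
                   "gPCFileSysPath", "gPCWQLFilter", "versionNumber"}
VALUE_ADDED = {"%%14674", "Value Added"}  # 5136 logs OperationType as a resource string

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
GPO_DN_RE = re.compile(r"^CN=(\{[^}]+\}),CN=Policies,CN=System,", re.IGNORECASE)


def gpo_guid(object_dn):
    """GPO GUID from a groupPolicyContainer DN, or None for any other object."""
    m = GPO_DN_RE.match(object_dn or "")
    return m.group(1).upper() if m else None


def code_exec_cses(attribute_value):
    """Names of code-executing CSEs referenced by a gPC*ExtensionNames value."""
    guids = {g.upper() for g in GUID_RE.findall(attribute_value or "")}
    return sorted(CODE_EXEC_CSE[g] for g in guids if g in CODE_EXEC_CSE)


def detect_gpo_abuse(events, approved_editors):
    """Correlate 5136 events into one finding per (actor, GPO).

    high: any GPO change by an identity outside approved_editors.
    medium: an approved editor wiring a code-executing CSE into a GPO.
    Approved editors touching only version/path/filter attributes are not reported.
    """
    approved = {a.lower() for a in approved_editors}
    findings = {}
    for ev in events:
        if ev.get("ObjectClass") != "groupPolicyContainer":
            continue  # 5136 also fires for users, groups, OUs and more
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr not in SENSITIVE_ATTRS:
            continue
        user = ev.get("SubjectUserName", "")
        actor = ev.get("SubjectDomainName", "") + "\\" + user
        gpo = gpo_guid(ev.get("ObjectDN")) or ev.get("ObjectDN", "")
        f = findings.setdefault((actor.lower(), gpo), {
            "actor": actor, "gpo": gpo, "events": 0, "unapproved": False, "cses": set()})
        f["events"] += 1
        if user.lower() not in approved:
            f["unapproved"] = True
        if attr.endswith("ExtensionNames") and ev.get("OperationType") in VALUE_ADDED:
            f["cses"].update(code_exec_cses(ev.get("AttributeValue")))
    results = []
    for f in findings.values():
        if not (f["unapproved"] or f["cses"]):
            continue
        reasons = (["modified by identity outside the approved GPO-editor set"]
                   if f["unapproved"] else [])
        reasons += ["code-executing CSE added: " + n for n in sorted(f["cses"])]
        results.append({"actor": f["actor"], "gpo": f["gpo"], "events": f["events"],
                        "severity": "high" if f["unapproved"] else "medium",
                        "reasons": reasons})
    return results


# Constructed sample data: the well-known Default Domain Policy GUID, a made-up
# target GPO GUID, and two real CSE pairs (Scheduled Tasks, Registry/Admin Templates).
DDP = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gov,DC=example"
TARGET = "CN={D3C0FFEE-1234-4A5B-8C9D-0123456789AB},CN=Policies,CN=System,DC=gov,DC=example"
SCHED_TASKS_CSE = "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"
REGISTRY_CSE = "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]"


def _ev(user, dn, attr, value, obj_class="groupPolicyContainer"):
    return {"SubjectDomainName": "GOV", "SubjectUserName": user, "ObjectClass": obj_class,
            "ObjectDN": dn, "AttributeLDAPDisplayName": attr,
            "OperationType": "%%14674", "AttributeValue": value}


# Routine change-managed edits, then a stolen admin account adding the Scheduled
# Tasks CSE to a GPO: the 'payload delivered through Group Policy' pattern.
SAMPLE_EVENTS = [
    _ev("svc-gpo-deploy", DDP, "versionNumber", "66"),
    _ev("svc-gpo-deploy", DDP, "gPCMachineExtensionNames", REGISTRY_CSE),
    _ev("j.tanaka", TARGET, "gPCMachineExtensionNames", SCHED_TASKS_CSE),
    _ev("j.tanaka", TARGET, "versionNumber", "3"),
    _ev("j.tanaka", "CN=Alice,OU=Staff,DC=gov,DC=example", "description", "x", "user"),
]

if __name__ == "__main__":
    for f in detect_gpo_abuse(SAMPLE_EVENTS, approved_editors={"svc-gpo-deploy"}):
        print(f"[{f['severity'].upper()}] {f['actor']} -> {f['gpo']} ({f['events']} events)")
        for r in f["reasons"]:
            print("   -", r)
```

In production the input is the Security log exported from each domain controller (for example with Get-WinEvent filtered to Id 5136), and the finding should trigger a SYSVOL check: the extension names tell you a scheduled task or startup script is now in play, but the payload path lives in the GPO's ScheduledTasks.xml or Scripts folder under the domain's SYSVOL share, which 5136 does not record. The approved-editor set is the control that makes this useful; if every domain admin is allowed to edit GPOs, a stolen domain admin credential looks like routine change.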
Kill Chain Progression
Initial Compromise
Description
The attacker obtained access to the government network, likely via spearphishing or credential theft, and acquired privileged Active Directory credentials.
Related CVEs
CVE-2025-50165
CVSS 9.8. A critical vulnerability in the Windows Imaging Component (Microsoft advisory title: Windows Graphics Component Remote Code Execution Vulnerability) allows remote code execution via a specially crafted JPEG image. Initial access in this campaign is assessed above as spearphishing or credential theft, not exploitation of this CVE; it is listed here as a patch priority for the Windows estates in scope, not as a confirmed intrusion vector.
Affected Products:
Microsoft Windows Imaging Component – all versions prior to Microsoft's fixing security update
Exploit Status:
No public exploit reported at the time of writing
MITRE ATT&CK® Techniques
Valid Accounts: Domain Accounts (T1078.002)
Domain Policy Modification: Group Policy Modification (T1484.001)
Ingress Tool Transfer (T1105)
Application Layer Protocol: Web Protocols (T1071.001)
Command and Scripting Interpreter: PowerShell (T1059.001)
Screen Capture (T1113)
Data from Local System (T1005)
Obfuscated Files or Information (T1027)
Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Unique Authentication Credentials
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Privileged Account Protection
Control ID: Identity Pillar: Privileged Access Management
NIS2 Directive – Security of Network and Information Systems
Control ID: Art. 21
PCI DSS 4.0 – Log and Monitor Security Events
Control ID: 10.4.1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Primary target of LongNosedGoblin, which abused Group Policy for payload delivery and lateral movement; agencies should prioritize east-west traffic controls and zero trust segmentation around domain controllers and administrative tiers.
Information Technology/IT
Active Directory compromise and custom C#/.NET malware deployment put shared IT infrastructure at risk, calling for inline intrusion prevention together with endpoint and identity threat detection.
Computer/Network Security
The group's use of cloud services for command and control blends with legitimate SaaS traffic, demanding multicloud visibility and anomaly detection that feeds directly into response workflows.
Defense/Space
Nation-state espionage against sensitive government networks requires inspection of encrypted traffic and shared threat intelligence to defend adjacent critical infrastructure.
Sources
- LongNosedGoblin Caught Snooping on Asian Governments (Dark Reading): https://www.darkreading.com/threat-intelligence/longnosedgoblin-caught-snooping-on-asian-governments
- New Chinese group LongNosedGoblin deploys cyberespionage tools in Southeast Asia and Japan, ESET Research discovers (ESET): https://www.eset.com/us/about/newsroom/research/chinese-group-longnosedgoblin-cyberespionage-eset-research/
- Chinese APT 'LongNosedGoblin' Targeting Asian Governments (SecurityWeek): https://www.securityweek.com/chinese-apt-longnosedgoblin-targeting-asian-governments/
- LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan (ESET WeLiveSecurity): https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero trust network segmentation, granular egress policy enforcement, encrypted traffic inspection, and continuous visibility could have substantially limited LongNosedGoblin's lateral movement, command-and-control persistence, and data exfiltration. Identity-aware policies and anomaly detection tied to CNSF would have flagged or blocked malicious pivots, malware propagation, and unauthorized cloud/SaaS access.
Control: Multicloud Visibility & Control
Mitigation: High-risk admin authentications and new external access would generate alerts.
Control: Zero Trust Segmentation
Mitigation: Privileged Group Policy actions from unauthorized hosts would be blocked or isolated.
Control: East-West Traffic Security
Mitigation: Unusual internal connections and unauthorized service-to-service communications would be detected and blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 traffic to unapproved or unusual SaaS destinations could be blocked, detected, or alerted.
Control: Encrypted Traffic (HPE)
Mitigation: Encrypted outbound data exfiltration can be identified and constrained.
Behavioral anomalies (e.g., unusual data volumes, process activity) would generate rapid alerts to incident response.
Impact at a Glance
Affected Business Functions
- Government Communications
- Data Management
- Network Security
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive governmental communications and data due to unauthorized access and exfiltration by the LongNosedGoblin APT group.
Recommended Actions
Key Takeaways & Next Steps
- Prioritize rapid deployment of Zero Trust segmentation to restrict lateral movement and enforce least-privilege workflows across all administrative and sensitive network segments.
- Implement centralized multicloud visibility and continuous monitoring to promptly detect anomalous authentications, privileged actions, and shadow admin behavior.
- Enforce granular egress policy controls, including FQDN filtering and application-based restrictions, to prevent unauthorized command and control or exfiltration attempts.
- Deploy robust inline encryption and inspection capabilities to identify and mitigate covert data transfers in both north-south and east-west directions.
- Integrate advanced behavioral and anomaly detection systems that alert on deviations from established baselines to enable faster containment and response.