Chinese hackers deploy espionage tools via Windows Group Policy
Gugu Ntsele Dec 22, 2025 5:44:27 PM
A China-aligned cyber threat group called LongNosedGoblin has been conducting espionage attacks against government entities in Southeast Asia and Japan since at least September 2023, using Windows Group Policy to spread malware and cloud services as command-and-control infrastructure.
What happened
The group deploys malware across compromised networks using Windows Group Policy and relies on cloud services like Microsoft OneDrive and Google Drive as command-and-control servers. Researchers first detected the group's activity in February 2024 on a system belonging to a governmental entity in Southeast Asia. Investigators discovered that Group Policy was used to deliver malware to multiple systems within the same organization. The attackers were already inside the networks when detected, so the initial access methods remain unknown.
Going deeper
LongNosedGoblin uses a varied custom toolset that mainly consists of C#/.NET applications:
- NosyHistorian: Collects browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox
- NosyDoor: A backdoor that uses Microsoft OneDrive as command-and-control and executes commands to exfiltrate files, delete files, and execute shell commands
- NosyStealer: Exfiltrates browser data from Google Chrome and Microsoft Edge to Google Drive in encrypted TAR archives
- NosyDownloader: Downloads and runs payloads in memory, such as NosyLogger
- NosyLogger: A modified version of DuckSharp used to log keystrokes
The group also employs a reverse SOCKS5 proxy, a utility for running a video recorder to capture audio and video, and a Cobalt Strike loader.
What was said
Security researchers stated that "LongNosedGoblin uses Group Policy to deploy malware across the compromised network, and cloud services (e.g., Microsoft OneDrive and Google Drive) as command and control (C&C) servers."
Researchers told The Hacker News, "In most cases we investigated, the attackers were already inside the network, so we could not determine the initial access method they used."
Regarding potential connections to other threat groups, the researchers noted, "We later identified another instance of a NosyDoor variant targeting an organization in an E.U. country, once again employing different TTPs, and using the Yandex Disk cloud service as a C&C server. The use of this NosyDoor variant suggests that the malware may be shared among multiple China-aligned threat groups."
In the know
Windows Group Policy is a mechanism for managing settings and permissions on Windows machines. According to Microsoft, Group Policy can be used to define configurations for groups of users and client computers, as well as manage server computers. Threat actors exploiting Group Policy can push malicious configurations and software across entire networks once they gain administrative access, making it an efficient distribution method for malware in compromised environments.
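Because a GPO that delivers a script, a file or a scheduled task is exactly the kind of object an intruder with rights on the domain would create or modify, a useful first hunt is to list every GPO that carries such a delivery mechanism, together with when it was last changed, who owns it and where it is linked. The following script is an added example for this article, not code from the researchers or from Microsoft. It assumes the RSAT GroupPolicy module is installed and that the account running it can read GPOs in the domain; the element names it searches for (Scripts, ScheduledTasks, ImmediateTaskV2, TaskV2, Files) are taken from the XML produced by Get-GPOReport and are matched by local name so that the report's namespaces do not matter.

```powershell
# Added example (not from the article): inventory GPOs that execute or drop
# something on clients, and flag those changed inside the lookback window.
# Assumes the GroupPolicy module (RSAT) and read access to the domain.
Import-Module GroupPolicy

# Investigation window; widen it when the intrusion is suspected to be older.
$LookbackDays = 14
$Since = (Get-Date).AddDays(-$LookbackDays)

# GPO report elements that mean "this GPO runs or places a payload".
# Matched by local name, so namespace prefixes in the report are irrelevant.
$DeliveryElements = @('Scripts', 'ScheduledTasks', 'ImmediateTaskV2', 'TaskV2', 'Files')

$Findings = foreach ($gpo in Get-GPO -All) {
    # Full settings report for this GPO as an XML document.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Collect the delivery mechanisms present anywhere in the report.
    $hits = foreach ($name in $DeliveryElements) {
        $nodes = $report.SelectNodes("//*[local-name()='$name']")
        if ($nodes.Count -gt 0) { $name }
    }
    if (-not $hits) { continue }

    # Where the GPO applies (OU / domain / site paths from the LinksTo section).
    $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '

    [pscustomobject]@{
        Name         = $gpo.DisplayName
        Id           = $gpo.Id
        Owner        = $gpo.Owner
        Modified     = $gpo.ModificationTime
        RecentChange = ($gpo.ModificationTime -gt $Since)
        Delivers     = ($hits -join ', ')
        LinkedTo     = $links
    }
}

# Recently changed GPOs that push scripts/tasks/files go to the top of the list.
$Findings |
    Sort-Object -Property @{Expression = 'RecentChange'; Descending = $true}, @{Expression = 'Modified'; Descending = $true} |
    Format-Table Name, Owner, Modified, RecentChange, Delivers, LinkedTo -AutoSize
```

Every row flagged RecentChange deserves a look at the SYSVOL content the GPO references (the script or file it deploys) and at the directory-service audit events for that GPO's container, since ModificationTime alone does not say who made the change. A GPO that legitimately deploys logon scripts will also appear here; the value of the list is the baseline it gives you, so that an unexpected new entry or a changed Delivers column stands out.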
Why it matters
The use of trusted cloud services like Microsoft OneDrive, Google Drive, and Yandex Disk as command-and-control infrastructure makes detection harder, as this traffic can blend with normal business operations. According to Microsoft Threat Intelligence research on similar state-sponsored campaigns, "detecting and mitigating this attack could be challenging" when adversaries use valid accounts and built-in system tools. For government entities and organizations in targeted regions, this is an active threat requiring immediate attention to Group Policy security and cloud service monitoring. The indication that NosyDoor is shared among multiple China-aligned threat groups points to espionage tooling being distributed or sold between actors, which could increase both the frequency and the sophistication of attacks across different threat groups.
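Cloud-hosted C2 cannot be blocked at the domain level without breaking legitimate use of the same services, so detection has to look at how a host talks to them rather than whether it does. A backdoor polling a cloud drive for tasking tends to produce small requests at a steady interval, while a user syncing files produces bursts with irregular gaps. The script below is an added example written for this article, not code from the researchers, and everything in it is constructed: the log format (timestamp, client IP, destination host, user agent), the sample lines, and the watchlist of cloud-storage hostnames, which you would replace with the ones your proxy actually sees. It groups requests per client and destination and computes the coefficient of variation of the inter-request gaps as a jitter score; low jitter over enough requests is the beacon-like pattern worth triaging.

```powershell
# Added example (not from the article): score proxy log entries for beacon-like
# traffic to cloud storage hosts. Format, sample lines and watchlist are
# constructed for this example; adapt the regex and hostnames to your proxy.

# Constructed watchlist of cloud storage API hosts; extend to match your environment.
$CloudStorageHosts = @('graph.microsoft.com', 'onedrive.live.com', 'www.googleapis.com', 'cloud-api.yandex.net')

# Constructed sample log: <timestamp> <client> <destination host> <user agent>
# 10.10.5.21 polls every ~300 s (beacon-like); 10.10.7.40 is irregular (sync-like).
$SampleLog = @'
2024-02-05T08:00:02Z 10.10.5.21 graph.microsoft.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T08:01:10Z 10.10.7.40 www.googleapis.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T08:02:30Z 10.10.5.21 www.example.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T08:03:45Z 10.10.7.40 www.googleapis.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T08:05:01Z 10.10.5.21 graph.microsoft.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T08:10:03Z 10.10.5.21 graph.microsoft.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T08:12:00Z 10.10.9.3 graph.microsoft.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T08:15:02Z 10.10.5.21 graph.microsoft.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T08:20:01Z 10.10.5.21 graph.microsoft.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T08:25:02Z 10.10.5.21 graph.microsoft.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T08:31:02Z 10.10.7.40 www.googleapis.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T08:32:15Z 10.10.7.40 www.googleapis.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T09:10:00Z 10.10.7.40 www.googleapis.com Mozilla/5.0 (Windows NT 10.0)
2024-02-05T09:15:00Z 10.10.9.3 graph.microsoft.com Mozilla/5.0 (Windows NT 10.0)
'@

function Get-BeaconCandidates {
    param(
        [string[]]$Lines,
        [string[]]$WatchHosts,
        [int]$MinRequests = 5,      # fewer requests than this is not enough signal
        [double]$MaxJitter = 0.2    # stddev/mean of the gaps at or below this = beacon-like
    )

    # Parse each line into a typed record; lines that do not match are skipped.
    $parsed = foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+)\s+(?<src>\S+)\s+(?<host>\S+)\s+(?<ua>.+)$') {
            [pscustomobject]@{
                Time = [datetimeoffset]::Parse($Matches.ts).UtcDateTime
                Src  = $Matches.src
                Host = $Matches.host
                UA   = $Matches.ua
            }
        }
    }

    $parsed | Where-Object { $WatchHosts -contains $_.Host } |
        Group-Object Src, Host | ForEach-Object {
            $events = @($_.Group | Sort-Object Time)
            if ($events.Count -lt $MinRequests) { return }

            # Seconds between consecutive requests from this client to this host.
            $gaps = for ($i = 1; $i -lt $events.Count; $i++) {
                ($events[$i].Time - $events[$i - 1].Time).TotalSeconds
            }
            $mean = ($gaps | Measure-Object -Average).Average
            $variance = ($gaps | ForEach-Object { [math]::Pow($_ - $mean, 2) } | Measure-Object -Average).Average
            $jitter = if ($mean -gt 0) { [math]::Sqrt($variance) / $mean } else { 0 }

            [pscustomobject]@{
                Client          = $events[0].Src
                Host            = $events[0].Host
                Requests        = $events.Count
                MeanIntervalSec = [math]::Round($mean, 1)
                Jitter          = [math]::Round($jitter, 3)
                BeaconLike      = ($jitter -le $MaxJitter)
            }
        }
}

# On the constructed sample: 10.10.5.21 -> graph.microsoft.com scores as beacon-like
# (6 requests, ~300 s apart, jitter near 0); 10.10.7.40 does not; 10.10.9.3 is skipped.
Get-BeaconCandidates -Lines ($SampleLog -split '\r?\n') -WatchHosts $CloudStorageHosts |
    Format-Table -AutoSize
```

A low jitter score is a triage signal, not a verdict: scheduled sync clients and health checks can be just as regular. Corroborate a hit with the process that owns the connection on the client (an unsigned binary or a .NET host process talking to a storage API from a server that has no business doing so is a different matter from an Office client), with the request sizes, and with whether the same pattern appears on hosts that received a recently modified GPO.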
FAQs
How do attackers typically gain the initial access needed to abuse Group Policy?
Initial access is often achieved through phishing, stolen credentials, exploited vulnerabilities, or compromised VPN and remote access services.
Why is Windows Group Policy attractive to state-sponsored attackers?
Group Policy allows attackers with administrative access to deploy malware at scale across an entire domain without triggering traditional security alerts.
Are private companies at risk, or only government organizations?
Any organization using Active Directory and centralized Group Policy management can be targeted once attackers gain sufficient privileges.
How common is the use of cloud services for command-and-control in espionage campaigns?
The use of legitimate cloud platforms for command-and-control has become common because it blends malicious traffic with normal enterprise activity.