LongNosedGoblin: Pulling Malware Strings Through Group Policy
- Javier Conejo del Cerro
- 19 Dec 2025
- 3 min read

Every enterprise network has trusted mechanisms that operate quietly in the background. They apply updates, enforce settings, and keep systems aligned without drawing attention.
Windows Group Policy is one of those mechanisms — and LongNosedGoblin knew exactly how to turn it against its owners.
Active since at least September 2023, this China-aligned advanced persistent threat has demonstrated a refined understanding of enterprise Windows environments. Instead of relying on noisy exploits or obvious malware delivery, LongNosedGoblin abused one of the most trusted components of Active Directory to distribute implants, move laterally, and remain hidden inside government networks across Southeast Asia and Japan.
This is a campaign about control, patience, and turning policy into payload.
Phase 1: The Quiet Intruder — Establishing a Foothold
LongNosedGoblin’s operations focus on government environments, where Windows domains and centralized policy management are the norm.
The initial access vector has not been publicly detailed, but once inside the environment, the attackers demonstrate deep familiarity with:
- Active Directory internals
- Domain-wide policy deployment
- Trusted Windows binaries and execution paths
Rather than immediately deploying backdoors across endpoints, the group prioritizes stealth and positioning, preparing the ground for wide, coordinated execution.
The goblin does not rush. It waits.
Phase 2: Trust as a Weapon — Abusing Group Policy
The defining tactic of LongNosedGoblin is its abuse of Windows Group Policy for malware distribution.
After compromising Active Directory, the attackers:
- Modify Group Policy Objects (GPOs)
- Disguise malicious payloads as legitimate policy files
- Place them inside Group Policy cache directories
Examples include files masquerading as:
- History.ini
- Registry.pol
Because Group Policy updates are:
- Automatically applied
- Trusted by design
- Executed without user interaction
…the malware propagates silently to multiple machines at once, bypassing traditional perimeter defenses and user-focused security controls.
At this point, the goblin is pulling strings across the network.
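As an added example (not code from the original post or from any vendor tooling), a small Python triage script a defender could run against a copied GPO cache or SYSVOL policy folder: it checks that a file named Registry.pol really carries the documented "PReg" header and that nothing named like a policy .ini is actually a PE executable. The file names and bytes written by demo() are constructed.

```python
"""Triage helper for Group Policy folders: flag files whose bytes do not match what
their name promises. Added example, not from the post; sample data is constructed."""
import os
import struct
import tempfile

POL_SIGNATURE = b"PReg"  # a genuine Registry.pol starts with "PReg" + DWORD version 1
POL_VERSION = 1
PE_MAGIC = b"MZ"  # DOS header of any Windows executable or DLL


def classify_policy_file(name: str, data: bytes) -> str:
    """Return 'ok', or a short reason why the file looks like a masquerade."""
    lower = name.lower()
    if data[:2] == PE_MAGIC:  # nothing in a policy folder should be a PE
        return "pe-masquerade"
    if lower == "registry.pol":
        if len(data) < 8 or data[:4] != POL_SIGNATURE:
            return "bad-pol-signature"
        (version,) = struct.unpack("<I", data[4:8])
        return "ok" if version == POL_VERSION else f"bad-pol-version-{version}"
    if lower.endswith(".ini"):
        # Policy .ini files are text (UTF-8 or BOM-prefixed UTF-16), never raw binary.
        try:
            data.decode("utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")
        except UnicodeDecodeError:
            return "binary-ini"
    return "ok"


def scan_policy_dir(root: str) -> dict[str, str]:
    """Map every file under root (e.g. a GPO cache folder) to its verdict."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            with open(os.path.join(dirpath, fn), "rb") as fh:
                verdicts[fn] = classify_policy_file(fn, fh.read())
    return verdicts


def demo() -> dict[str, str]:
    """Write a constructed policy folder (one genuine, two masquerading files) and scan it."""
    samples = {
        "Registry.pol": POL_SIGNATURE + struct.pack("<I", POL_VERSION) + b"[\x00S\x00]\x00",
        "History.ini": b"MZ\x90\x00\x03\x00\x00\x00",  # PE header behind an .ini name
        "Desktop.ini": b"\x00\x01\xff\xfe\x80",  # binary junk, not text
    }
    with tempfile.TemporaryDirectory() as tmp:
        for fn, blob in samples.items():
            with open(os.path.join(tmp, fn), "wb") as fh:
                fh.write(blob)
        return scan_policy_dir(tmp)
```

Running demo() returns a verdict per file; in a real engagement, point scan_policy_dir() at a copy of the cache folder and compare the results against a baseline from a known-good domain controller.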
Phase 3: Reconnaissance First — NosyHistorian
Before escalating further, LongNosedGoblin prioritizes intelligence gathering.
One of the deployed tools, NosyHistorian, focuses on:
- Harvesting browser history
- Identifying visited internal and external resources
- Mapping user behavior and interests
This information allows the attackers to:
- Identify high-value users
- Locate sensitive internal systems
- Decide where deeper persistence or secondary payloads are justified
Rather than blindly infecting everything, the group is selective.
This is espionage, not smash-and-grab.
Phase 4: The Backdoor — NosyDoor Takes Over
Once suitable targets are identified, the attackers deploy their primary backdoor: NosyDoor.
NosyDoor is delivered through a multi-stage execution chain designed to blend in with legitimate system activity and evade detection.
Key elements of the chain include:
- A dropper that decrypts embedded payloads using DES encryption
- Execution guardrails to ensure the malware runs only on intended victims
- Persistence via scheduled tasks
- Abuse of the legitimate Windows binary UevAppMonitor.exe, copied from System32
The goblin hides behind trusted masks.
Phase 5: Living off the Land — AppDomainManager Injection
The core evasion technique used by NosyDoor relies on AppDomainManager injection.
The attackers:
- Modify the configuration file of UevAppMonitor.exe
- Specify a custom AppDomainManager
- Force the application to load a malicious DLL (SharedReg.dll)
This DLL:
- Bypasses the Antimalware Scan Interface (AMSI)
- Decrypts and loads the final NosyDoor payload in memory
By abusing .NET runtime behavior rather than exploiting vulnerabilities, the malware remains invisible to many traditional detection mechanisms.
This is not brute force. It is craftsmanship.
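The configuration side of that technique, as an added example that is not from the post or the malware: a Python audit that parses an <exe>.config and reports any <runtime> appDomainManagerAssembly / appDomainManagerType override, which is the setting that makes the CLR load an attacker-chosen assembly before the application's own code runs. The UevAppMonitor.exe and SharedReg names come from the post; the assembly display name and manager type name in the constructed config are assumptions.

```python
"""Audit helper for AppDomainManager injection: parse a .NET app config (<exe>.config)
and report any <runtime> override that forces a custom AppDomainManager. Added example,
not code from the post or the malware; the sample config below is constructed."""
import xml.etree.ElementTree as ET

# These <runtime> children make the CLR load a caller-chosen assembly and type
# before the application's own Main runs.
MANAGER_TAGS = {"appDomainManagerAssembly": "assembly", "appDomainManagerType": "type"}

def find_appdomain_manager(config_xml: str) -> dict[str, str]:
    """Return {'assembly': ..., 'type': ...} for any override present, else {}."""
    root = ET.fromstring(config_xml)
    found = {}
    for runtime in root.iter("runtime"):
        for elem in runtime:
            if elem.tag in MANAGER_TAGS:
                found[MANAGER_TAGS[elem.tag]] = elem.get("value", "")
    return found

def audit_config(exe_name: str, config_xml: str) -> list[str]:
    """Produce human-readable alerts for one <exe>.config; an empty list means clean."""
    override = find_appdomain_manager(config_xml)
    if not override:
        return []
    asm = override.get("assembly", "")
    alerts = [f"{exe_name}: custom AppDomainManager {override.get('type', '?')!r} "
              f"from assembly {asm!r}"]
    # Without a real PublicKeyToken the assembly cannot come from the GAC, so the CLR
    # probes the exe's own directory: exactly where a dropped side-by-side DLL waits.
    if "PublicKeyToken=null" in asm or "PublicKeyToken=" not in asm:
        alerts.append(f"{exe_name}: manager assembly is not strong-named; "
                      "check for a matching DLL beside the executable")
    return alerts

# Constructed to mirror the described abuse: a copied UevAppMonitor.exe whose config
# points the runtime at a SharedReg assembly. Not a real sample; names are assumptions.
CONSTRUCTED_MALICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="SharedReg, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="SharedReg.Manager" />
  </runtime>
</configuration>
"""

if __name__ == "__main__":
    for line in audit_config("UevAppMonitor.exe", CONSTRUCTED_MALICIOUS_CONFIG):
        print(line)
```

In practice, run audit_config() over every *.exe.config found outside the expected install locations of the executable it accompanies, and treat any AppDomainManager override on a copied system binary as a high-confidence finding.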
Phase 6: Cloud as Cover — OneDrive Command and Control
For command-and-control, LongNosedGoblin blends malicious traffic into legitimate cloud usage.
NosyDoor:
- Communicates with Microsoft OneDrive
- Uses RSA-encrypted metadata to exchange commands
- Retrieves task files stored within cloud infrastructure
By leveraging a trusted cloud service:
- Network traffic appears benign
- Blocking becomes operationally difficult
- Attribution and detection are delayed
The goblin no longer needs its own lair. It hides in the cloud.
Phase 7: Persistence and Scale
The combined use of:
- Active Directory compromise
- Group Policy abuse
- Living-off-the-land binaries
- Cloud-based C2
…allows LongNosedGoblin to:
- Maintain long-term access
- Scale deployment across multiple endpoints
- Survive routine system maintenance
This is a professionalized espionage operation, optimized for endurance rather than speed.
Defensive Measures: Cutting the Strings
Defending against attacks like LongNosedGoblin requires focusing on trust boundaries, not just malware signatures.
Effective countermeasures include:
- Hardening Active Directory and limiting GPO modification rights
- Monitoring Group Policy changes and cache directories
- Auditing scheduled tasks and .NET configuration files
- Restricting abuse of living-off-the-land binaries
- Inspecting cloud services like OneDrive for anomalous command patterns
If Group Policy is trusted blindly, it becomes the perfect delivery system.
LongNosedGoblin demonstrates how modern APTs no longer need exploits to move freely inside networks. They only need privilege, patience, and trust.
By turning Group Policy into a malware distribution channel, this threat actor inverted one of Windows’ most powerful defensive mechanisms. The lesson is clear and uncomfortable:
Anything trusted at scale can be weaponized at scale.
In the hands of a careful adversary, even policy becomes a string — and someone else is holding it.