📃Title: Attempts to sniff out governmental affairs in Southeast Asia and Japan
📅Date: 2025-12-18
🔗References:

Description

A newly discovered China-aligned APT group named LongNosedGoblin has been targeting governmental entities in Southeast Asia and Japan for cyberespionage purposes. The group employs a varied custom toolset consisting mainly of C#/.NET applications and, notably, uses Group Policy to deploy malware and move laterally across compromised networks. Its main tools are NosyHistorian, which collects browser history; the NosyDoor backdoor, which uses cloud services for C&C; and NosyStealer, which exfiltrates browser data. The group has been active since at least September 2023 and uses techniques such as AMSI bypass and living-off-the-land tactics. LongNosedGoblin’s campaigns involve multiple stages of execution and various malware components, showing a sophisticated approach to cyberespionage operations.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer="ESET"
  • target-information="Japan"
  • region="035 - South-eastern Asia"
  • mitre-attack-pattern=['T1056', 'T1053', 'T1074', 'T1027', 'T1082', 'T1574', 'T1573', 'T1036', 'T1574.014', 'T1560', 'T1573.002', 'T1102.002', 'T1217', 'T1585.003', 'T1027.015', 'T1622', 'T1562.001', 'T1027.013', 'T1480', 'T1567.002', 'T1083', 'T1564.003', 'T1105', 'T1056.001', 'T1074.001', 'T1588.001', 'T1036.005', 'T1106', 'T1059.001', 'T1055', 'T1620', 'T1053.005', 'T1573.001', 'T1218', 'T1125', 'T1071.001', 'T1059.003']

MISP event uuid: 517eafe1-ab7d-4604-833b-542ca374cd2c

Indicators of Compromise (IoCs)

type,value,comment
sha256, d53fcc01038e20193fbd51b7400075cf7c9c4402b73da7b0db836b000ebd8b1c, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
ip-dst, 101.99.88.113, ''
ip-dst, 101.99.88.188, ''
ip-dst, 118.107.234.26, ''
ip-dst, 118.107.234.29, ''
ip-dst, 38.54.17.131, ''
domain, newso.com, ''
domain, policy-my.com, ''
hostname, dev0-411506.iam.gserviceaccount.com, ''
hostname, 40dev0-411506.iam.gserviceaccount.com, ''
sha1, 4e3f6e9d0f443f4c42974a0551eee957b498da3d, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, cd745bd2636f607cc4fb9389535bf3579321ca72, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 154a35dd4117db760699c2092afb307e94008506, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, b1d4a283a9ccc9e34993dd2093a904afbd88b9b9, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 77d2a8cb316b7a470e76e163551a00bb16a696c5, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, f93e449c5520c4718e284375c54be33711505985, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 1959e2198d6f81b2604df7ac1f508aeb7a6fa07e, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, e0b44715bc4c327c04e63f881ecc087b7acbd306, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 43c8ae8561e7e3bf9cd748136c091099e5cbeeee, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, d11fc2d6159cb8ba392b145b3ee4adfa15db4c83, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, a0a80ac293645076ebae393ff0a6a4229e2ede1c, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, ddbbae33e04a49d17dd24d85b637667b4407ae19, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, f5b7440ee25116a49ec5ee82507b353880217ac1, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 85939c56bfcacd0993e6fb9f7cfd6137601fb7d4, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, c66f9fec0f8cbf577840944f61198a75b3e2a58c, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 4c2fcce3bab4144d90c741a6d77adf209c786b54, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 161a25cb0b8fa998bf1bdee31f06f24876453cdf, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 5ae440805719250aaefee9b39dacd23d2fb573cd, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, e93d32c739825519a10a4c52c5f1ee33936e4fdb, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 212126896d38c1ee57320fb6940fed7a6e30d9ea, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, cffe15aa4d0f9e6577ccb509ace9c588937943f2, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 6ac22ce60b706e3b9a7927633116911e1087c0d4, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 2c1959dd85424cedc96b1bb86a95fca440cb9e36, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 46107b1292b830d9bcebbda6eedb32fbc05707b4, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 581464978c29b2bc79c65766e62011c94d2cbeab, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 0d91a0e52212ec44e32c47f7760af3b473b72798, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 48d715466857fb0c6cd0249de6d960fc199438e1, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, 563677cfacd328ea2478836e58a8bd0df11206a3, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
sha1, ac2264c56121141daf751a3852cd34f3acb1d63c, 'No sample in VT\r\nLast check:16/01/2026 No sample in VT\r\nLast check:16/01/2026'
hostname, www.sslvpnserver.com, ''
ip-dst, 103.159.132.30, ''
hostname, www.threadstub.com, ''
hostname, www.blazenewso.com, ''
hostname, www.privacypolicy-my.com, ''

Full IoCs available in Rectifyq's MISP