LongNosedGoblin Tries to Sniff Out Governmental Affairs in Southeast Asia and Japan

    Date: 12/22/2025

    Severity: High

    Summary

    LongNosedGoblin is a newly identified China-aligned APT group conducting cyberespionage against governmental institutions in Southeast Asia and Japan. Active since at least September 2023, the group abuses Windows Group Policy to deploy malware and move laterally within compromised networks, and uses cloud services such as OneDrive and Google Drive for command-and-control. Its custom toolset includes NosyHistorian, which profiles victims by harvesting browser history; machines of interest then receive backdoors such as NosyDoor, along with additional spyware for data theft and monitoring.

    Indicators of Compromise (IOC) List

    URLs/Domains

    www.sslvpnserver.com

    www.threadstub.com

    www.blazenewso.com

    www.privacypolicy-my.com

    IP Addresses

    118.107.234.26

    103.159.132.30

    101.99.88.113

    118.107.234.29

    101.99.88.188

    38.54.17.131

    Hashes (SHA-1)

    4E3F6E9D0F443F4C42974A0551EEE957B498DA3D

    CD745BD2636F607CC4FB9389535BF3579321CA72

    154A35DD4117DB760699C2092AFB307E94008506

    B1D4A283A9CCC9E34993DD2093A904AFBD88B9B9

    77D2A8CB316B7A470E76E163551A00BB16A696C5

    F93E449C5520C4718E284375C54BE33711505985

    1959E2198D6F81B2604DF7AC1F508AEB7A6FA07E

    E0B44715BC4C327C04E63F881ECC087B7ACBD306

    43C8AE8561E7E3BF9CD748136C091099E5CBEEEE

    D11FC2D6159CB8BA392B145B3EE4ADFA15DB4C83

    A0A80AC293645076EBAE393FF0A6A4229E2EDE1C

    DDBBAE33E04A49D17DD24D85B637667B4407AE19

    60158C509446893B3B57D40DC4B4B3795FCDF369

    F5B7440EE25116A49EC5EE82507B353880217AC1

    85939C56BFCACD0993E6FB9F7CFD6137601FB7D4

    C66F9FEC0F8CBF577840944F61198A75B3E2A58C

    4C2FCCE3BAB4144D90C741A6D77ADF209C786B54

    161A25CB0B8FA998BF1BDEE31F06F24876453CDF

    4D61A9FBBCC4F7A37BE21548B55BB5B9B837F83B

    5AE440805719250AAEFEE9B39DACD23D2FB573CD

    E93D32C739825519A10A4C52C5F1EE33936E4FDB

    212126896D38C1EE57320FB6940FED7A6E30D9EA

    CFFE15AA4D0F9E6577CCB509ACE9C588937943F2

    6AC22CE60B706E3B9A7927633116911E1087C0D4

    2C1959DD85424CEDC96B1BB86A95FCA440CB9E36

    46107B1292B830D9BCEBBDA6EEDB32FBC05707B4

    581464978C29B2BC79C65766E62011C94D2CBEAB

    0D91A0E52212EC44E32C47F7760AF3B473B72798

    48D715466857FB0C6CD0249DE6D960FC199438E1

    563677CFACD328EA2478836E58A8BD0DF11206A3

    AC2264C56121141DAF751A3852CD34F3ACB1D63C

    70A615BC580522E1EEE4B61394DC7A247FE47022

    E9C5E4AA335DFBD25786234A58CE4C9C551D1A41

    EC9CEB599DF3BDFFAD536900D0E6D48E2E5FF12B

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "www.threadstub.com" or siteurl like "www.threadstub.com" or url like "www.threadstub.com" or domainname like "www.blazenewso.com" or siteurl like "www.blazenewso.com" or url like "www.blazenewso.com" or domainname like "www.privacypolicy-my.com" or siteurl like "www.privacypolicy-my.com" or url like "www.privacypolicy-my.com" or domainname like "www.sslvpnserver.com" or siteurl like "www.sslvpnserver.com" or url like "www.sslvpnserver.com"

    Detection Query 2 :

    dstipaddress IN ("118.107.234.29","103.159.132.30","118.107.234.26","101.99.88.113","101.99.88.188","38.54.17.131") or srcipaddress IN ("118.107.234.29","103.159.132.30","118.107.234.26","101.99.88.113","101.99.88.188","38.54.17.131")

    Detection Query 3 :

    sha1hash IN ("60158C509446893B3B57D40DC4B4B3795FCDF369","70A615BC580522E1EEE4B61394DC7A247FE47022","4D61A9FBBCC4F7A37BE21548B55BB5B9B837F83B","E9C5E4AA335DFBD25786234A58CE4C9C551D1A41","4E3F6E9D0F443F4C42974A0551EEE957B498DA3D","CD745BD2636F607CC4FB9389535BF3579321CA72","154A35DD4117DB760699C2092AFB307E94008506","B1D4A283A9CCC9E34993DD2093A904AFBD88B9B9","77D2A8CB316B7A470E76E163551A00BB16A696C5","F93E449C5520C4718E284375C54BE33711505985","1959E2198D6F81B2604DF7AC1F508AEB7A6FA07E","E0B44715BC4C327C04E63F881ECC087B7ACBD306","43C8AE8561E7E3BF9CD748136C091099E5CBEEEE","D11FC2D6159CB8BA392B145B3EE4ADFA15DB4C83","A0A80AC293645076EBAE393FF0A6A4229E2EDE1C","DDBBAE33E04A49D17DD24D85B637667B4407AE19","F5B7440EE25116A49EC5EE82507B353880217AC1","85939C56BFCACD0993E6FB9F7CFD6137601FB7D4","C66F9FEC0F8CBF577840944F61198A75B3E2A58C","4C2FCCE3BAB4144D90C741A6D77ADF209C786B54","161A25CB0B8FA998BF1BDEE31F06F24876453CDF","5AE440805719250AAEFEE9B39DACD23D2FB573CD","E93D32C739825519A10A4C52C5F1EE33936E4FDB","212126896D38C1EE57320FB6940FED7A6E30D9EA","CFFE15AA4D0F9E6577CCB509ACE9C588937943F2","6AC22CE60B706E3B9A7927633116911E1087C0D4","2C1959DD85424CEDC96B1BB86A95FCA440CB9E36","46107B1292B830D9BCEBBDA6EEDB32FBC05707B4","581464978C29B2BC79C65766E62011C94D2CBEAB","0D91A0E52212EC44E32C47F7760AF3B473B72798","48D715466857FB0C6CD0249DE6D960FC199438E1","563677CFACD328EA2478836E58A8BD0DF11206A3","AC2264C56121141DAF751A3852CD34F3ACB1D63C","EC9CEB599DF3BDFFAD536900D0E6D48E2E5FF12B")
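    The three queries above are literal indicator matches against whatever fields a Gurucul deployment exposes. As an added example (not Gurucul TDIR code and not taken from the ESET report), the Python script below runs the same sweep offline over constructed proxy, firewall and EDR events, so the matching logic can be checked before it is ported to a SIEM. The field names (url, host, domain, src_ip, dst_ip, sha1) are assumptions about the log schema, the events are constructed, and only three of the 34 SHA-1 hashes are loaded to keep the block short. It is stricter than a substring "like" match in two ways a practitioner will want: hostnames match only the listed name or a subdomain of it, so a look-alike such as www.threadstub.com.cdn-example.net does not fire, and IP addresses are parsed rather than compared as strings, so 118.107.234.2 is not confused with 118.107.234.26.

```python
"""Offline sweep of the LongNosedGoblin indicators published above.

Added example, not Gurucul TDIR code. Log events are constructed and the
field names (url, host, domain, src_ip, dst_ip, sha1) are assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Domains and IPs copied from the IOC list above.
IOC_DOMAINS = {
    "www.sslvpnserver.com",
    "www.threadstub.com",
    "www.blazenewso.com",
    "www.privacypolicy-my.com",
}
IOC_IPS = {
    "118.107.234.26", "103.159.132.30", "101.99.88.113",
    "118.107.234.29", "101.99.88.188", "38.54.17.131",
}
# Three of the 34 SHA-1 hashes above, lower-cased; load the rest the same way.
IOC_SHA1 = {
    "4e3f6e9d0f443f4c42974a0551eee957b498da3d",
    "cd745bd2636f607cc4fb9389535bf3579321ca72",
    "ec9ceb599df3bdffad536900d0e6d48e2e5ff12b",
}
_SHA1_RE = re.compile(r"[0-9a-f]{40}")


def normalize_host(value: str) -> str:
    """Lower-cased hostname from a URL or a bare 'host[:port][/path]' string."""
    value = value.strip().lower()
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    # Bare form; bracketed IPv6 literals are not handled here.
    return value.split("/", 1)[0].split(":", 1)[0].rstrip(".")


def domain_hit(value: str):
    """Return the listed domain if value is that host or a subdomain of it."""
    host = normalize_host(value)
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None  # e.g. www.threadstub.com.cdn-example.net is not a hit


def ip_hit(value: str):
    """Return the listed IP on an exact (parsed, not substring) match."""
    try:
        addr = str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None
    return addr if addr in IOC_IPS else None


def sha1_hit(value: str):
    """Return the listed SHA-1 on a case-insensitive match of a valid digest."""
    digest = value.strip().lower()
    if not _SHA1_RE.fullmatch(digest):
        return None
    return digest if digest in IOC_SHA1 else None


# Which check applies to which (assumed) log field.
FIELD_CHECKS = {
    "url": domain_hit, "host": domain_hit, "domain": domain_hit,
    "src_ip": ip_hit, "dst_ip": ip_hit,
    "sha1": sha1_hit,
}


def sweep(events):
    """Return (event index, field, matched indicator) for every IOC hit."""
    hits = []
    for idx, event in enumerate(events):
        for field, check in FIELD_CHECKS.items():
            value = event.get(field)
            if value is None:
                continue
            ioc = check(str(value))
            if ioc is not None:
                hits.append((idx, field, ioc))
    return hits


# Constructed events; none of these come from a real incident.
SAMPLE_EVENTS = [
    {"source": "proxy", "src_ip": "10.20.30.40",
     "url": "https://WWW.threadstub.com/api/v1/sync"},          # hit, mixed case
    {"source": "firewall", "src_ip": "10.20.30.41",
     "dst_ip": "38.54.17.131", "dst_port": 443},                 # hit
    {"source": "edr", "computer": "ws-0412",
     "sha1": "4E3F6E9D0F443F4C42974A0551EEE957B498DA3D"},        # hit, upper case
    {"source": "proxy", "src_ip": "10.20.30.42",
     "url": "https://www.threadstub.com.cdn-example.net/"},     # look-alike, no hit
    {"source": "firewall", "src_ip": "10.20.30.43",
     "dst_ip": "118.107.234.2"},                                 # shared prefix, no hit
]

if __name__ == "__main__":
    for idx, field, ioc in sweep(SAMPLE_EVENTS):
        event = SAMPLE_EVENTS[idx]
        print(f"event {idx} [{event['source']}] {field}={event[field]!r} -> {ioc}")
```

    Before use, extend IOC_SHA1 with the full hash list above (lower-cased) and map FIELD_CHECKS onto the field names your own log sources actually emit. Note that the page lists only the www. hostnames; the bare apex domains are not in the indicator list and are therefore not matched here, which is a choice an analyst may widen deliberately rather than by accident.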

    Reference:

    https://www.welivesecurity.com/en/eset-research/longnosedgoblin-tries-sniff-out-governmental-affairs-southeast-asia-japan/


    Tags

    Malware, Threat Actor, LongNosedGoblin, APT, China, Cyber Espionage, Government Services and Facilities, Southeast Asia, Japan, NosyDoor, Backdoor
