A Masterclass in Living-Off-The-Land Attack Infrastructure Through Group Policy Abuse
1. Executive Summary
For years, defenders have been told to “trust built-in security tools” and to rely on centralized administration for consistency and control. LongNosedGoblin proves how dangerous that assumption has become.
This China-aligned advanced persistent threat (APT), uncovered by ESET Research in late 2025, demonstrates a quiet but deeply effective method of large-scale compromise: weaponizing Windows Group Policy itself. Instead of exploiting vulnerabilities on endpoints, the group focuses on compromising Active Directory and then using Group Policy Objects (GPOs) as a malware distribution, persistence, and re-infection mechanism.
Once domain administrator privileges are obtained, the attack no longer looks like an intrusion. It looks like normal IT operations.
This campaign marks a shift in tradecraft: enterprise trust has become the attack surface.
2. Why This Campaign Is Different
Most APT campaigns still rely on:
- Dropping malware through phishing
- Exploiting exposed services
- Evading endpoint protection
LongNosedGoblin uses those techniques only to get in the door. Once inside, they stop acting like attackers and start acting like administrators.
They:
- Use Group Policy to deploy malware
- Use legitimate .NET features to execute code
- Use cloud storage platforms for command-and-control
- Use Windows scheduled tasks for persistence
Every step blends into the background of a normal Windows enterprise.
This is why the campaign can persist for months or years without triggering alerts.
3. Initial Access and Privilege Escalation
LongNosedGoblin does not depend on a single entry vector. Observed access paths include:
- Spear-phishing of government IT staff
- Compromised VPN credentials
- Abuse of exposed RDP or web portals
The real danger begins after initial access.
3.1 Privilege Escalation Paths
Once a foothold exists, attackers move quickly to obtain domain-level privileges, often abusing weaknesses that exist in many environments by default.
CVE-2025-21293 — Network Configuration Operators Abuse
- Allows SYSTEM-level code execution
- Exploits excessive registry permissions
- Particularly dangerous because the Network Configuration Operators group exists by default
CVE-2025-29810 — Active Directory ACL Abuse
- Exploits misconfigured AD object permissions
- Turns “modify permissions” into full admin access
- Often invisible without detailed AD auditing
BadSuccessor (dMSA Abuse in Windows Server 2025)
- No CVE, no patch at time of discovery
- Allows privilege inheritance during account migration
- Affects the majority of real-world environments
Once any of these succeed, Group Policy becomes fully controllable.
4. Weaponizing Group Policy
Group Policy is designed to:
- Run automatically
- Execute with elevated privileges
- Apply repeatedly
- Be trusted implicitly
LongNosedGoblin abuses all four.
Attackers create or modify GPOs to:
- Deploy malware during startup or logon
- Create scheduled tasks
- Drop registry-based payloads
- Reinstall malware after removal
From a logging perspective, the activity is indistinguishable from legitimate policy updates.
5. The Nosy Malware Ecosystem
LongNosedGoblin’s tooling is modular and purpose-built for espionage.
5.1 NosyHistorian — Browser Intelligence Collection
Purpose:
Reconnaissance and user profiling
What it collects:
- Browser history from Chrome, Edge, Firefox
- All user profiles on the system
Key behavior:
- Deployed as History.ini
- Runs via Group Policy
- Uploads data to internal SMB shares
- Avoids external traffic entirely
Why this matters:
Browser history reveals:
- Government portals
- Policy research
- Inter-agency collaboration
- High-value individuals
Strong IOC:
<username>_<hostname>_(chrome|edge|firefox)_History
5.2 NosyDoor — Primary Backdoor
NosyDoor is the backbone of LongNosedGoblin’s persistence.
Stage 1 — Dropper
- Delivered via Registry.pol
- Drops files into C:\Windows\Microsoft.NET\Framework\
- Creates scheduled tasks with cloud-themed names
Dropped artifacts:
SharedReg.dll
netfxsbs9.hkf
log.cached
UevAppMonitor.exe.config
Stage 2 — AppDomainManager Injection
This is one of the most important techniques in the campaign.
- Abuses legitimate .NET AppDomainManager functionality
- Forces Windows to load a malicious DLL inside a trusted process
- Uses UevAppMonitor.exe as a host
Why it’s effective:
- Legitimate binary name
- No suspicious parent/child process chains
- Often bypasses AMSI and Defender heuristics
- Appears as standard system behavior
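A defensive hunt for the host-config side of this technique, added here as an example and not taken from the ESET report: it parses `.exe.config` files and flags any `<runtime>` section that redirects AppDomainManager loading, which is what a weaponised `UevAppMonitor.exe.config` relies on. The element names are the documented .NET Framework runtime schema; the assembly and type values in the sample are placeholders, and the `hunt_configs` directory walk is an assumed workflow (point it at `C:\Windows\Microsoft.NET\Framework\` or any tree you want to audit).

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

# Constructed sample: structurally what a host's .exe.config looks like when the
# runtime is told to load a custom AppDomainManager. Element names follow the
# documented .NET Framework schema; the values are placeholders, not real IOCs.
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="EXAMPLE_Assembly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="EXAMPLE.Namespace.Manager" />
  </runtime>
</configuration>"""

# Constructed sample of an ordinary config with no AppDomainManager override.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>
</configuration>"""


def audit_dotnet_config(xml_text: str) -> Optional[dict]:
    """Return the AppDomainManager override if the config carries one, else None."""
    root = ET.fromstring(xml_text)
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return {
        "assembly": asm.get("value") if asm is not None else None,
        "type": typ.get("value") if typ is not None else None,
    }


def hunt_configs(root_dir: str) -> list:
    """Walk a tree for *.exe.config files and list those with an override."""
    findings = []
    for cfg in Path(root_dir).rglob("*.exe.config"):
        try:
            result = audit_dotnet_config(cfg.read_text(encoding="utf-8-sig"))
        except ET.ParseError:
            continue  # malformed config: worth a separate look, not this rule's job
        if result:
            findings.append((str(cfg), result))
    return findings
```

Any hit is not proof of compromise on its own; compare the referenced assembly with the binaries that legitimately ship alongside the executable before escalating.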
Stage 3 — Backdoor Capabilities
NosyDoor supports:
- Shell command execution
- File exfiltration
- File deletion
- Registry modification
- Process control
Command-and-Control:
- Microsoft OneDrive
- Google Drive
- Yandex Disk (EU-focused operations)
All communication uses HTTPS and legitimate APIs.
5.3 NosyStealer — Browser Credential Theft
Targets:
- Saved passwords
- Cookies (session hijacking)
- Certificates
- Cached credentials
Execution chain:
- Configuration download (Google Docs)
- Data collection
- Encryption and archiving
- Upload to Google Drive
To defenders, this looks like normal cloud usage.
5.4 NosyDownloader — Fileless Payload Loader
- Executes payloads entirely in memory
- Leaves minimal disk artifacts
- Enables rapid tool updates
- Used selectively on high-value systems
5.5 NosyLogger — Keylogging and Clipboard Capture
- Modified DuckSharp keylogger
- Captures:
  - Keystrokes
  - Window titles
  - Clipboard contents
- AES-encrypted logs
- Periodic exfiltration
This gives attackers near-total visibility into user activity.
5.6 Reverse SOCKS5 Proxy
- Enables network pivoting
- Allows access to internal services
- Supports lateral movement without direct exposure
6. MITRE ATT&CK Mapping
| Tactic | Techniques |
|---|---|
| Initial Access | T1566.002 (Phishing), T1199 (Trusted Relationship) |
| Execution | T1059, T1218 |
| Persistence | T1547.014 (AppDomainManager), T1053.005 (Scheduled Tasks) |
| Privilege Escalation | T1548.002, T1078 |
| Defense Evasion | T1027, T1562 |
| Credential Access | T1555, T1056.001 |
| Discovery | T1615, T1087 |
| Lateral Movement | T1210, T1021 |
| Command & Control | T1071.001, T1567 |
| Exfiltration | T1041, T1020 |
7. Indicators of Compromise (IOCs)
7.1 File System (High Confidence)
C:\Windows\Microsoft.NET\Framework\SharedReg.dll
C:\Windows\Microsoft.NET\Framework\netfxsbs9.hkf
C:\Windows\Microsoft.NET\Framework\log.cached
C:\Windows\Microsoft.NET\Framework\UevAppMonitor.exe.config
7.2 Registry
HKLM\Software\Microsoft\.NETFramework\AppDomainManager
HKLM\SYSTEM\CurrentControlSet\Services\DnsCache
HKLM\SYSTEM\CurrentControlSet\Services\NetBT
7.3 Scheduled Tasks
OneDrive Reporting Task-S-1-5-21-*
7.4 Process Execution Patterns
| Parent | Child | Meaning |
|---|---|---|
| gpscript.exe | History.ini | NosyHistorian |
| svchost.exe | UevAppMonitor.exe (non-standard path) | NosyDoor |
| UevAppMonitor.exe | powershell.exe | Active backdoor |
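The parent/child rows above and the task-name pattern from 7.3, turned into detection logic that runs over process-creation telemetry; this is an added example, not tooling from the report. Events are constructed Sysmon-like dictionaries, and the directory where a genuine UevAppMonitor.exe is expected (System32) is an assumption used to interpret the table's "non-standard path".

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Assumption (not stated in the report): the legitimate UE-V app monitor lives
# under System32; any other directory counts as the table's "non-standard path".
EXPECTED_UEV_DIRS = {r"c:\windows\system32"}

# Scheduled-task name pattern from section 7.3 (the SID suffix is wildcarded there).
TASK_NAME_RE = re.compile(r"^OneDrive Reporting Task-S-1-5-21-[\d-]+$")


def _name(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def _parent_dir(image: str) -> str:
    return str(PureWindowsPath(image).parent).lower()


def classify_process_event(ev: dict) -> Optional[str]:
    """Map one process-creation event to the table's 'Meaning' column, or None."""
    parent, child = _name(ev["parent_image"]), _name(ev["image"])
    cmd = ev.get("command_line", "").lower()
    if parent == "gpscript.exe" and (child == "history.ini" or "history.ini" in cmd):
        return "NosyHistorian"
    if parent == "svchost.exe" and child == "uevappmonitor.exe" \
            and _parent_dir(ev["image"]) not in EXPECTED_UEV_DIRS:
        return "NosyDoor"
    if parent == "uevappmonitor.exe" and child == "powershell.exe":
        return "Active backdoor"
    return None


def is_suspicious_task_name(name: str) -> bool:
    return TASK_NAME_RE.match(name) is not None


# Constructed sample events (Sysmon-like fields); not real telemetry.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\gpscript.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "\\dc01\SYSVOL\corp.example\scripts\History.ini"'},
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\UevAppMonitor.exe"},
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\UevAppMonitor.exe"},  # expected location: no alert
    {"parent_image": r"C:\Windows\Microsoft.NET\Framework\UevAppMonitor.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def run_detections(events: list) -> list:
    """Return (event_index, meaning) for each event that matches a table row."""
    labelled = ((i, classify_process_event(ev)) for i, ev in enumerate(events))
    return [(i, meaning) for i, meaning in labelled if meaning]
```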
7.5 Cloud C2 Indicators
Watch for:
- OneDrive / Google Drive access by SYSTEM or service accounts
- API access from .NET processes
- Repeated downloads of the same cloud file IDs
- After-hours access patterns
7.6 Encryption and Strings
DES Key:
UevAppMo
Common strings:
SharedReg.dll
UevAppMonitor
OneDrive Reporting Task
E:\Csharp\
8. Why This Works So Well
Because nothing “looks malicious.”
- No exploits firing
- No strange ports
- No suspicious binaries
- No obvious persistence keys
Everything operates inside trusted administrative infrastructure.
9. Defensive Lessons
- Treat Group Policy as Tier-0 infrastructure
- Monitor every GPO change
- Audit Active Directory permissions continuously
- Watch system processes using cloud services
- Assume domain admin compromise equals full breach
Final Thought
LongNosedGoblin represents the next logical step in APT tradecraft.
Why burn zero-days when defenders already trust the tools?
Why evade security when you can operate inside it?
The organizations that will survive this kind of threat are the ones that remember a simple rule:
In cybersecurity, trust is the most dangerous vulnerability of all.
