
LongNosedGoblin: The cyber espionage ghost quietly infiltrates the governments of Japan and Southeast Asia.

ESET researchers have discovered a Chinese APT group, LongNosedGoblin, conducting a large-scale campaign targeting government organizations in Southeast Asia and Japan.


Overview

No 0-day exploits, no noise, and few unusual traces left on the system. Yet LongNosedGoblin, a newly discovered APT group, is quietly infiltrating the networks of government agencies in Southeast Asia and Japan using legitimate administrative tools. Behind this facade of "normal operation" is a targeted cyber-espionage campaign lasting several months, aimed at gathering sensitive information and maintaining long-term control inside the victim's systems.

The group uses a diverse set of custom tools, mostly C#/.NET applications, and notably abuses Group Policy to deploy malware and move laterally across the target's network. This article details LongNosedGoblin's tooling and how organizations can protect themselves.

Overview of LongNosedGoblin

LongNosedGoblin is a new APT (Advanced Persistent Threat) group discovered by ESET researchers in 2023. They specialize in conducting targeted cyber espionage campaigns aimed at government agencies and state organizations in Southeast Asia and Japan. This group is considered highly organized, operates discreetly, and shows many characteristics suggesting links to attack groups originating from China.

As mentioned above, unlike many APT campaigns that focus on exploiting zero-day vulnerabilities or launching massive attacks, LongNosedGoblin opts for a quiet but persistent approach. The group leverages legitimate system administration tools, particularly Windows Group Policy in Active Directory environments, to distribute malware widely, thereby avoiding detection by traditional defense mechanisms.

Group Activity History

Phase One: Stealthy Infiltration (2023)

  • Some of the earliest activities of LongNosedGoblin were detected in the internal networks of several government organizations in Southeast Asia. During this phase, the group mainly focused on:

    • Maintaining internal access after the initial breach;

    • Testing and refining data collection tools;

    • Using Group Policy to deploy payloads without drawing attention.

Phase Two: Expansion and Tool Refinement (2024)

  • In 2024, LongNosedGoblin began to expand its operations, with more clearly documented campaigns in:

    • Several Southeast Asian countries.

    • Some government organizations and related entities in Japan.

  • This phase saw the group perfect its unique malware toolkit, including:

    • NosyHistorian – a tool for collecting browsing history to categorize victims;

    • NosyDoor – a remote control backdoor using legitimate cloud services as a C&C channel;

    • Supporting modules like stealers, keyloggers, and reverse proxies.

Phase of Persistent Activity and Links to Other Groups (Late 2024 – 2025)

  • From late 2024 to 2025, ESET continued to record new variants of LongNosedGoblin malware, indicating:

    • The group still maintains long-term access in some compromised systems;

    • Tooling is updated to evade detection signatures;

    • There are components with similarities to tools from other China-related APT groups, though distinct enough to be considered a separate group.

Group Objectives

  • Collect browser history to profile victims (NosyHistorian)

  • Deploy backdoor for long-term espionage (NosyDoor)

  • Steal browser data and credentials (NosyStealer)

  • Keylogging and screen/audio capture

  • Lateral movement through Group Policy

Toolset & Methods: NosyHistorian

  • C#/.NET application with the internal name "GetBrowserHistory"

  • Deployed via Group Policy with the filename History.ini (disguised as an INI file)

  • Collects browser history from Chrome, Edge, Firefox for all users

  • Uploads to an internal SMB share within the compromised network

  • Attacker uses the data to decide which victim will have the backdoor deployed

  • PDB path: E:\Csharp\SharpMisc\GetBrowserHistory\obj\Debug\GetBrowserHistory.pdb
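An added hunting check for the deployment pattern above (not code from the original report or from ESET): a PE pushed through Group Policy under a data-file name such as History.ini. The script walks a directory tree (SYSVOL is the obvious candidate; the path is a placeholder), flags PE files hiding behind non-executable extensions, and records whether each is a .NET assembly and whether it carries the PDB path quoted above. The sample PE images are constructed in memory for the self-test.

```python
"""
Hunting helper for the NosyHistorian deployment described above: a .NET
executable pushed through Group Policy under the name History.ini. Windows
does not care about the extension when a GPO-driven command runs a file, so a
PE hiding behind a data-file extension in SYSVOL is worth an alert. This walks
a tree, flags PE files with non-executable extensions, and notes whether the
PE is a .NET assembly (CLR data directory) and whether it carries the PDB path
quoted in the report. The sample PE images are constructed in memory.
"""
import os
import struct
import sys

DATA_EXTENSIONS = {".ini", ".txt", ".log", ".dat", ".cfg", ".xml", ".json"}
# Fragment of the PDB path the report gives for GetBrowserHistory.
KNOWN_PDB = b"\\SharpMisc\\GetBrowserHistory\\"

def is_pe(data):
    """True if data has a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def clr_header_present(data):
    """Walk the optional header to data directory 14 (CLR runtime header);
    a non-zero entry means the image is a .NET assembly. Assumes is_pe(data)."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 4 + 20                # PE signature + COFF file header
    if len(data) < opt + 2:
        return False
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                     # PE32
        ndirs_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                   # PE32+
        ndirs_off, dd_off = opt + 108, opt + 112
    else:
        return False
    if len(data) < ndirs_off + 4:
        return False
    (ndirs,) = struct.unpack_from("<I", data, ndirs_off)
    entry = dd_off + 14 * 8
    if ndirs < 15 or len(data) < entry + 8:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0

def classify(name, data):
    """Return a finding dict for a PE hiding behind a data extension, else None."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in DATA_EXTENSIONS or not is_pe(data):
        return None
    return {
        "file": name,
        # mscoree.dll is imported by every .NET executable; cheap second check.
        "dotnet": clr_header_present(data) or b"mscoree.dll" in data,
        "known_pdb": KNOWN_PDB in data,
    }

def scan_files(items):
    """items: iterable of (name, bytes). Returns findings for suspicious files."""
    return [f for f in (classify(n, d) for n, d in items) if f]

def iter_tree(root):
    """Yield (path, bytes) for every readable file under root."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    yield path, fh.read()
            except OSError:
                continue

def build_sample_pe(dotnet):
    """Construct a minimal, non-runnable PE32 image for testing: DOS header,
    PE signature, COFF header, PE32 optional header with 16 data directories,
    plus a CLR directory entry and the reported PDB path when dotnet is True."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    tail = b""
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)
        tail = b"E:\\Csharp" + KNOWN_PDB + b"obj\\Debug\\GetBrowserHistory.pdb\0"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + tail

if __name__ == "__main__":
    # Placeholder root; point it at the SYSVOL share of the domain being checked.
    root = sys.argv[1] if len(sys.argv) > 1 else r"\\domain\SYSVOL"
    for finding in scan_files(iter_tree(root)):
        print(finding)
```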

Nature of GachiLoader

GachiLoader is not the final payload but a multi-stage loader whose main tasks are:

  • Avoiding analysis.

  • Gathering environmental information.

  • Deciding whether to continue the attack.

  • Loading the next-stage payload (infostealer).

Technical Analysis

GachiLoader is a heavily obfuscated Node.js JavaScript malware used to deploy additional payloads onto infected machines. Analysts have developed a tool to monitor suspicious behavior in Node.js scripts.

As noted above, GachiLoader relies heavily on anti-analysis techniques, which can be considered a core component of the malware. To evade analysts and sandbox environments, its JavaScript modules perform several anti-VM and anti-analysis checks:

  • Check if the total RAM is at least 4GB.

  • Check if there are at least 2 CPU cores.

  • Compare the username with a list of usernames associated with Sandbox environments.

  • Check the hostname against a similar list.

  • Probe running programs and compare them with a list of programs, such as analysis tools.

Not stopping there, GachiLoader continues to run several PowerShell commands to check:

  • Count the number of physical port connectors: (Get-WmiObject Win32_PortConnector).Count

  • Query WMI to get the system's physical drive model name and compare it with a blacklist: Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model

In addition, to keep the later payloads from being detected, the malware kills the Windows Defender UI process SecHealthUI.exe by running taskkill /F /IM SecHealthUI.exe and adds Defender exclusions with Add-MpPreference -ExclusionPath for the following paths:

  • C:\Users\

  • C:\ProgramData\

  • C:\Windows\
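The host-fingerprinting and defense-impairment commands above all surface in PowerShell script-block logging, so here is an added detection example (not from the original report) that scores them per process: the WMI Win32_PortConnector and Win32_DiskDrive queries, the SecHealthUI.exe taskkill, and broad Add-MpPreference exclusions. The log format and sample lines are constructed for this example.

```python
"""
Detection helper for the GachiLoader host-fingerprinting and defense-impairment
commands described above (WMI Win32_PortConnector count, Win32_DiskDrive model
lookup, taskkill of SecHealthUI.exe, broad Add-MpPreference exclusions).
Each command alone is common in admin scripts; several from one process inside
a short window is a strong signal, so hits are scored per process.
Input (constructed for this example) is one PowerShell script-block log event
per line: <ISO timestamp>|<pid>|<script block text>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (name, weight, pattern). Patterns follow the commands quoted in the report;
# case-insensitive because PowerShell is.
RULES = [
    ("wmi_port_connector", 1,
     re.compile(r"Get-(?:Wmi|Cim)(?:Object|Instance)\s+(?:-Class(?:Name)?\s+)?"
                r"Win32_PortConnector", re.I)),
    ("wmi_disk_model", 1,
     re.compile(r"Win32_DiskDrive.*?-ExpandProperty\s+Model", re.I)),
    ("kill_sechealthui", 3,
     re.compile(r"taskkill\s+.*?/IM\s+SecHealthUI\.exe", re.I)),
    # Only whole-drive-level exclusions (C:\Users\, C:\ProgramData\, C:\Windows\)
    # fire; a narrower path such as C:\Users\bob\build does not.
    ("defender_exclusion_broad", 4,
     re.compile(r"Add-MpPreference\s+-ExclusionPath\s+['\"]?"
                r"C:\\(?:Users|ProgramData|Windows)\\?['\"]?(?:[\s,]|$)", re.I)),
]
ALERT_THRESHOLD = 4       # one broad exclusion, or the kill plus both WMI probes
WINDOW = timedelta(minutes=5)

def parse_event(line):
    """Split one constructed log line into (timestamp, pid, script text)."""
    ts, pid, text = line.rstrip("\n").split("|", 2)
    return datetime.fromisoformat(ts), int(pid), text

def match_rules(text):
    """Return the names of every rule that fires on one script block."""
    return [name for name, _, rx in RULES if rx.search(text)]

def scan(lines):
    """Group rule hits by pid, score those inside WINDOW of the first hit, and
    return {pid: (score, sorted rule names)} for pids at or over threshold."""
    hits = defaultdict(list)                      # pid -> [(ts, rule name)]
    for line in lines:
        if not line.strip():
            continue
        ts, pid, text = parse_event(line)
        for name in match_rules(text):
            hits[pid].append((ts, name))
    weights = {name: w for name, w, _ in RULES}
    alerts = {}
    for pid, events in hits.items():
        events.sort()
        start = events[0][0]
        fired = {name for ts, name in events if ts - start <= WINDOW}
        score = sum(weights[n] for n in fired)    # each rule counted once
        if score >= ALERT_THRESHOLD:
            alerts[pid] = (score, sorted(fired))
    return alerts

# Constructed sample: pid 4120 replays the GachiLoader sequence; pid 7788 is a
# legitimate admin script that only queries the disk model.
SAMPLE_LOG = """\
2025-03-01T10:00:01|4120|(Get-WmiObject Win32_PortConnector).Count
2025-03-01T10:00:02|4120|Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model
2025-03-01T10:00:05|4120|taskkill /F /IM SecHealthUI.exe
2025-03-01T10:00:06|4120|Add-MpPreference -ExclusionPath 'C:\\Users\\'
2025-03-01T10:00:06|4120|Add-MpPreference -ExclusionPath 'C:\\ProgramData\\'
2025-03-01T10:00:07|4120|Add-MpPreference -ExclusionPath 'C:\\Windows\\'
2025-03-01T11:30:00|7788|Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model
2025-03-01T11:31:00|7788|Get-Service WinRM | Restart-Service
"""

if __name__ == "__main__":
    for pid, (score, rules) in scan(SAMPLE_LOG.splitlines()).items():
        print(f"pid {pid}: score {score}, rules: {', '.join(rules)}")
```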

Like other commodity malware, GachiLoader depends on a distribution phase, in other words a lure. Here LongNosedGoblin publishes fake YouTube videos advertising game cheats, software cracks, or hacking tools, and the accompanying guides always tell the viewer to disable Windows Defender first. This maps to the technique "T1204.002 – User Execution": getting users to execute the malware themselves.

After distribution, the victim executes the malware's .exe files. These files are large (60-90 MB) because they are built with nexe:

  • Bundles the Node.js runtime

  • No need to install Node on the victim's machine

Once the anti-analysis checks described above pass, the malware connects to the C2 to download the additional payloads it needs. It communicates with the C2 using HTTP POST requests, sending log data to 62[.]60[.]226[.]233 or 66[.]63[.]187[.]72.

Some initial data will be sent, including:

  • OS version

  • Architecture

  • Installed AV

  • Username

  • Hostname

  • Privilege level

  • Runtime info

Right after this, LongNosedGoblin deploys additional GachiLoader variants, with two main payloads: Remote Payload and Kidkadi.

The first variant, "Remote Payload", uses HTTP GET to communicate with the C2 and receives the URLs of the payloads to download, Base64-encoded, for example: 5FZQY1gYj0UKw4ZC99d1oNYR8LvTPtrfN357Eh5gmRvsMaPYgXtMxRXpMb2bTFOb2h2HqMnvUKT9CUpj9864gckmPUzf9uLIIU9. The payloads are then downloaded to the %TEMP% directory and saved under a random name mimicking legitimate software such as KeePass.exe, GoogleDrive.exe, UnrealEngine.exe or 7z.exe, or another program carrying the Rhadamanthys info stealer, packed and protected with VMProtect or Themida.

The second variant is called Kidkadi. Unlike the first, Kidkadi does not contact the C2 to fetch a payload. Instead, it carries an embedded payload that is executed through another loader dropped to disk in %TEMP% as kidkadi.node. This is the gateway to the most dangerous native payload behind it.

Finally, LongNosedGoblin executes the most dangerous payload of the campaign. It creates a SEC_IMAGE section and writes the PE payload into that section.

It then registers a Vectored Exception Handler (VEH). VEH is a legitimate Windows mechanism, but when abused by malware it becomes a powerful tool to:

  • Evade analysis

  • Hook API

  • Inject PE

  • Trick the Windows loader

After that, it sets hardware breakpoints on NtOpenSection, NtMapViewOfSection and NtClose to take control of the Windows loader's execution flow and manipulate the DLL/PE loading process.

Next, the malware loads amsi.dll through LoadLibrary. amsi.dll is the library of the Antimalware Scan Interface (AMSI); loaded this way, the system sees a legitimate DLL, a familiar loader and completely normal behavior. At this point the payloads run under the identity of a clean module.

Depending on the system, the payloads are then executed for specific purposes:

  • Credential theft

  • Browser data

  • Crypto wallets

  • Persistence

  • Secondary C2

Summary MITRE ATT&CK Mapping – GachiLoader

  • T1566.001 – Phishing: Spearphishing Attachment

  • T1204.002 – User Execution: Malicious File

  • T1059.007 – Command and Scripting Interpreter: JavaScript

  • T1622 – Debugger Evasion

  • T1497.001 – Virtualization/Sandbox Evasion

  • T1027 – Obfuscated Files or Information

  • T1082 – System Information Discovery

  • T1518 – Software Discovery

  • T1071.001 – Application Layer Protocol: Web (HTTP/S)

  • T1105 – Ingress Tool Transfer

  • T1620 – Reflective Code Loading

  • T1574.002 – DLL Side-Loading (Advanced Variant)

  • T1546.005 – Event Triggered Execution: Vectored Exception Handler

  • T1055 – Process Injection

  • T1106 – Native API

  • T1562.001 – Impair Defenses: Disable or Modify Security Tools

  • T1555 – Credentials from Password Stores

Conclusion

The campaign by LongNosedGoblin highlights a concerning reality in today's cybersecurity landscape: the most dangerous threats don't always come from complex attack techniques, but from the misuse of legitimate administrative mechanisms that are trusted within the system. By exploiting Group Policy, popular cloud services, and a custom malware toolkit, LongNosedGoblin has built the ability to infiltrate silently, maintain a long-term presence, and selectively gather intelligence.

The hallmark of this group is not speed or destructiveness, but patience and the strategy of "sniffing out" targets before taking action. Collecting browsing history, categorizing users, and only deploying a backdoor when the information's value is confirmed shows that LongNosedGoblin operates like a true cyber-espionage organization, rather than just an ordinary cybercrime group.

In the broader picture, LongNosedGoblin is not just a new name on the list of APT groups, but a testament to the evolution of modern cyber-espionage campaigns: quieter, more selective, and harder to detect. It also serves as a reminder that today's cybersecurity battle is not just about patching vulnerabilities, but also about protecting the trust within our own systems.

Recommendations

  1. Increase awareness of account security

    • Do not use duplicate passwords between work and personal accounts.

    • Always enable multi-factor authentication (MFA) for email, Microsoft/Google accounts, and VPN.

    • Be alert to unusual login notifications, especially from unfamiliar locations or times.

  2. Be cautious with emails and attachments

    • Do not open attachments or click on links if the email:

      • Has vague content or urges immediate action;

      • Pretends to be from a leader, colleague, or internal department;

      • Contains strange files even if labeled as “document” or “configuration.”

    • Report suspicious emails to the IT/SOC department immediately, rather than handling them yourself.

  3. Do not tamper with system configurations

    • Do not:

      • Install software from unknown sources;

      • Change system configurations or security policies;

      • Run scripts or PowerShell/Batch files shared via chat or email.

    • These actions can accidentally trigger or hide malware.

  4. Be alert to unusual behavior on your computer

    • Users should pay attention and report if they notice:

      • The computer running unusually slow, with fans running constantly;

      • The browser opening/closing automatically or having strange browsing history;

      • New files or shortcuts appearing from unknown sources;

      • Unusual login or data sync alerts with OneDrive/Google Drive.

  5. Manage personal and work data

    • Do not store sensitive documents in:

      • Publicly shared folders;

      • Personal cloud services that are not approved.

    • Always lock your computer when leaving your workspace, even for a short time.

  6. Regularly update systems and software

    • Do not delay updates for Windows, browsers, and office software.

    • Restart the computer when prompted to ensure updates are fully applied.

    • Do not disable security software/EDR unless officially requested by IT.

IOCs

  1. .zip Archives


  2. Variant 1 – GachiLoader


  3. GachiLoader’s C2 Servers


  4. Variant 2 – Kidkadi Dropper


    • e79d67e6c265ff53fb428123711db25b5fc3612ae650b55a2c6484bce3385bec

    • e806c33313e0490293edeb998abcd9413744e307af5619662ae6a62f6224aee7

    • ec55eadc6aab2a8c519c016e4b238b39463345c87160b7e2005e6e38ef05ff21

    • eca5155749b0f83671e8c17094a4380c19a3b5096781bd7b88cd9f93a70fc574

    • ed0cbb7b137a10493319473610209016f2c1a8b9560876bc32999b472a32e18f

    • ee363c5bdc5e786b0b47840d8fe69a5bd71f3684a9eec5d9e49b9ab68c64c793

    • ee752ce83f645fe4d3db0b1d8c41428d7b9adf37e72a9c21c153450862d30906

    • eed231bda3ad5a946a254d06865610e50b05eabaece8f09f84323d9fb23e2742

    • ef4d2a7ca4306626ff90e53ebad63e243a50dff63f34eb0eeaeb4acb2f39c42b

    • f0269f2b26534acc3ef8bee5b243c54b14812769249a974b2e2b7eba9734a967

    • f1de30fa0eeedc1f1a7d97736cf751c88fb01456a182f97ede7294bc89bf69af

    • f4f18af4acee36826b8e2162749250ffb96fc7f8f154d181dd1b8179cf4da68d

    • f73e65f624f15d967951a6795c712daf31363ab1602485c164549b04989caaaf

    • f9648d34727738abe86310378929ab7a8d5c8f2698c913bc84dee9be49e3b96a

    • f98ce437118aeca437a43612858068f4ea6099bb93c63f1b4ffc4d4335e8eaed

    • fbae3424943aec7aea7ce380c7a83c89ca9c6ff243bfac5186edba6e560f5b66

    • fd06caf741fd4e5fc9f00c575cc22c00f1a7fd55e826a16dbabc8b3436ed64c4

  5. Rhadamanthys C2 Servers

  6. Kidkadi.node

  7. HookPE.exe

    • ded68a8f5d0765740d469c08bd66270097f3474eab92ee1e65ddcdd6d15fca6e
