LongNosedGoblin and UAT-8302: New China-Aligned APT Threats Targeting Governments

Severity: High (Score: 75.5)

Sources: www.welivesecurity.com, securelist.com, www.security.com, Blog.Talosintelligence

Summary

In 2024, ESET identified a new China-aligned APT group it named LongNosedGoblin, which targets governmental entities in Southeast Asia and Japan. The group conducts cyberespionage with a custom toolset written mostly in C#/.NET. Its key tools are NosyDoor, a backdoor that uses Microsoft OneDrive for command and control so that its traffic blends in with legitimate cloud-storage activity, and NosyHistorian, which collects browser history to inform later stages of the intrusion. Concurrently, Cisco Talos reported on UAT-8302, another China-nexus group with overlapping tactics and tooling, including the backdoor Talos tracks as NetDraft, which ESET tracks as NosyDoor. The two clusters are linked through this shared backdoor and through common tradecraft for credential extraction and movement across the victim network. The campaigns point to a sustained effort to keep long-term access to sensitive government systems; the threat remains active, with multiple victims across several regions.

Key Points:

  • LongNosedGoblin targets Southeast Asian and Japanese governmental entities using custom malware.
  • UAT-8302 is linked to LongNosedGoblin through shared tools such as NosyDoor/NetDraft.
  • Both groups use established techniques for lateral movement and data exfiltration; the ATT&CK techniques mapped below (credential dumping, remote services, WMI, scheduled tasks, exfiltration over the C2 channel) are the ones to prioritise for detection.
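The summary's most actionable detail is that NosyDoor/NetDraft talks to OneDrive for command and control, which means its beacons reach Microsoft endpoints that every workstation also reaches legitimately. The hunt below is an added example written for this page; it is not code from ESET, Talos, or the page itself. It runs over constructed network-connection records and flags three signals: a connecting image whose SHA-256 matches one of the hashes listed under Key Entities, a process outside an allowlist reaching a OneDrive/Graph endpoint (Microsoft Graph API is listed among the tools, so graph.microsoft.com is included), and near-constant polling intervals from such a process. The record format, the allowlist of expected processes, the extra endpoint names and the jitter threshold are all assumptions, not details from the reporting.

```python
"""Hunt for OneDrive/Microsoft Graph C2 beaconing from unexpected processes (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Endpoints a OneDrive-backed C2 channel has to reach. graph.microsoft.com follows from the
# page listing Microsoft Graph API; the other names are assumptions about such traffic.
CLOUD_C2_HOSTS = {
    "graph.microsoft.com",
    "login.microsoftonline.com",
    "onedrive.live.com",
    "api.onedrive.com",
}

# ASSUMPTION: image names that legitimately talk to Graph/OneDrive in a typical Windows estate.
EXPECTED_PROCESSES = {"onedrive.exe", "outlook.exe", "ms-teams.exe", "teams.exe", "msedge.exe"}

# SHA-256 values listed under Key Entities on this page.
KNOWN_SHA256 = {
    "010f76b21251eb5d8bc77bcfdb47d5f13009aa985e744b843fc2e35b23fb2a44",
    "267ae4d7767d9980b3fbbfd5063bd28d5e05d22d64615fe7532d55a6063dfeb3",
    "cffca467b6ff4dee8391c68650a53f4f3828a0b5a31a9aa501d2272b683205f9",
}

# Constructed sample records: timestamp|host|process image|destination host|image SHA-256 ("-" if unknown).
SAMPLE_LOG = r"""
2024-06-03T08:00:00Z|WS01|C:\Users\alice\AppData\Roaming\Updater\svchost.exe|graph.microsoft.com|010f76b21251eb5d8bc77bcfdb47d5f13009aa985e744b843fc2e35b23fb2a44
2024-06-03T08:02:13Z|WS01|C:\Program Files\Microsoft OneDrive\OneDrive.exe|graph.microsoft.com|-
2024-06-03T08:03:40Z|WS02|C:\Windows\System32\svchost.exe|ctldl.windowsupdate.com|-
2024-06-03T08:05:01Z|WS01|C:\Users\alice\AppData\Roaming\Updater\svchost.exe|graph.microsoft.com|010f76b21251eb5d8bc77bcfdb47d5f13009aa985e744b843fc2e35b23fb2a44
2024-06-03T08:09:58Z|WS01|C:\Users\alice\AppData\Roaming\Updater\svchost.exe|graph.microsoft.com|010f76b21251eb5d8bc77bcfdb47d5f13009aa985e744b843fc2e35b23fb2a44
"""


def parse_event(line):
    """Split one pipe-delimited record into a dict; normalises case and extracts the image basename."""
    ts, host, image, dst, sha = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "image": image,
        "image_name": image.replace("\\", "/").rsplit("/", 1)[-1].lower(),
        "dst": dst.lower(),
        "sha256": sha.lower(),
    }


def find_suspicious(lines, min_beacons=3, max_jitter_s=30):
    """Return a sorted list of (finding, host, image) tuples.

    Signals, from strongest to weakest:
      known_ioc_hash           - the connecting image matches a hash listed on this page
      unexpected_cloud_client  - a process outside EXPECTED_PROCESSES reaches a cloud C2 host
      periodic_cloud_polling   - that unexpected process does so at a near-constant interval
    """
    findings = set()
    series = defaultdict(list)  # (host, image, dst) -> timestamps, unexpected processes only
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["sha256"] in KNOWN_SHA256:
            findings.add(("known_ioc_hash", ev["host"], ev["image"]))
        if ev["dst"] in CLOUD_C2_HOSTS and ev["image_name"] not in EXPECTED_PROCESSES:
            findings.add(("unexpected_cloud_client", ev["host"], ev["image"]))
            series[(ev["host"], ev["image"], ev["dst"])].append(ev["ts"])
    for (host, image, _dst), stamps in series.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Low spread between successive connections is the beacon signature: sync clients and
        # browsers are bursty, a sleep-loop backdoor is not.
        if pstdev(gaps) <= max_jitter_s:
            findings.add(("periodic_cloud_polling", host, image))
    return sorted(findings)


if __name__ == "__main__":
    for kind, host, image in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {host:5} {image}")
```

On the sample records only the user-profile `svchost.exe` on WS01 is reported, on all three signals; the real `svchost.exe` in System32 never touches a cloud endpoint and OneDrive.exe is on the allowlist. In production the hash check is the brittle part (a rebuilt binary defeats it), while the unexpected-client and periodicity checks survive recompilation and are the ones worth wiring into a SIEM over proxy or Sysmon event ID 3 data.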

Key Entities

  • APT27 (apt_group)
  • APT31 (apt_group)
  • CL-STA-0049 (apt_group)
  • Earth Alux (apt_group)
  • Earth Estries (apt_group)
  • REF7707 (campaign)
  • EastWind (campaign)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Supply Chain Attack (attack_type)
  • Trojan (attack_type)
  • Japan (country)
  • Russia (country)
  • Taiwan (country)
  • Ukraine (country)
  • microsoft.net (domain)
  • runner.bw (domain)
  • Government (industry)
  • 10.1.0.110 (ipv4)
  • CloudSorcerer (malware)
  • DeedRAT (malware)
  • Draculoader (malware)
  • DRBControl (malware)
  • FinalDraft (malware)
  • 67cfecf2d777f3a3ff1a09752f06a7f5 (md5)
  • faf1f7a32e3f7b08017a9150dccf511d (md5)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1047 - Windows Management Instrumentation (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • Active Directory (platform)
  • Internet Information Services (platform)
  • Microsoft Edge (platform)
  • Microsoft .NET Framework (platform)
  • Mozilla Firefox (platform)
  • Azure (company)
  • Google Chrome (tool)
  • Microsoft Graph API (tool)
  • OneDrive (tool)
  • 7-Zip (tool)
  • AD Explorer (tool)
  • 010f76b21251eb5d8bc77bcfdb47d5f13009aa985e744b843fc2e35b23fb2a44 (sha256)
  • 267ae4d7767d9980b3fbbfd5063bd28d5e05d22d64615fe7532d55a6063dfeb3 (sha256)
  • cffca467b6ff4dee8391c68650a53f4f3828a0b5a31a9aa501d2272b683205f9 (sha256)