New China-linked hacker group spies on governments in Southeast Asia, Japan
A newly identified China-aligned hacker group, LongNosedGoblin, has been active in the networks of government institutions in Southeast Asia and Japan since September 2023. It abuses the Windows Group Policy feature to spread malware, relies on NosyHistorian to collect browser history and single out high-value targets, and then deploys tools such as the NosyDoor backdoor for follow-on attacks.

2025-12-18 20:46:16 Author: therecord.media (view original)

A previously unknown, China-aligned hacker group has been targeting government institutions across Southeast Asia and Japan, according to new research.

The group, which Slovak cybersecurity firm ESET named LongNosedGoblin, has been active since at least September 2023 and was uncovered after the company detected new malware strains inside the network of a Southeast Asian government last year.

What sets LongNosedGoblin apart from other known China-linked threat actors is its reliance on Group Policy, a legitimate Windows feature that system administrators use to push configuration, scripts and scheduled tasks to every domain-joined machine in scope. The hackers abused this feature to deploy malware and move laterally across targeted systems.
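The article does not say which Group Policy mechanism LongNosedGoblin used to deliver its malware. The script below is an added example, not code from the article or from ESET's research; it assumes two channels that are commonly abused for mass deployment from a compromised domain, Group Policy Preferences scheduled tasks (`Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` under a policy's SYSVOL folder) and machine startup scripts (`Machine\Scripts\scripts.ini`), and flags entries a responder would want to look at first. The domain name, GUIDs, task names and file contents are constructed for the example; the element layout follows the Group Policy Preferences schema.

```python
"""Triage Group Policy artifacts from SYSVOL for push-execution abuse.

Added example (not the article's or ESET's code). Assumes the GPP
ScheduledTasks.xml and scripts.ini layouts; all sample data is constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Binaries routinely used to stage or run a payload from a GPO-delivered command.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}


@dataclass
class Finding:
    name: str        # GPP task name, or "<section>[<index>]" for scripts.ini entries
    kind: str        # TaskV2, ImmediateTaskV2, Startup or Shutdown
    command: str
    arguments: str
    reasons: List[str] = field(default_factory=list)


def assess(command: str, arguments: str) -> List[str]:
    """Heuristics shared by the task and script reviewers."""
    reasons = []
    base = re.split(r"[\\/]", command.strip().strip('"'))[-1].lower()
    if base in LOLBINS:
        reasons.append(f"living-off-the-land binary: {base}")
    combined = f"{command} {arguments}".lower()
    if "\\sysvol\\" in combined or "\\netlogon\\" in combined:
        reasons.append("payload referenced from a domain share (SYSVOL/NETLOGON)")
    if re.search(r"(^|\s)-(e|enc|encodedcommand)\b", arguments, re.I):
        reasons.append("encoded PowerShell command line")
    return reasons


def review_scheduled_tasks_xml(xml_text: str) -> List[Finding]:
    """Walk the TaskV2/ImmediateTaskV2 entries of a GPP ScheduledTasks.xml."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        if props is None:
            continue
        exec_el = props.find("Task/Actions/Exec")
        command = exec_el.findtext("Command", "") if exec_el is not None else ""
        arguments = exec_el.findtext("Arguments", "") if exec_el is not None else ""
        reasons = assess(command, arguments)
        if task.tag == "ImmediateTaskV2":
            # An immediate task fires once on the next policy refresh on every
            # machine in scope, which is exactly what a mass deployment needs.
            reasons.append("ImmediateTaskV2: runs on next Group Policy refresh")
        if reasons:
            findings.append(Finding(task.get("name", "?"), task.tag,
                                    command.strip(), arguments.strip(), reasons))
    return findings


def review_scripts_ini(ini_text: str) -> List[Finding]:
    """scripts.ini lists startup/shutdown scripts as NCmdLine / NParameters pairs.
    On disk the file is usually UTF-16 with a BOM: open(path, encoding="utf-16")."""
    entries: Dict[Tuple[str, str], Dict[str, str]] = {}
    section = ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = re.match(r"(\d+)(CmdLine|Parameters)=(.*)$", line)
        if m and section:
            entries.setdefault((section, m.group(1)), {})[m.group(2)] = m.group(3)
    findings = []
    for (section, idx), pair in entries.items():
        command, arguments = pair.get("CmdLine", ""), pair.get("Parameters", "")
        reasons = assess(command, arguments)
        if reasons:
            findings.append(Finding(f"{section}[{idx}]", section, command, arguments, reasons))
    return findings


# Constructed sample: one routine software task plus an immediate task that
# loads a DLL from SYSVOL through cmd.exe and rundll32.exe.
SAMPLE_SCHEDULED_TASKS_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Inventory" image="2"
          changed="2024-01-10 08:12:04" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>C:\Program Files\Inventory\agent.exe</Command><Arguments>/scan</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update" image="0"
          changed="2024-02-21 02:37:51" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>cmd.exe</Command>
        <Arguments>/c rundll32.exe \\corp.example\SYSVOL\corp.example\scripts\up.dll,Run</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Constructed sample: a plain startup batch file next to an encoded PowerShell launcher.
SAMPLE_SCRIPTS_INI = """[Startup]
0CmdLine=init.bat
0Parameters=
1CmdLine=powershell.exe
1Parameters=-nop -w hidden -enc SQBFAFgA
[Shutdown]
0CmdLine=cleanup.vbs
0Parameters=
"""

if __name__ == "__main__":
    for f in review_scheduled_tasks_xml(SAMPLE_SCHEDULED_TASKS_XML) + review_scripts_ini(SAMPLE_SCRIPTS_INI):
        print(f"[{f.kind}] {f.name}: {f.command} {f.arguments}")
        for r in f.reasons:
            print("    -", r)
```

In a real hunt, run the two reviewers over every `{GUID}` folder under `\\<domain>\SYSVOL\<domain>\Policies\` and cross-check each flagged policy's modification time (`Get-GPO -All` exposes `ModificationTime`) against the change-control record; a GPO that was edited outside a change window and that pushes an immediate task or an encoded command is worth pulling the domain controller's directory-service change logs for. The heuristics deliberately do not flag every script or every task that runs as SYSTEM, since both are normal in a managed domain; extend `LOLBINS` and `assess` to fit the environment.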

One of the group’s primary tools is a malware strain dubbed NosyHistorian, which collects browser history from Google Chrome, Microsoft Edge and Mozilla Firefox. The stolen data is then used to decide which victims are of higher interest and where to deploy additional malware, including a backdoor known as NosyDoor.

“While we found many victims affected by NosyHistorian in the course of our original investigation between January and March 2024, only a small subset of them were compromised by NosyDoor,” ESET researchers said. Some versions of NosyDoor included safeguards designed to limit execution to specific machines, suggesting carefully selected targets.

ESET believes NosyDoor is not exclusive to LongNosedGoblin. A variant of the malware had previously been used in an attack against an organization in a European Union country, though with different tactics.

That overlap indicates NosyDoor may be offered as a commercial service to multiple China-aligned actors, the researchers said.

Other tools linked to LongNosedGoblin include NosyStealer, which exfiltrates browser data; NosyDownloader, which retrieves and runs malicious payloads in memory; and NosyLogger, a keylogging tool, ESET said.



Source: https://therecord.media/china-linked-hacker-group-spied-on-asian-govs