NosyDoor

NosyDoor is a C#/.NET backdoor associated with China-aligned espionage activity, most notably operations attributed by ESET to the LongNosedGoblin cluster targeting government entities in Southeast Asia and Japan since at least 2023. It is typically deployed selectively after the NosyHistorian browser-history collection tool identifies victims of interest, and ESET observed that only a small subset of NosyHistorian-compromised systems received NosyDoor. The malware is notable for cloud-based command and control, using Microsoft OneDrive in observed LongNosedGoblin intrusions; a variant was also reported using Yandex Disk against an organization in an EU country. NosyDoor gathers host metadata including machine name, username, operating system version, and current process details, sends that information to its C2 service, and retrieves task files containing instructions. Reported capabilities include file exfiltration, file deletion, shell command execution, directory listing, and in some reporting the ability to load .NET assemblies. Multiple sources describe it as relying on living-off-the-land techniques, including AppDomainManager injection, and some associated tooling was reported to bypass AMSI. Specific technical details mentioned in the content include an internal name of "OneDrive" and the PDB path "E:\Csharp\Thomas\Server\ThomasOneDrive\obj\Release\OneDrive.pdb." Some NosyDoor samples included execution guardrails restricting operation to specific machines, indicating carefully selected targets. The content also states that NosyDoor is likely not exclusive to LongNosedGoblin and may be shared, commercially provided, or otherwise used by multiple China-aligned threat actors, complicating attribution. Related tooling observed in the same activity includes NosyHistorian, NosyStealer, NosyDownloader, NosyLogger, a reverse SOCKS5 proxy, and an argument runner used to launch audio/video capture tooling.