NosyDoor backdoor activity using OneDrive and Google Drive C&C
Malware Activity
Summary
Hide ▲
Show ▼
The NosyDoor backdoor is being used to exfiltrate files and run shell commands inside compromised networks, making the LongNosedGoblin toolset more dangerous. The malware uses Microsoft OneDrive as C&C, while related tools also rely on Google Drive. The activity is tied to a broader espionage operation against governmental entities in Southeast Asia and Japan.
Related Happenings
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
Amadey and StealC shared-infrastructure malware activity
Malware Activity
H score66
First: 24.06.2026 18:02
Last: 24.06.2026 18:02
Sources 1
About this happening:
The **Amadey** loader and **StealC** infostealer are being linked through shared **C&C infrastructure**, making the pair easier to coordinate and disrupt. **Amadey** helps attacke...
Amadey and StealC shared-infrastructure malware activity
Malware ActivityAbout this happening: The **Amadey** loader and **StealC** infostealer are being linked through shared **C&C infrastructure**, making the pair easier to coordinate and disrupt. **Amadey** helps attacke...
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware Activity
H score27
First: 18.06.2026 19:20
Last: 18.06.2026 19:20
Sources 1
About this happening:
A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware ActivityAbout this happening: A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...
SprySOCKS Windows backdoor activity against government organizations
Malware Activity
H score23
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
SprySOCKS Windows backdoor activity against government organizations
Malware ActivityAbout this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware Activity
H score36
First: 02.06.2026 23:01
Last: 02.06.2026 23:01
Sources 1
About this happening:
A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware ActivityAbout this happening: A **customer-detected** AI-built ransomware toolkit is automating **Active Directory discovery** and **EDR evasion**, increasing the chance that payloads slip past security contro...
Timeline
-
18.12.2025 19:34 2 articles · 6mo ago
ESET discloses NosyDoor backdoor activity targeting government networks
Initial DisclosureESET disclosed LongNosedGoblin activity targeting governmental entities in Southeast Asia and Japan, describing NosyDoor as a backdoor that uses Microsoft OneDrive as C&C to exfiltrate files, delete files, and execute shell commands. The same toolset also included NosyHistorian, NosyStealer, NosyDownloader, and NosyLogger, and later analysis found a NosyDoor variant using Yandex Disk as C&C.
Show sources
- China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware — thehackernews.com — 18.12.2025 19:34
- China-Aligned Threat Group Uses Windows Group Policy to Deploy Espionage Malware — thehackernews.com — 18.12.2025 19:34