ps1.nosy_downloader

NosyDownloader


According to ESET Research, NosyDownloader is used by LongNosedGoblin. It runs a chain of obfuscated commands that is passed to a spawned PowerShell process as one long command-line argument, so the script itself is never written to disk. Each subsequent stage is base64-encoded, and the final stage is additionally gzip-compressed. The second stage bypasses AMSI: NosyDownloader uses Matt Graeber's reflection method together with publicly available (GitHub) techniques for disabling PowerShell script logging. Because nothing touches disk, the most reliable artifact for defenders is the spawned process's command line (process-creation events with command-line auditing enabled) rather than a file, and PowerShell script block logging cannot be relied on, since the second stage attempts to switch it off.
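The following is an added example (Python) and is not code from this page, from ESET Research, or from NosyDownloader itself. It shows how an analyst would peel the chain described above out of a captured process command line: decode the base64 `-EncodedCommand` argument (UTF-16LE), find the next base64 blob inside the result, gunzip it when it carries the gzip magic, repeat, and then flag the AMSI reflection bypass (the `AmsiUtils` / `amsiInitFailed` names Matt Graeber's method touches) and script-block-logging tampering in the recovered stages. The command line it runs on is constructed inside the block to mirror the described structure; the `EnableScriptBlockLogging` line in it is a placeholder marker, not the real logging-disable technique, and the indicator list, regex threshold and function names are the example's own assumptions.

```python
"""Unwrap a nested base64/gzip PowerShell command line into its stages and flag
AMSI/script-logging tamper indicators. Added example; not NosyDownloader's code."""
import base64
import binascii
import gzip
import re
from typing import Optional

# A base64 run long enough to be a payload rather than an identifier (assumed threshold).
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

# Constructed indicator set: names used by Matt Graeber's reflection bypass
# (AmsiUtils / amsiInitFailed) and a script-block-logging marker.
INDICATORS = {
    "amsi_reflection_bypass": re.compile(r"AmsiUtils|amsiInitFailed", re.I),
    "scriptblock_logging_tamper": re.compile(r"ScriptBlockLogging", re.I),
}


def bytes_to_text(blob: bytes) -> Optional[str]:
    """Turn a decoded blob into script text, or None if it is not text.

    -EncodedCommand payloads are UTF-16LE (hence the NUL-byte heuristic);
    inner stages are usually UTF-8. A gzip magic (1f 8b) is decompressed
    first, which is what the gzip-compressed final stage needs."""
    if blob[:2] == b"\x1f\x8b":
        try:
            blob = gzip.decompress(blob)
        except (OSError, EOFError):
            return None
    encoding = "utf-16-le" if b"\x00" in blob else "utf-8"
    try:
        text = blob.decode(encoding)
    except UnicodeDecodeError:
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    if not text or printable < 0.9 * len(text):
        return None  # random bytes that merely looked like base64
    return text


def unwrap_stages(command_line: str, max_depth: int = 8) -> list:
    """Return the stages in order: raw command line first, innermost script last."""
    stages = [command_line]
    current = command_line
    for _ in range(max_depth):
        decoded = None
        for match in B64_RE.finditer(current):
            token = match.group(0)
            try:
                blob = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            except (ValueError, binascii.Error):
                continue
            decoded = bytes_to_text(blob)
            if decoded:
                break
        if not decoded:
            break
        stages.append(decoded)
        current = decoded
    return stages


def scan(command_line: str) -> dict:
    """Unwrap the chain and report at which stage depth each indicator first appears."""
    stages = unwrap_stages(command_line)
    hits = {}
    for name, pattern in INDICATORS.items():
        for depth, stage in enumerate(stages):
            if pattern.search(stage):
                hits[name] = depth
                break
    return {"stage_count": len(stages), "final_stage": stages[-1], "indicators": hits}


def build_sample() -> str:
    """Constructed sample (not a real NosyDownloader command line): a gzip+base64
    final stage inside a UTF-16LE base64 -EncodedCommand argument."""
    final_stage = (
        "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n"
        "$o['EnableScriptBlockLogging']=0  # placeholder for the logging tamper\n"
    )
    gz = base64.b64encode(gzip.compress(final_stage.encode("utf-8"), mtime=0)).decode()
    stage2 = (
        "IEX (New-Object IO.StreamReader((New-Object IO.Compression.GzipStream("
        f"(New-Object IO.MemoryStream(,[Convert]::FromBase64String('{gz}'))),"
        "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::UTF8)).ReadToEnd()"
    )
    enc = base64.b64encode(stage2.encode("utf-16-le")).decode()
    return f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {enc}"


if __name__ == "__main__":
    report = scan(build_sample())
    print("stages:", report["stage_count"], "indicators:", report["indicators"])
    print(report["final_stage"])
```

Run it over the CommandLine field of process-creation events; a depth of 2 for both indicators means the bypass lives in the second decoded layer, matching the staging the paragraph describes. The printable-ratio check matters in practice: long alphanumeric runs in benign command lines (hashes, tokens) will often decode as base64, and rejecting non-text output keeps them from being reported as stages.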

References
2025-12-19, Botbrawl, Sean Doyle: "Chinese APT LongNosedGoblin Targets Government Networks in Southeast Asia and Japan" (tags: NosyDownloader, LongNosedGoblin)
2025-12-18, ESET Research, Anton Cherepanov, Peter Strýček: "LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan" (tags: NosyDownloader)

There is no YARA signature yet.