Chinese hacker group exploits Windows, releases malware

A group of Chinese hackers, taking advantage of Windows Group Policy, released malware on companies.

Windows Group Policy is another important tool for administrators, or Administrators, of enterprise IT to manage enterprise-level Windows policies, but this feature also has a vulnerability for hackers to use.

According to a report by the website Cyber Security News, the detection of spying campaigns against government agencies in Southeast Asia, including Thailand and Japan, by the work of Chinese-backed hackers like LongNosedGoblin, a research team from Welivesecurity, a subsidiary of the well-known anti-virus software developer ESET that has been monitoring the movements of such hackers for a long time, has revealed that hackers have been moving since 2023 (2024) using malware created on C # and C #. NET to invade the target's system with the aim of obtaining information from the victim's system.

One interesting attack technique is that the group has used a feature to oversee the system policies of employees in an organization like Windows Group Policy to spread malware to other points of the system within the organization, or Lateral Movement, and also to release other malware into the system through this channel. It relies on the infrastructure of an Active Directory folder management system to spread malware into machines within the organization and avoid malware detection systems at the same time.

Using this tool to spread malware, the research team found that it was used to spread NosyHistorian malware into targeted organizations with the aim of stealing data on web browsers, where the malware was first detected in the year 2024. (2567) According to an investigation of a network attack on a Southeast Asian state organization, several machines within the same network were infected with this malware. Evidence of the use of Windows Group Policy comes from the detection of policy files such as History.ini and Registry .pol that hackers forged as real files to modify the settings in the use of the feature.

In addition to the above-mentioned malware, it has been found to be used to spread malware of the type that creates a login back door or a backdoor called NosyDoor with the beginning of sending malware down the system. It starts by converting the Registry .pol file first to act as a malware extension (Dropper), leading to the decryption of malware files (Payload) by using the Data Encryption Standard (DES) with a key called UevAppMo. In addition to that, to prevent malware from being grunned on non-target machines, the Dropper also inadvertently ran anti-malware or Guardrails to Prevented, too.

After confirming that the Payload file has been properly released on the target machine, the malware will create a persistence in the system by creating a task schedule that will run the UevAppMonitor.exe file, a valid Windows application file that has been copied from the System32 folder to the. NET framework to implement the task as a malware tool with application implementation techniques already on the machine; or Living-off-the-Land through firing (Injection), a new setup of AppDomainManager to lead to the loading of NosyDoor malware DLL files.

In the next step, after the malware has successfully received the Configuration value, the malware decrypts the received settings (under the name log.cached, beautified) and then uses that setting to contact Microsoft OneDrive through the RSA-encrypted Metadata to retrieve commands (Command) within OneDrive in the Task File section to work on the next step.

# Welcome 2026 # Take care of yourself # Open budget # Includes IT matters # Trending