APT / THREAT GROUP
NosyDownloader
2 aliases
Last seen: Mar 17, 2026
Intelligence Profile
According to ESET Research, this malware is used by LongNosedGoblin. It executes a chain of obfuscated commands that are passed to a spawned PowerShell process as one long command-line argument, so the script is never stored on disk. Every subsequent stage is encoded with base64, and the last one is additionally deflated with gzip. The second stage bypasses AMSI. In this case, NosyDownloader uses Matt Graeber’s reflection method, together with techniques for disabling script logging that are available on GitHub, to bypass AMSI.
Threat Analysis
NosyDownloader is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations whose primary motivation and activity patterns are unknown.
External References
Quick Facts
Type: APT / Threat Group
Aliases: 2
Also Known As
ps1.nosy_downloader, NosyDownloader
External Intelligence
Malpedia: ps1.nosy_downloader
Research Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.