HOMETHREATSNosyDownloader
MALWARE FAMILY

NosyDownloader

Internal ID: ps1.nosy_downloader
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

According to ESET Research, this malware is used by LongNosedGoblin and executes a chain of obfuscated commands passed to a spawned PowerShell process as one long command line argument, meaning that the script is not stored on disk. Every subsequent stage is encoded with base64, where the last one is additionally deflated with gzip. The second stage bypasses AMSI. In this case, NosyDownloader uses Matt Graeber’s reflection method and disabling script logging techniques made available on GitHub to bypass AMSI.

Threat Analysis

NosyDownloader is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.

External References

Quick Facts

TypeMalware Family
Aliases1

Also Known As

ps1.nosy_downloader

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.