Cyber Web Spider Blog – News
APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains

Posted on November 21, 2025 By CWS

A China-nexus threat actor known as APT24 has been observed using a previously undocumented malware dubbed BADAUDIO to establish persistent remote access to compromised networks as part of a nearly three-year campaign.
"While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more refined vectors targeting organizations in Taiwan," Google Threat Intelligence Group (GTIG) researchers Harsh Parashar, Tierra Duncan, and Dan Perez said.
"This includes the repeated compromise of a regional digital marketing firm to execute supply chain attacks and the use of targeted phishing campaigns."
APT24, also known as Pitty Tiger, is the moniker assigned to a suspected Chinese hacking group that has targeted the government, healthcare, construction and engineering, mining, nonprofit, and telecommunications sectors in the U.S. and Taiwan.
According to a July 2014 report from FireEye, the adversary is believed to have been active as early as 2008, with its attacks relying on phishing emails to trick recipients into opening Microsoft Office documents that, in turn, exploit known security flaws in the software (e.g., CVE-2012-0158 and CVE-2014-1761) to infect systems with malware.
Some of the malware families associated with APT24 include CT RAT, a variant of Enfal/Lurid Downloader known as MM RAT (aka Goldsun-B), and variants of Gh0st RAT known as Paladin RAT and Leo RAT. Another notable malware used by the threat actor is a backdoor named Taidoor (aka Roudan).
APT24 is assessed to be closely related to another advanced persistent threat (APT) group known as Earth Aughisky, which has also deployed Taidoor in its campaigns and has leveraged infrastructure previously attributed to APT24 in attacks distributing another backdoor called Specas.

Both malware strains, per an October 2022 report from Trend Micro, are designed to read proxy settings from a specific file, "%systemroot%\system32\sprxx.dll."
The latest findings from GTIG show that the BADAUDIO campaign has been underway since November 2022, with the attackers using watering holes, supply chain compromises, and spear-phishing as initial access vectors.
A highly obfuscated malware written in C++, BADAUDIO uses control flow flattening to resist reverse engineering and acts as a first-stage downloader capable of downloading, decrypting, and executing an AES-encrypted payload from a hard-coded command-and-control (C2) server. It works by gathering basic system information and exfiltrating it to the server, which responds with the payload to be run on the host. In one case, that payload was a Cobalt Strike Beacon.
BADAUDIO campaign overview
"BADAUDIO typically manifests as a malicious Dynamic Link Library (DLL) leveraging DLL Search Order Hijacking (MITRE ATT&CK T1574.001) for execution via legitimate applications," GTIG said. "Recent variants observed indicate a refined execution chain: encrypted archives containing BADAUDIO DLLs along with VBS, BAT, and LNK files."
From November 2022 to at least early September 2025, APT24 is estimated to have compromised more than 20 legitimate websites, injecting malicious JavaScript code that specifically excludes visitors coming from macOS, iOS, and Android, generates a unique browser fingerprint using the FingerprintJS library, and serves the remaining visitors a fake pop-up urging them to download BADAUDIO under the guise of a Google Chrome update.
Then, starting in July 2024, the hacking group breached a regional digital marketing firm in Taiwan to orchestrate a supply chain attack, injecting the malicious JavaScript into a widely used JavaScript library that the company distributed and effectively allowing it to hijack more than 1,000 domains.
The modified third-party script is configured to reach out to a typosquatted domain impersonating a legitimate Content Delivery Network (CDN) and fetch attacker-controlled JavaScript that fingerprints the machine and then, after validation, serves the pop-up to download BADAUDIO.
"The compromise in June 2025 initially employed conditional script loading based on a unique web ID (the specific domain name) associated with the website using the compromised third-party scripts," Google said. "This indicates tailored targeting, limiting the strategic web compromise (MITRE ATT&CK T1189) to a single domain."
Compromised JS supply chain attack to deliver BADAUDIO malware
"However, for a ten-day period in August, the conditions were temporarily lifted, allowing all 1,000 domains using the scripts to be compromised before the original restriction was reimposed."
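One defensive check suggested by the typosquatted-CDN technique above is to audit the external script hosts a page loads against an allowlist and flag hosts that are only a character or two away from a trusted CDN. The following is an added example, not code from the GTIG report or from the compromised library; the allowlist, the lookalike host and the sample page are constructed for illustration.

```python
# Added example (not GTIG's or the compromised library's code): audit a page's
# external <script src> hosts against a constructed CDN allowlist and single
# out hosts within a small edit distance of a trusted CDN (typosquatting).
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_CDN_HOSTS = frozenset({"cdnjs.cloudflare.com", "cdn.jsdelivr.net", "code.jquery.com"})

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike host names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class _ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        # Record the host of every external <script src=...>; relative
        # (first-party) paths have no host and are skipped.
        if tag == "script":
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:
                self.hosts.append(host.lower())

def audit_script_hosts(html, trusted=TRUSTED_CDN_HOSTS, max_dist=2):
    """Classify script hosts as trusted, lookalike (host, nearest trusted) or unknown."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    report = {"trusted": [], "lookalike": [], "unknown": []}
    for host in sorted(set(collector.hosts)):
        if host in trusted:
            report["trusted"].append(host)
            continue
        nearest = min(trusted, key=lambda t: edit_distance(host, t))
        if edit_distance(host, nearest) <= max_dist:
            report["lookalike"].append((host, nearest))
        else:
            report["unknown"].append(host)
    return report

# Constructed sample: genuine CDN, lookalike ("l" in cloudflare -> "i"), unrelated host, first-party path.
SAMPLE_HTML = """
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://cdnjs.cloudfiare.com/ajax/libs/fp/fp.min.js"></script>
<script src="https://static.example/widgets.js"></script>
<script src="/static/app.js"></script>
"""
```

Run against a fetched page, the "lookalike" bucket is the one worth paging on; "unknown" hosts still need a human to decide whether they belong on the allowlist.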
APT24 has also been observed conducting targeted phishing attacks since August 2024, using lures related to an animal rescue organization to trick recipients into responding and ultimately deliver BADAUDIO via encrypted archives hosted on Google Drive and Microsoft OneDrive. These messages are fitted with tracking pixels to confirm whether the targets opened the emails, so the attackers can tailor their efforts accordingly.

"The use of advanced techniques like supply chain compromise, multi-layered social engineering, and the abuse of legitimate cloud services demonstrates the actor's capacity for persistent and adaptive espionage," Google said.
China-nexus APT Group Targets Southeast Asia
The disclosure comes as CyberArmor detailed a sustained espionage campaign orchestrated by a suspected China-nexus threat actor against the government, media, and news sectors in Laos, Cambodia, Singapore, the Philippines, and Indonesia. The activity has been codenamed Autumn Dragon.
The attack chain begins with a RAR archive, likely sent as an attachment in spear-phishing messages, that, when extracted, exploits a WinRAR security flaw (CVE-2025-8088, CVSS score: 8.8) to launch a batch script ("Windows Defender Definition Update.cmd") that sets up persistence so the malware is launched automatically the next time the user logs in to the system.

It also downloads a second RAR archive hosted on Dropbox via PowerShell. That archive contains two files, a legitimate executable ("obs-browser-page.exe") and a malicious DLL ("libcef.dll"). The batch script then runs the binary to sideload the DLL, which communicates with the threat actor over Telegram to fetch commands ("shell"), capture screenshots ("screenshot"), and drop additional payloads ("upload").
"The bot controller (threat actor) uses these three commands to gather information and perform reconnaissance of the victim's computer and deploy third-stage malware," security researchers Nguyen Nguyen and BartBlaze said. "This design allows the controller to remain stealthy and evade detection."

The third stage once again involves DLL side-loading to launch a rogue DLL ("CRClient.dll") via a genuine binary ("Creative Cloud Helper.exe"), which then decrypts and runs shellcode responsible for loading and executing the final payload: a lightweight implant written in C++ that communicates with a remote server ("public.megadatacloud[.]com") and supports eight different commands:

  • 65, to run a specified command using "cmd.exe," gather the result, and exfiltrate it back to the C2 server
  • 66, to load and execute a DLL
  • 67, to execute shellcode
  • 68, to update the configuration
  • 70, to read a file specified by the operator
  • 71, to open a file and write the content supplied by the operator
  • 72, to get/set the current directory
  • 73, to sleep for a random period and terminate itself

While the activity has not been tied to a specific threat actor or group, it is likely the work of a China-nexus group with intermediate operational capabilities. This assessment is based on the adversary's continued targeting of countries surrounding the South China Sea.
"The attack campaign is targeted," the researchers said. "Throughout our analysis, we frequently observed the next stages being hosted behind Cloudflare, with geo-restrictions enabled, as well as other restrictions such as only allowing specific HTTP User Agents."

Source: The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.