
APT24, a cyber espionage group attributed to the People’s Republic of China, has run a three-year campaign delivering BadAudio, a heavily obfuscated first-stage downloader that gives the group persistent access to targeted networks.
Over that period the actor has shifted from broad strategic web compromises to precisely targeted operations against Taiwan-based entities.
The group now combines several delivery vectors, including supply chain compromises of regional digital marketing firms and spear-phishing that trades on organizational trust.
The emergence of BadAudio represents a significant escalation in APT24’s technical capabilities. Beginning in November 2022, the group weaponized over twenty legitimate websites by injecting malicious JavaScript payloads that redirected unsuspecting visitors to attacker-controlled infrastructure.
This watering hole approach cast a wide net while fingerprinting visitors in the injected script so that only those of interest were redirected to the payload.
The delivery method has kept changing since, in step with the defensive measures the actor has had to get past.
Google Cloud security analysts identified the BadAudio malware after recognizing patterns consistent with previous APT24 campaigns.
Researchers noted that the malware operates as a custom first-stage downloader written in C++, designed to download, decrypt, and execute AES-encrypted payloads from hardcoded command-and-control servers.
The malware quietly collects basic system information, including hostname, username, and system architecture, then encrypts this data and embeds it within cookie parameters sent to attacker-controlled endpoints.
Because the beacon travels in the Cookie header of an otherwise ordinary HTTP request, there is little for signature-based network detection to match on, which lets the implant stay resident for long periods without raising alerts.
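What a defender can still look for is the shape of the cookie value rather than its content. The script below is an added example, not Google’s tooling and not derived from BadAudio: it scores each cookie value in a proxy log by length and Shannon entropy, ignores hosts on an allowlist, and counts how often the same client sends an opaque value under the same cookie name to the same host. The log layout, the allowlist and the thresholds are assumptions for illustration, and the sample log lines are constructed.

```python
"""Hunt for cookie-borne beacons: an opaque, high-entropy value in a Cookie
header sent to a host the organisation does not normally talk to.
Added example; log format, thresholds and allowlist are assumptions and the
sample lines are constructed, not captured traffic."""
import math
from collections import Counter

# Assumed proxy log layout, tab-separated: timestamp, client IP, destination
# host, method, path, Cookie header ("none" when the request carried none).
SAMPLE_LOG = """\
2025-01-10T08:01:02Z\t10.0.0.21\tintranet.example.local\tGET\t/home\tsession=3f2a9c1e4b; lang=en
2025-01-10T08:01:09Z\t10.0.0.21\tcdn.example-static.net\tGET\t/app.js\tnone
2025-01-10T08:01:15Z\t10.0.0.21\tupdate.example-unknown.com\tGET\t/index.php\tPHPSESSID=aQ1bR2cS3dT4eU5fV6gW7hX8iY9jZ0kAlBmCnDoEpFqGrHsItJuKvLwMxNyOzP+/; _ga=GA1.2.123456.789
2025-01-10T08:06:15Z\t10.0.0.21\tupdate.example-unknown.com\tGET\t/index.php\tPHPSESSID=aQ1bR2cS3dT4eU5fV6gW7hX8iY9jZ0kAlBmCnDoEpFqGrHsItJuKvLwMxNyOzP+/; _ga=GA1.2.123456.789
2025-01-10T08:02:00Z\t10.0.0.33\twww.example-shop.com\tGET\t/cart\tcart=3; session=9f8e7d6c5b4a3f2e1d0c9b8a
"""

ENTROPY_MIN = 4.5   # bits/char: hex tokens cannot exceed 4.0, base64 ciphertext runs above 5.0
LENGTH_MIN = 40     # long enough to hold an encrypted hostname/username/architecture tuple
KNOWN_HOSTS = frozenset({"intranet.example.local", "cdn.example-static.net"})  # assumed allowlist


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, the usual quick test for an opaque blob."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def parse_cookies(header: str) -> list[tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs; tolerates a missing header."""
    if header.strip().lower() in ("", "-", "none"):
        return []
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def find_suspect_beacons(log_text: str, known_hosts=KNOWN_HOSTS) -> list[dict]:
    """One record per cookie value that looks like an encrypted blob sent to a
    host outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, path, cookie = line.split("\t", 5)
        if host in known_hosts:
            continue
        for name, value in parse_cookies(cookie):
            entropy = shannon_entropy(value)
            if len(value) >= LENGTH_MIN and entropy >= ENTROPY_MIN:
                hits.append({"time": ts, "client": client, "host": host, "path": path,
                             "cookie": name, "length": len(value),
                             "entropy": round(entropy, 2)})
    return hits


def beacon_counts(hits: list[dict]) -> dict[tuple[str, str, str], int]:
    """Aggregate by (client, host, cookie name): a repeating tuple is the beacon
    pattern worth escalating, a one-off is more likely a genuine session."""
    return dict(Counter((h["client"], h["host"], h["cookie"]) for h in hits))


if __name__ == "__main__":
    for key, n in beacon_counts(find_suspect_beacons(SAMPLE_LOG)).items():
        print(f"{key[0]} -> {key[1]} cookie={key[2]} opaque-blob requests={n}")
```

Entropy alone is a weak signal: SSO and CDN session tokens are long and random too, so the allowlist, the rarity of the destination in the environment and the regularity of the requests carry most of the weight in practice. Treat the thresholds as starting points to tune against a baseline of your own traffic.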
Technical sophistication
BadAudio is protected with control flow flattening, an obfuscation technique that replaces a function’s natural branching with a central dispatcher loop driven by a state variable: every basic block becomes one case of the dispatcher and ends by setting the next state, so the original structure of loops and conditionals is no longer visible in the disassembly and has to be reconstructed by hand or with tooling.
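To make the technique concrete, the added example below (illustrative, not code from BadAudio or from Google’s analysis) writes a toy 16-bit checksum normally, then in the form a flattening pass leaves behind, and finally performs the walk an analyst does to recover block order from the dispatcher. The checksum, the state constants and the block labels are all assumptions for the illustration.

```python
"""Control flow flattening on a toy 16-bit checksum: readable form, flattened
form, and the deflattening walk that recovers block order.
Added example; the function, state constants and block names are illustrative
and are not taken from BadAudio."""


def checksum_original(data: bytes) -> int:
    """Readable form: one loop, one rotate, one xor."""
    acc = 0x1234
    for b in data:
        acc = ((acc << 3) | (acc >> 13)) & 0xFFFF   # rotate left by 3 in 16 bits
        acc ^= b
    return acc


def checksum_flattened(data: bytes) -> int:
    """Same function after flattening: each basic block is a case of a dispatcher
    keyed on an opaque state value and ends by choosing the next state instead of
    branching directly. Case order is shuffled, as a real pass would shuffle it,
    so reading top to bottom reveals nothing about program order."""
    state = 0x9E37             # entry state
    i = acc = 0
    while True:                # the dispatcher loop
        if state == 0x1C2B:    # loop test
            state = 0x7A11 if i < len(data) else 0x0442
        elif state == 0x9E37:  # init
            acc, i, state = 0x1234, 0, 0x1C2B
        elif state == 0x0442:  # exit
            return acc
        elif state == 0x7A11:  # loop body, first half
            acc = ((acc << 3) | (acc >> 13)) & 0xFFFF
            state = 0x33F0
        elif state == 0x33F0:  # loop body, second half
            acc ^= data[i]
            i += 1
            state = 0x1C2B


# What an analyst lifts out of the dispatcher: for each state, a label and the
# successor states that block can assign (labels are assumed for illustration).
FLAT_CFG = {
    0x9E37: ("init",      [0x1C2B]),
    0x1C2B: ("loop_test", [0x7A11, 0x0442]),
    0x7A11: ("rotate",    [0x33F0]),
    0x33F0: ("xor_step",  [0x1C2B]),
    0x0442: ("exit",      []),
}


def recover_block_order(cfg, entry):
    """Deflattening step: depth-first walk from the entry state following the
    successor states each block assigns. Returns the blocks in original program
    order plus the back edges, which are the loops the flattening hid."""
    order, back_edges, visited, on_stack = [], [], set(), set()

    def visit(state):
        visited.add(state)
        on_stack.add(state)
        label, successors = cfg[state]
        order.append(label)
        for nxt in successors:
            if nxt in on_stack:
                back_edges.append((label, cfg[nxt][0]))
            elif nxt not in visited:
                visit(nxt)
        on_stack.discard(state)

    visit(entry)
    return order, back_edges


if __name__ == "__main__":
    sample = b"BadAudio"
    assert checksum_original(sample) == checksum_flattened(sample)
    print(recover_block_order(FLAT_CFG, 0x9E37))
```

In a real binary the successor table is not handed to you: the state constants are recovered by finding the dispatcher’s comparison values and, for each case, the constant or conditional assignment to the state variable at its end, which is exactly the step tooling such as symbolic execution or pattern-matching deflatteners automates.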
The malware is delivered mainly as a malicious DLL that relies on DLL search order hijacking: it is dropped where a legitimate application will load it in place of the library it expects, so the malicious code executes under a trusted process.
Recent variants arrive as encrypted archives containing the BadAudio DLL together with VBS, BAT and LNK files that automate placing the DLL beside the legitimate executable and registering that executable in startup entries so the hijack survives reboots.
In the cases identified, the second-stage payload, decrypted with a hardcoded AES key, was Cobalt Strike Beacon, which gives the operators full remote access to the compromised network.
APT24 has recently pivoted toward more targeted delivery mechanisms rather than broad opportunistic attacks. Supply chain compromises targeting regional digital marketing firms in Taiwan have enabled the group to conduct sophisticated attacks affecting multiple organizations simultaneously.
Phishing campaigns leveraging social engineering tactics, including misleading emails purporting to originate from animal rescue organizations, drive direct malware downloads from attacker-controlled infrastructure.
The group has exploited legitimate cloud storage platforms including Google Drive and OneDrive to distribute encrypted archives, demonstrating their willingness to abuse trusted services for malicious purposes.
