APT24 used supply chain attacks and varied techniques to deploy the BadAudio malware in a long-running cyberespionage campaign.
China-linked group APT24 used supply-chain attacks and multiple techniques over three years to deploy the BadAudio downloader and additional malware payloads, Google Threat Intelligence Group (GTIG) warns.
According to the researchers, the group shifted from broad web compromises to more advanced techniques targeting Taiwan, including repeated supply-chain attacks through a compromised marketing firm and spear-phishing attacks. Google’s analysis details BADAUDIO’s evolution and helps defenders counter the threat, adding identified assets to Safe Browsing and notifying affected victims.

BADAUDIO works as a custom C++ first-stage downloader that pulls an AES-encrypted payload from a fixed C2 server and runs it directly in memory. It gathers simple host details and hides them inside a cookie value during the request for the next-stage payload. In several operations, that payload turned out to be Cobalt Strike Beacon, decrypted with the same AES key and linked to a watermark previously tied to APT24.
“The malware collects basic system information, encrypts it using a hard-coded AES key, and sends it as a cookie value with the GET request to fetch the payload,” reads the GTIG report. “The payload, in one case identified as Cobalt Strike Beacon, is decrypted with the same key and executed in memory.”
The malware uses heavy control-flow flattening to break its natural logic and slow down analysts. It usually arrives as a malicious DLL and relies on DLL search-order hijacking through legitimate executables. Recent versions ship inside encrypted archives with BAT, VBS, and LNK files that place the DLL, set persistence, and trigger sideloading. This layered chain reduces obvious signals and helps APT24 quietly identify and track infected systems.
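One defender-side heuristic suggested by the cookie-based payload fetch described above, written here as an added example (not code from the GTIG report or from the malware): scan web-proxy log lines for GET requests whose cookie value is opaque, block-aligned base64. The log format, the base64 encoding of the cookie, and both thresholds are assumptions, and the sample lines are constructed.

```python
import base64
import hashlib
import math
import re

# Heuristic, not a signature. The report describes BADAUDIO sending AES-encrypted
# host details as a cookie value on the GET that fetches its payload; block-cipher
# output is opaque and, once decoded, a multiple of the 16-byte AES block size.
AES_BLOCK = 16
MIN_CIPHERTEXT_BYTES = 32   # one block alone is too easy to match by accident (assumed)
ENTROPY_THRESHOLD = 4.0     # bits per character of the encoded value (assumed)
# Constructed log format: <method> <path> <version> Cookie: "<cookie header>"
LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) \S+ Cookie: "(?P<cookie>[^"]*)"$')


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution (0.0 for empty)."""
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def looks_like_block_ciphertext(value: str) -> bool:
    """True if value is high-entropy base64 that decodes to >= 2 whole AES blocks."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError: bad alphabet or padding
        return False
    return (len(raw) >= MIN_CIPHERTEXT_BYTES
            and len(raw) % AES_BLOCK == 0
            and shannon_entropy(value) >= ENTROPY_THRESHOLD)


def suspicious_cookie_requests(lines: list) -> list:
    """'<path> cookie=<name>' for each GET request carrying a ciphertext-shaped cookie."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        for part in m.group("cookie").split("; "):
            name, _, value = part.partition("=")
            if looks_like_block_ciphertext(value):
                hits.append(f'{m.group("path")} cookie={name}')
    return hits


# Constructed sample: 48 opaque hash bytes stand in for an encrypted host profile.
_FAKE_CIPHERTEXT = hashlib.sha256(b"constructed").digest() + hashlib.md5(b"constructed").digest()
SAMPLE_LOG = [
    'GET /news/index.html HTTP/1.1 Cookie: "lang=en-US; theme=dark"',
    'POST /login HTTP/1.1 Cookie: "sessionid=7f3a9c2e1b"',
    'GET /assets/app.bin HTTP/1.1 Cookie: "sid=' + base64.b64encode(_FAKE_CIPHERTEXT).decode() + '"',
]
```

Run `suspicious_cookie_requests(SAMPLE_LOG)` to see only the third line flagged; tune the thresholds against your own traffic, since long legitimate tokens (for example JWTs) can also look opaque.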
APT24 has spent three years refining how it delivers the BADAUDIO malware, shifting from broad strategic web compromises to more focused supply-chain attacks and spear-phishing. APT24’s early campaigns injected malicious JavaScript into over 20 legitimate sites, fingerprinted visitors with FingerprintJS, and pushed fake update pop-ups to infect only selected Windows targets. In 2024, APT24 escalated by compromising a Taiwanese digital marketing firm, repeatedly reinfecting it and exposing more than 1,000 domains. The attackers hid malicious code inside modified JS and JSON files, used advanced fingerprinting, exfiltrated reconnaissance data, and dynamically served BADAUDIO based on C2 logic. GTIG blocked malicious scripts and notified affected organizations, helping them secure their environments.

“This nearly three-year campaign is a clear example of the continued evolution of APT24’s operational capabilities and highlights the sophistication of PRC-nexus threat actors,” concludes the report. “The use of advanced techniques like supply chain compromise, multi-layered social engineering, and the abuse of legitimate cloud services demonstrates the actor’s capacity for persistent and adaptive espionage.”
Pierluigi Paganini
(SecurityAffairs – hacking, APT24)
