BADAUDIO Malware
Cybersecurity vigilance remains essential as threat actors continually refine their tactics and strategies. A China-linked group known as APT24 has been deploying a previously undocumented malware called BADAUDIO to maintain long-term access to targeted networks. This activity is part of a campaign that has spanned nearly three years, highlighting the sophisticated and adaptive methods used by advanced persistent threats (APTs).
From Broad Attacks to Targeted Operations
Initially, APT24 relied on broad strategic web compromises to infect legitimate websites. Over time, the group has shifted focus toward more precise targeting, especially organizations in Taiwan. Key methods include:
- Supply chain attacks, such as repeated compromises of a regional digital marketing firm to distribute malicious scripts.
- Spear-phishing campaigns targeting specific individuals or organizations.
APT24, also known as Pitty Tiger, has historically focused on sectors including government, healthcare, construction and engineering, mining, nonprofit, and telecommunications in the U.S. and Taiwan. Evidence suggests the group has been active since at least 2008, leveraging phishing emails containing malicious Microsoft Office documents that exploit vulnerabilities such as CVE-2012-0158 and CVE-2014-1761.
Malware Arsenal: From RATs to BADAUDIO
APT24 has deployed a wide array of malware families:
- CT RAT
- M RAT (Goldsun-B), a variant of Enfal/Lurid Downloader
- Paladin RAT and Leo RAT, variants of Gh0st RAT
- Taidoor (Roudan) backdoor
The newly observed BADAUDIO stands out for its sophistication. Written in C++, it is highly obfuscated and employs control flow flattening to resist reverse engineering. It acts as a first-stage downloader, capable of retrieving, decrypting, and executing an AES-encrypted payload from a hard-coded Command-and-Control (C2) server.
BADAUDIO typically operates as a malicious DLL, leveraging DLL Search Order Hijacking for execution via legitimate applications. Recent variants are delivered as encrypted archives containing DLLs alongside VBS, BAT, and LNK files.
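The delivery layout just described (a DLL that rides on search-order hijacking, packaged with a legitimate application and VBS/BAT/LNK launchers) can be triaged before anything is executed. The following Python script is an added example, not code from the article or from any vendor report: it builds a small constructed archive in memory, then flags the tell-tale combinations in its file listing. The directory name, file names and the short list of commonly hijacked system DLL names are illustrative assumptions, not indicators from the campaign.

```python
"""Triage an archive listing for the DLL-sideloading lure layout described above.

Added example: the archive contents, names and DLL list are constructed for
illustration and are not indicators taken from the BADAUDIO campaign.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Script types that are typically used to launch the bundled binary.
LAUNCHER_EXTS = {".lnk", ".vbs", ".bat", ".cmd"}

# Assumption: a short, non-exhaustive list of Windows system DLL names that
# applications commonly load by bare name. A same-named DLL placed next to the
# EXE is a search-order hijacking candidate.
COMMONLY_HIJACKED_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll",
                          "userenv.dll", "wtsapi32.dll"}


def triage_archive(zip_bytes):
    """Return a list of (finding, directory, detail) tuples for an archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.filename.endswith("/")]
        # Bit 0 of the general-purpose flag marks a password-protected member.
        if any(i.flag_bits & 0x1 for i in infos):
            findings.append(("password_protected", "", None))
        names = [i.filename for i in infos]

    # Group members by directory: sideloading needs EXE and DLL side by side.
    by_dir = {}
    for n in names:
        p = PurePosixPath(n)
        by_dir.setdefault(str(p.parent), []).append(p.name.lower())

    for d, files in by_dir.items():
        exes = [f for f in files if f.endswith(".exe")]
        dlls = [f for f in files if f.endswith(".dll")]
        launchers = [f for f in files if PurePosixPath(f).suffix in LAUNCHER_EXTS]
        if exes and dlls:
            findings.append(("sideloading_layout", d, exes + dlls))
        for dll in dlls:
            if dll in COMMONLY_HIJACKED_DLLS:
                findings.append(("system_dll_name_collision", d, dll))
        if launchers and (exes or dlls):
            findings.append(("launcher_bundled", d, launchers))
    return findings


def build_sample_archive():
    """Construct a benign, text-only archive with the layout under discussion."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photos/Viewer.exe", b"placeholder, not a real executable")
        zf.writestr("Photos/version.dll", b"placeholder, not a real DLL")
        zf.writestr("Photos/Open Photos.lnk", b"placeholder shortcut")
        zf.writestr("Photos/run.bat", b"placeholder batch file")
    return buf.getvalue()


def build_clean_archive():
    """Construct an archive with nothing of interest, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photos/cat.jpg", b"placeholder image bytes")
        zf.writestr("Photos/notes.txt", b"placeholder notes")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding)
```

The checks operate on the member listing only, so they also work on a password-protected archive whose contents cannot be read; that is exactly the case a mail gateway or sandbox faces with the encrypted lures the article describes.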
The BADAUDIO Campaign: Techniques and Execution
The BADAUDIO campaign, ongoing since November 2022, has relied on multiple initial access vectors:
- Watering holes
- Supply chain compromises
- Spear-phishing emails
From 2022 to early 2025, APT24 compromised over 20 legitimate websites, injecting JavaScript that:
- Excluded visitors from macOS, iOS, and Android.
- Generated unique browser fingerprints using FingerprintJS.
- Displayed pop-ups urging users to download BADAUDIO disguised as a Google Chrome update.
In July 2024, the group escalated with a supply chain attack via a regional digital marketing firm in Taiwan, injecting malicious JavaScript into a widely distributed library. This affected more than 1,000 domains.
The attack used a typosquatted CDN domain to fetch attacker-controlled scripts, fingerprint machines, and serve fake pop-ups. A conditional script loading mechanism introduced in June 2025 enabled tailored targeting of individual domains, although a brief lapse in August allowed all 1,000 domains to be compromised before the restriction was reinstated.
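Site owners can check their own pages for the injection pattern described above: a script tag pointing at a lookalike of a trusted CDN host, plus inline code that gates on operating system, loads a fingerprinting library, or pushes a fake browser-update prompt. The Python scanner below is an added example, not code from the article; the trusted host names, the lookalike host and the sample HTML are constructed, and the regular expressions are heuristics chosen here rather than signatures from the campaign.

```python
"""Scan HTML for injected third-party scripts of the kind described above.

Added example: hosts, sample page and heuristics are constructed for
illustration, not indicators from the campaign.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: CDN hosts this site is expected to load scripts from.
TRUSTED_SCRIPT_HOSTS = {"static.example-cdn.com", "www.example-cdn.com"}

# Heuristics for the inline behaviour the article describes.
OS_GATE_API = re.compile(r"navigator\.(platform|userAgent)")
OS_GATE_NAMES = re.compile(r"Android|iPhone|iPad|MacIntel|Mac OS", re.I)
FINGERPRINT_LIB = re.compile(r"FingerprintJS|fpjs", re.I)
FAKE_UPDATE_LURE = re.compile(r"chrome[^\"']{0,40}update", re.I)


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character lookalike hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_html(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS, max_distance=2):
    """Return (finding, host, matched_trusted_host) tuples for one page."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = (urlparse(src).hostname or "").lower()
        if not host or host in trusted_hosts:
            continue
        lookalike = [t for t in trusted_hosts if 0 < levenshtein(host, t) <= max_distance]
        if lookalike:
            findings.append(("typosquat_cdn", host, lookalike[0]))
        else:
            findings.append(("untrusted_script_host", host, None))
    for code in p.inline:
        if OS_GATE_API.search(code) and OS_GATE_NAMES.search(code):
            findings.append(("inline_os_gating", None, None))
        if FINGERPRINT_LIB.search(code):
            findings.append(("inline_fingerprinting", None, None))
        if FAKE_UPDATE_LURE.search(code):
            findings.append(("inline_fake_update_lure", None, None))
    return findings


# Constructed sample page: one trusted script, one lookalike host, and an
# inline block that mirrors the behaviour described in the article.
SAMPLE_HTML = """<html><head>
<script src="https://static.example-cdn.com/jquery.min.js"></script>
<script src="https://static.example-cdm.com/lib/track.js"></script>
<script>
  if (!/Android|iPhone|iPad|Mac OS/i.test(navigator.userAgent)) {
    var fp = FingerprintJS.load();
    showBanner("Chrome update required");
  }
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run this against a crawl of your own site, or against a diff of a third-party library you embed, and treat any `typosquat_cdn` hit as an integrity incident rather than a tuning problem. The edit-distance check catches the single-character swap in the constructed lookalike; it will not catch a wholly different host, which is why unknown hosts are reported separately as `untrusted_script_host`.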
Advanced Phishing and Social Engineering
Since August 2024, APT24 has conducted highly targeted phishing campaigns, using lures such as animal rescue organizations. Victims receive encrypted archives containing BADAUDIO via Google Drive or Microsoft OneDrive, with tracking pixels used to monitor engagement and refine subsequent attacks.
The combination of supply chain manipulation, advanced social engineering, and cloud service abuse demonstrates APT24's capability for persistent, adaptive espionage.
APT24's operations illustrate the growing complexity of state-linked cyber threats, emphasizing the need for organizations to implement rigorous security monitoring, verify software integrity, and educate personnel on sophisticated phishing and supply chain risks.