

Ethical Hacking News

APT24's Evolving Tactics: Unpacking the BADAUDIO Campaign



Google Threat Intelligence Group (GTIG) has identified a long-running and adaptive cyber espionage campaign by APT24, a People's Republic of China (PRC)-nexus threat actor. The campaign delivers the BADAUDIO malware through strategic web compromises, a supply chain compromise of a digital marketing firm, and spear phishing. This article summarizes GTIG's findings and the intelligence defenders can use to detect and mitigate BADAUDIO.

  • APT24, affiliated with the PRC, has been using advanced cyber espionage techniques to establish persistent access to victim networks.
  • The BADAUDIO campaign, which started in 2022, is an example of APT24's adaptability and sophisticated tactics.
  • APT24 compromised legitimate websites across various subjects, including regional industrial concerns and recreational goods, using web compromises with fingerprinting to select targets.
  • The attackers tricked users into downloading and executing BADAUDIO malware through a fabricated pop-up dialog.
  • APT24's tactics have evolved to include supply chain attacks, spear phishing campaigns, and repeated compromise of regional digital marketing firms in Taiwan.
  • The BADAUDIO malware is obfuscated with control flow flattening, executes through DLL Search Order Hijacking, and in recent variants arrives in encrypted archives whose helper scripts establish persistence in compromised networks.
  • The malware collects rudimentary host information, hashes it, and embeds the result in a cookie parameter of its C2 request, which complicates network-based detection.
  • APT24's adaptability and sophistication make it essential for defenders to remain vigilant and employ effective countermeasures to detect and mitigate this persistent threat.



    The threat actor APT24, affiliated with the People's Republic of China (PRC), has been actively utilizing advanced cyber espionage techniques to establish persistent access to victim networks. The BADAUDIO campaign, which commenced in 2022, is a prime example of this adversary's adaptability and sophisticated tactics.

    The initial phase of the campaign involved strategic web compromises, where APT24 weaponized legitimate websites across various subjects, including regional industrial concerns and recreational goods. This approach allowed the attackers to capitalize on opportunistic access points, with true targeting selectively executed against visitors identified via fingerprinting. The malicious JavaScript payload injected onto these compromised sites employed the FingerprintJS library to generate a unique browser fingerprint, which served as an implicit validation mechanism for selecting potential victims.

    Upon successful validation, the victim was presented with a fabricated pop-up dialog engineered to trick users into downloading and executing BADAUDIO malware. Once the user ran the download, the attackers established persistence through legitimate executable startup entries and sideloading of the malicious DLL.
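    The web compromise above hinges on a script that a site owner never added: a third-party loader plus inline fingerprinting code. The following is an added example for this article, not GTIG's detection logic and not code from the campaign. It parses a page's HTML with the standard library, lists every external script host that is not on the site's own allowlist, and flags inline scripts that call the public FingerprintJS API. The sample HTML and the hosts "www.example-site.tw" and "cdn.example-loader.net" are constructed placeholders.

```python
"""Scan a page's HTML for injected third-party script loaders and
inline fingerprinting code (added example; constructed sample input)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public FingerprintJS API names that an inline loader typically references.
FINGERPRINT_MARKERS = ("FingerprintJS", "fpjs", "visitorId", "fp.load(")

# Constructed page: one first-party script, one injected loader, one inline call.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-loader.net/fp.min.js"></script>
<script>
  FingerprintJS.load().then(fp => fp.get()).then(r => {
    document.cookie = "v=" + r.visitorId; });
</script>
</head><body>Welcome</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html, first_party_hosts):
    """Return (kind, detail) findings for a page.

    first_party_hosts: set of hosts the site owner expects scripts from.
    Relative script paths have no host and are treated as first-party.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host and host not in first_party_hosts:
            findings.append(("third_party_script", host))
    for body in collector.inline:
        if any(marker in body for marker in FINGERPRINT_MARKERS):
            findings.append(("inline_fingerprinting", body.strip()[:60]))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, {"www.example-site.tw"}):
        print(f"{kind}: {detail}")
```

    Run it against a saved copy of each template page and diff the findings over time; a loader host that appears without a corresponding deployment is the signal to investigate, regardless of what the script claims to be.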

    A notable escalation in APT24's tactics occurred when they compromised a regional digital marketing firm in Taiwan, which resulted in over 1,000 domains being impacted. This supply chain attack demonstrated the adversary's persistent commitment to the operation, highlighting their ability to adapt and refine their strategies based on lessons learned from previous engagements.

    The firm experienced multiple re-compromises over the last year, indicating APT24's focus on establishing a long-term presence within the compromised networks. In response to these events, Google Threat Intelligence Group (GTIG) developed custom logic to identify and block the modified JavaScript payloads, distributed victim notifications with specific details about the threat, and enabled affected organizations to secure their sites and prevent future infections.

    Furthermore, GTIG observed a pivot towards more sophisticated vectors targeting organizations in Taiwan. This included repeated compromise of regional digital marketing firms, spear phishing campaigns, and an increased emphasis on supply chain attacks. The attackers consistently shift their infrastructure, using a mix of newly registered domains and previously compromised ones.

    The BADAUDIO malware is engineered with control flow flattening—a sophisticated obfuscation technique that systematically dismantles a program's natural, structured logic. This method replaces linear code with a series of disconnected blocks governed by a central "dispatcher" and a state variable, forcing analysts to manually trace each execution path and significantly impeding both automated and manual reverse engineering efforts.

    The malware leverages DLL Search Order Hijacking (MITRE ATT&CK T1574.001) for execution via legitimate applications, typically manifesting as a malicious Dynamic Link Library (DLL). Recent variants observed indicate a refined execution chain: encrypted archives containing BADAUDIO DLLs along with VBS, BAT, and LNK files.

    These supplementary files automate the placement of the BADAUDIO DLL and a legitimate executable into user directories, establish persistence through legitimate executable startup entries, and trigger the DLL sideloading. This multi-layered approach to execution and persistence minimizes direct indicators of compromise.
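    The delivery chain in the two paragraphs above has a recognizable shape at the archive level: a DLL shipped beside the VBS, BAT, or LNK files that place it and start the host executable. The following is an added example for this article, not GTIG's rule set and not a BADAUDIO sample. It inspects a zip's member listing without extracting anything (names and the encryption flag are readable even when members are password-protected), and escalates only the DLL-plus-launcher combination, since a lone DLL is common in benign archives. The archive contents are constructed placeholders built in memory.

```python
"""Triage a zip for the DLL + launcher-script layout described in the
article (added example; constructed in-memory archives, no real malware)."""
import io
import zipfile
from pathlib import PurePosixPath

LAUNCHER_EXTS = {".vbs", ".bat", ".cmd", ".lnk"}
PAYLOAD_EXTS = {".dll"}
HOST_EXTS = {".exe"}


def triage_zip(data):
    """Return a dict describing why an archive looks like a sideloading kit.

    data: raw bytes of a zip file. Only the central directory is read, so
    encrypted members still expose their names and the encryption flag bit.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    suffixes = {zi.filename: PurePosixPath(zi.filename).suffix.lower()
                for zi in infos}
    encrypted = any(zi.flag_bits & 0x1 for zi in infos)
    dlls = [n for n, s in suffixes.items() if s in PAYLOAD_EXTS]
    launchers = [n for n, s in suffixes.items() if s in LAUNCHER_EXTS]
    hosts = [n for n, s in suffixes.items() if s in HOST_EXTS]
    # A DLL next to a script or shortcut that can copy it into place and
    # start a host binary is the pattern worth escalating.
    suspicious = bool(dlls) and bool(launchers)
    return {"encrypted": encrypted, "dlls": dlls, "launchers": launchers,
            "host_exes": hosts, "suspicious": suspicious}


def build_sample_archive(kit=True):
    """Construct a zip whose layout mirrors the kit (or a benign control)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if kit:
            zf.writestr("setup/run.vbs", "' placeholder, not a real script\n")
            zf.writestr("setup/install.bat", "rem placeholder\n")
            zf.writestr("setup/Open.lnk", b"\x4c\x00\x00\x00")  # header only
            zf.writestr("setup/helper.dll", b"MZ placeholder")
            zf.writestr("setup/viewer.exe", b"MZ placeholder")
        else:
            zf.writestr("docs/readme.txt", "nothing to see\n")
            zf.writestr("docs/report.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_archive(kit=True)))
    print(triage_zip(build_sample_archive(kit=False)))
```

    On a mail gateway or download proxy the `encrypted` flag is the second half of the rule: a password-protected archive whose listing already shows a DLL, an EXE and an LNK together should be held for review rather than scanned and released.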

    Upon execution, BADAUDIO collects rudimentary host information: hostname, username, and system architecture. The collected data is then hashed and embedded within a cookie parameter in the C2 request header. This technique provides a subtle yet effective method for beaconing and identifying compromised systems, complicating network-based detection.
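    The cookie technique above evades signature matching because the value is just a hash, but a hash used as a host identifier behaves differently from a session cookie: it never changes, it is usually the only cookie on the request, and the requests recur on a timer. The following is an added example for this article, not GTIG detection content. It parses constructed proxy log lines (tab-separated epoch seconds, client, destination host, method, path, Cookie header; a format assumed here, not taken from the article), keeps single-cookie requests whose value looks like a hex digest, and reports flows where that identifier repeats at regular intervals. The hostnames and the digest value are placeholders.

```python
"""Hunt proxy logs for periodic requests carrying a digest-like value as
their only cookie (added example; constructed log lines)."""
import re
import statistics
from collections import defaultdict

# MD5 / SHA-1 / SHA-256 hex digests; the article does not name the hash.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

# Constructed: one beaconing flow every ~300 s, one ordinary browsing flow.
SAMPLE_LOG = """\
1700000000\t10.0.0.5\tupdate.example-c2.net\tGET\t/api/v1/check\tsid=5d41402abc4b2a76b9719d911017c592
1700000300\t10.0.0.5\tupdate.example-c2.net\tGET\t/api/v1/check\tsid=5d41402abc4b2a76b9719d911017c592
1700000601\t10.0.0.5\tupdate.example-c2.net\tGET\t/api/v1/check\tsid=5d41402abc4b2a76b9719d911017c592
1700000899\t10.0.0.5\tupdate.example-c2.net\tGET\t/api/v1/check\tsid=5d41402abc4b2a76b9719d911017c592
1700000010\t10.0.0.5\twww.example-shop.tw\tGET\t/\tPHPSESSID=abc123; lang=zh-TW
1700000050\t10.0.0.5\twww.example-shop.tw\tGET\t/cart\tPHPSESSID=abc123; lang=zh-TW
1700003000\t10.0.0.5\twww.example-shop.tw\tGET\t/\tPHPSESSID=q9x8w7; lang=zh-TW
"""


def parse_cookies(header):
    """Split a Cookie header into {name: value}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def parse_log(text):
    """Parse the assumed tab-separated format into row dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, method, path, cookie = line.split("\t")
        rows.append({"ts": int(ts), "src": src, "host": host,
                     "method": method, "path": path,
                     "cookies": parse_cookies(cookie)})
    return rows


def find_beacon_candidates(rows, min_hits=3, max_jitter=0.2):
    """Group single-digest-cookie requests by (client, host, identifier) and
    report groups with at least min_hits requests at near-constant spacing.
    Jitter is the population std-dev of the gaps divided by the mean gap."""
    by_flow = defaultdict(list)
    for r in rows:
        digest_like = [v for v in r["cookies"].values() if HEX_DIGEST.match(v)]
        if len(r["cookies"]) == 1 and digest_like:
            by_flow[(r["src"], r["host"], digest_like[0].lower())].append(r["ts"])
    hits = []
    for (src, host, ident), stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            hits.append({"src": src, "host": host, "ident": ident,
                         "hits": len(stamps), "mean_gap": round(mean_gap, 1),
                         "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacon_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

    Tune `min_hits` and `max_jitter` to the log volume; Beacon-style sleep jitter widens the gap distribution, so a looser threshold with a longer window catches more while still excluding interactive browsing, whose cookies rotate and come in multiples.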

    In at least one observed intrusion, the subsequent payload, decrypted using a hard-coded AES key, was confirmed to be Cobalt Strike Beacon; Cobalt Strike has not been confirmed in every instance. That Beacon payload contained a relatively unique watermark previously observed in a separate APT24 campaign, shared in the Indicators of Compromise section of the GTIG report.

    Cobalt Strike watermarks are a unique value generated from and tied to a given "CobaltStrike.auth" file. This value is embedded as the last 4 bytes for all BEACON stagers and in the embedded configuration for full backdoor BEACON samples.
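    The watermark description above translates directly into a triage check: read the trailing 4 bytes of a stager, or walk the settings of a full Beacon's embedded configuration. The following is an added example for this article, not GTIG's or any vendor's tool, and the blobs it parses are constructed (no real Beacon bytes are embedded). It goes beyond the article in one respect that is stated as an assumption: the configuration layout used here (a single-byte XOR mask over a sequence of big-endian settings of 2-byte index, 2-byte type, 2-byte length and value, with the watermark at index 37 as a 4-byte integer, and the first setting being index 1) follows the conventions of public config parsers, and the stager tail is read as a little-endian 32-bit integer.

```python
"""Recover a Cobalt Strike watermark from a stager tail or a masked Beacon
config (added example; constructed blobs; layout per public parsers)."""
import struct

WATERMARK_INDEX = 37            # assumption: setting index of the watermark
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3
XOR_KEYS = (0x69, 0x2E)         # assumption: masks used by v3 / v4 configs
CONFIG_PREAMBLE = b"\x00\x01\x00\x01\x00\x02"   # index 1, short, length 2


def stager_watermark(stager):
    """Last 4 bytes of a stager, read as little-endian (assumption)."""
    if len(stager) < 4:
        raise ValueError("stager too short to carry a watermark")
    return struct.unpack("<I", stager[-4:])[0]


def parse_settings(config):
    """Yield (index, type, value) from an unmasked config until index 0."""
    pos = 0
    while pos + 6 <= len(config):
        idx, typ, length = struct.unpack(">HHH", config[pos:pos + 6])
        pos += 6
        if idx == 0:
            return
        raw = config[pos:pos + length]
        pos += length
        if typ == TYPE_SHORT and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT and length == 4:
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw
        yield idx, typ, value


def config_watermark(masked):
    """Try each XOR key; accept a parse only if the unmasked blob starts
    with the expected first setting. Returns None when nothing matches."""
    for key in XOR_KEYS:
        plain = bytes(b ^ key for b in masked)
        if not plain.startswith(CONFIG_PREAMBLE):
            continue
        for idx, typ, value in parse_settings(plain):
            if idx == WATERMARK_INDEX and typ == TYPE_INT:
                return value
    return None


def build_sample_config(watermark, key=0x69):
    """Construct a minimal masked config: beacon type, port, watermark, end."""
    settings = (
        struct.pack(">HHHH", 1, TYPE_SHORT, 2, 0)          # index 1: beacon type
        + struct.pack(">HHHH", 2, TYPE_SHORT, 2, 443)      # index 2: port
        + struct.pack(">HHHI", WATERMARK_INDEX, TYPE_INT, 4, watermark)
        + struct.pack(">HHH", 0, 0, 0)                     # terminator
    )
    return bytes(b ^ key for b in settings)


if __name__ == "__main__":
    wm = 0x0D1F6A8B                                        # constructed value
    print(hex(config_watermark(build_sample_config(wm))))
    print(hex(stager_watermark(b"\x90" * 16 + struct.pack("<I", wm))))
```

    A watermark only links samples to the same licensed build; it identifies an operator's kit, not the operator, so treat a match as a pivot for clustering (as GTIG did across the two APT24 campaigns), not as attribution on its own.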


    Taken together, the BADAUDIO activity shows APT24 moving from opportunistic web compromises to multi-vector operations aimed at organizations in Taiwan. The GTIG report from which this article draws provides a technical analysis of the malware, traces the evolution of APT24's delivery mechanisms from 2022 to the present, and offers actionable intelligence to help defenders detect and mitigate this persistent threat.

    The Google Threat Intelligence Group (GTIG) has been actively tracking APT24's activities, utilizing their research findings to improve the safety and security of Google's products and users. Upon discovery, all identified websites, domains, and files are added to the Safe Browsing blocklist in order to protect web users across major browsers.

    In conclusion, APT24's evolving tactics pose a significant threat to organizations worldwide. Their ability to adapt and refine their strategies based on lessons learned from previous engagements has enabled them to maintain operational flexibility and establish persistent access to compromised networks. It is essential for defenders to remain vigilant and employ effective countermeasures to detect and mitigate this persistent threat.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/APT24s-Evolving-Tactics-Unpacking-the-BADAUDIO-Campaign-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/


  • Published: Thu Nov 20 09:08:26 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
