Ethical Hacking News
China-linked hackers used BadAudio malware in a three-year espionage campaign targeting Windows systems via multiple attack vectors, with APT24's tactics becoming increasingly stealthy over time.
APT24 is a China-linked hacking group that has run a sophisticated espionage campaign for three years. Its malware, called BadAudio, has evolved to evade detection and become more sophisticated in its methods. APT24 compromised legitimate public websites to inject malicious JavaScript code targeting Windows systems. The attackers also launched spearphishing operations using emails impersonating animal rescue organizations. BadAudio downloads an AES-encrypted payload from the C2, decrypts it, and executes it in memory for evasion. The malware is heavily obfuscated to evade detection and hinder analysis.
Google has recently exposed a sophisticated espionage campaign run by the China-linked group APT24 over the past three years. At the heart of this campaign is a piece of malware called BadAudio, which has been delivered through various attack vectors, including spearphishing, supply-chain compromise, and watering hole attacks.
The first detection of BadAudio was in November 2022. Since then, researchers at Google Threat Intelligence Group (GTIG) have uncovered that the malware has evolved over time to evade detection and become more sophisticated in its methods. In this article, we will delve into the details of APT24's espionage campaign and explore the capabilities of the BadAudio malware.
One of the key methods used by APT24 was to compromise legitimate public websites from various domains. These sites were then used to inject malicious JavaScript code that targeted Windows systems. The script fingerprinted visitors who qualified as targets, loaded a fake software update pop-up, and lured them into downloading BadAudio.
This technique continued until at least September 2025, with over 20 compromised websites serving as part of the malware campaign. APT24's tactics were largely successful in keeping the malware undetected for an extended period.
Starting from July 2024, APT24 compromised a digital marketing company in Taiwan that provides JavaScript libraries to client websites. This tactic allowed the attackers to inject malicious JavaScript into a widely used library and register a domain name that impersonated a legitimate Content Delivery Network (CDN). As a result, over 1,000 domains were compromised.
From late 2024 until July 2025, APT24 repeatedly compromised the same marketing firm by injecting malicious, obfuscated JavaScript into a modified JSON file. This injected code fingerprinted each website visitor and sent a base64-encoded report to the attackers' server, which then decided whether or not to reply with the next-stage URL.
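The supply-chain compromise described above works because client sites pull a third-party library from a host they do not control, and a registered lookalike CDN domain blends in with legitimate includes. The following is an added example (not code from the article, Google or GTIG) showing the kind of check a site owner can run against their own pages: every external script include is compared against an allowlist of hosts, hosts that nearly match a trusted CDN name are called out as lookalikes, and includes from trusted hosts are checked for a Subresource Integrity hash that matches a pinned copy of the library. The hostnames, library contents and sample page are all constructed for the example.

```python
"""Audit the third-party <script> includes of an HTML page for supply-chain risk.

Added example for illustration; not code from the article, Google or GTIG.
Hostnames, library contents and the sample page below are all constructed.
"""
import base64
import difflib
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from (constructed allowlist).
TRUSTED_HOSTS = {"cdn.example-library.com", "static.example.com"}

# Known-good library bytes keyed by URL (constructed; in practice a pinned copy
# from your build or a vendor-published hash).
PINNED_SCRIPTS = {
    "https://cdn.example-library.com/lib/1.0/lib.min.js": b"window.lib={version:'1.0'};",
}


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384-<base64 digest>) for script bytes."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def lookalike_of(host: str, trusted: set, threshold: float = 0.85):
    """Return the trusted host that `host` nearly matches (e.g. one character off), else None."""
    best, best_ratio = None, 0.0
    for candidate in trusted:
        ratio = difflib.SequenceMatcher(None, host, candidate).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best if best_ratio >= threshold else None


def audit_scripts(html: str):
    """Return (url, reason) findings for script includes that need review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = (urlparse(src).hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            near = lookalike_of(host, TRUSTED_HOSTS)
            reason = f"untrusted host {host}"
            if near:
                reason += f" (lookalike of {near})"
            findings.append((src, reason))
        elif not integrity:
            findings.append((src, "trusted host but no integrity attribute"))
        elif src in PINNED_SCRIPTS and integrity != sri_hash(PINNED_SCRIPTS[src]):
            findings.append((src, "integrity does not match pinned copy"))
    return findings


# Constructed sample page: one clean include, one lookalike CDN host, one trusted
# include without SRI, and one whose integrity value does not match the pinned copy.
GOOD_SRI = sri_hash(PINNED_SCRIPTS["https://cdn.example-library.com/lib/1.0/lib.min.js"])
SAMPLE_HTML = f"""
<html><head>
<script src="https://cdn.example-library.com/lib/1.0/lib.min.js" integrity="{GOOD_SRI}" crossorigin="anonymous"></script>
<script src="https://cdn.example-1ibrary.com/lib/1.0/lib.min.js"></script>
<script src="https://static.example.com/app.js"></script>
<script src="https://cdn.example-library.com/lib/1.0/lib.min.js" integrity="sha384-tampered"></script>
</head></html>
"""

if __name__ == "__main__":
    for url, reason in audit_scripts(SAMPLE_HTML):
        print(f"{reason}: {url}")
```

Run against the constructed page, the audit reports the lookalike host, the trusted include that carries no integrity attribute, and the include whose integrity value no longer matches the pinned library; the clean include with a correct SRI hash produces no finding. An SRI mismatch is also what a browser enforces at load time, so pinning the hash in the page protects visitors even when the CDN host itself is compromised.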
In parallel, starting from August 2024, APT24 launched spearphishing operations that delivered BadAudio malware using emails impersonating animal rescue organizations. In some variants of these attacks, APT24 used legitimate cloud services like Google Drive and OneDrive for malware distribution instead of their own servers. However, many attempts were detected, and the messages ended up in the spam folder.
The researchers found that the emails included tracking pixels to confirm when recipients opened them. Despite this, only a few instances were reported by security solutions, suggesting that APT24's tactics had become more stealthy over time.
According to GTIG’s analysis, the BadAudio malware is heavily obfuscated to evade detection and hinder analysis. It achieves execution through DLL search order hijacking, a technique that allows a malicious payload to be loaded by a legitimate application. The malware collects basic system details (hostname, username, architecture), encrypts this information using a hard-coded AES key, and sends it to a hard-coded command-and-control (C2) address.
Once executed on a target device, BadAudio downloads an AES-encrypted payload from the C2, decrypts it, and executes it in memory, having been loaded via DLL sideloading, so that the payload never touches disk in decrypted form. In at least one case, researchers observed BadAudio deploying Cobalt Strike Beacon, the payload of a widely abused penetration-testing framework.
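The two paragraphs above describe BadAudio gaining execution through DLL search order hijacking and then sideloading its decrypted payload. From a detection standpoint, both leave the same trace: a DLL with a name that belongs in a Windows system directory being loaded from somewhere else, typically a user-writable folder, next to the executable that loaded it. The following is an added example (not code from the article, Google or GTIG) that scores image-load records on those signals. The record layout mirrors the fields of a Sysmon Event ID 7 entry, but the events, the paths and the baseline of system DLL names are all constructed for the example; a real deployment would build the baseline by enumerating %SystemRoot%\System32 on a known-good host.

```python
"""Flag image-load events that look like DLL search-order hijacking / sideloading.

Added example for illustration; not code from the article, Google or GTIG.
The event records, the baseline DLL names and the paths below are constructed.
"""
import ntpath

# Directories from which Windows legitimately serves its own DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Locations an ordinary user (or a dropped installer) can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Names of DLLs that belong in System32 (constructed; in practice, enumerate
# %SystemRoot%\System32 on a known-good host to build this inventory).
SYSTEM_DLL_BASELINE = {"netutil.dll", "msglog.dll"}


def score_image_load(event: dict):
    """Score one image-load event; return (score, reasons).

    The fields mirror a Sysmon Event ID 7 record (Image = loading process,
    ImageLoaded = DLL path, Signed = signature check result).
    """
    exe = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    dll_dir = ntpath.dirname(dll)
    dll_name = ntpath.basename(dll)
    in_system_dir = dll_dir in SYSTEM_DIRS
    score, reasons = 0, []

    if dll_name in SYSTEM_DLL_BASELINE and not in_system_dir:
        score += 2
        reasons.append(f"{dll_name} is a system DLL name but was loaded from {dll_dir}")
    if dll.startswith(USER_WRITABLE_PREFIXES):
        score += 1
        reasons.append("DLL lives in a user-writable location")
    if not in_system_dir and dll_dir == ntpath.dirname(exe):
        score += 1
        reasons.append("DLL sits beside the executable that loaded it")
    if event.get("Signed", "").lower() != "true":
        score += 1
        reasons.append("DLL is unsigned")
    return score, reasons


def detect_sideloading(events, threshold: int = 3):
    """Return (Image, ImageLoaded, score, reasons) for events at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = score_image_load(ev)
        if score >= threshold:
            hits.append((ev["Image"], ev["ImageLoaded"], score, reasons))
    return hits


# Constructed sample events: a normal system load, a sideload from Downloads,
# a vendor application loading its own signed helper, and a sideload from ProgramData.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\netutil.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\Downloads\Update\updater.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Update\netutil.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor_helper.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\tmp\viewer.exe",
     "ImageLoaded": r"C:\ProgramData\tmp\msglog.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, loaded, score, reasons in detect_sideloading(SAMPLE_EVENTS):
        print(f"[{score}] {image} loaded {loaded}")
        for r in reasons:
            print("   -", r)
```

On the constructed events, the two loads of a system-named DLL from Downloads and ProgramData cross the threshold, while the vendor application loading its own signed helper from Program Files scores only one point and is not reported. The name-collision signal carries the most weight because it is the defining feature of search-order hijacking; the other signals are there to keep ordinary applications that ship their own DLLs from triggering alerts.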
GTIG notes that, despite three years of use, APT24's tactics kept BadAudio largely undetected: of the eight samples the researchers shared, only two are flagged as malicious by more than 25 antivirus engines on the VirusTotal scanning platform. The remaining samples, which carry a creation date of December 7, 2022, are detected by at most five security solutions.
The evolution towards stealthier attacks is attributed to APT24's operational capabilities and its capacity for persistent and adaptive espionage. As such, it’s imperative that users keep their systems updated and implement robust security measures to mitigate the risk posed by sophisticated malware campaigns like this one.
Related Information:
https://www.ethicalhackingnews.com/articles/APT24s-Three-Year-Espionage-Campaign-The-Rise-of-BadAudio-Malware-ehn.shtml
https://www.bleepingcomputer.com/news/security/google-exposes-badaudio-malware-used-in-apt24-espionage-campaigns/
https://cloud.google.com/security/resources/insights/apt-groups
https://www.cyberwarcon.com/poisoned-waters-dive-into-apt24s-multi-pronged-badaudio-espionage-campaign
Published: Thu Nov 20 16:26:33 2025 by llama3.2 3B Q4_K_M