
APT24's 'BADAUDIO' Malware Fuels Years-Long Espionage Campaign Against Taiwan and Over 1,000 Domains

A sophisticated, China-nexus threat actor known as APT24 has been conducting a persistent espionage campaign for nearly three years, leveraging a previously undocumented malware called BADAUDIO. This campaign has primarily targeted organizations in Taiwan, employing advanced techniques like supply chain attacks and strategic web compromises.

Key Takeaways

  • APT24, also known as Pitty Tiger, has been active since at least 2008.

  • The BADAUDIO malware is a highly obfuscated C++ downloader used for initial access and payload delivery.

  • The campaign has evolved from broad web compromises to more targeted attacks, including supply chain attacks via a regional digital marketing firm.

  • APT24 has also utilized phishing campaigns and exploited known software vulnerabilities.

Evolution of APT24's Tactics

Initially, APT24 relied on widespread strategic web compromises to infect legitimate websites. However, recent operations show a shift towards more sophisticated methods. Researchers from Google Threat Intelligence Group (GTIG) observed APT24 targeting organizations in Taiwan through repeated compromises of a regional digital marketing firm. This allowed them to execute supply chain attacks, injecting malicious JavaScript into a widely used library distributed by the firm, thereby compromising over 1,000 domains.

The BADAUDIO Malware

BADAUDIO is a highly obfuscated malware written in C++ that utilizes control flow flattening to hinder reverse engineering. It functions as a first-stage downloader, capable of fetching, decrypting, and executing an AES-encrypted payload from a hard-coded command and control (C2) server. It gathers basic system information and exfiltrates it, receiving a payload in return, which has included Cobalt Strike Beacon in some instances.

BADAUDIO typically ships as a malicious Dynamic Link Library (DLL) that abuses DLL search order hijacking so that a legitimate application loads and executes it. Recent variants have been observed inside encrypted archives that bundle the BADAUDIO DLL together with VBS, BAT, and LNK files.

Campaign Execution and Targeting

From November 2022 to at least early September 2025, APT24 compromised over 20 legitimate websites. They injected malicious JavaScript code designed to skip visitors on macOS, iOS, and Android, generate unique browser fingerprints, and present a fake pop-up urging users to download BADAUDIO as a Google Chrome update.

Starting in July 2024, the breach of a regional digital marketing firm in Taiwan enabled a supply chain attack. The modified third-party script would contact a typosquatted domain impersonating a legitimate Content Delivery Network (CDN) to fetch attacker-controlled JavaScript. This script would fingerprint the machine and serve the BADAUDIO download pop-up. While initially tailored to specific domains, for a ten-day period in August, these restrictions were lifted, allowing all 1,000 domains using the compromised scripts to be affected.
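Both the web compromises and the supply chain attack above hinge on a page loading script from a host the site owner never intended: an injected script tag, or a legitimate third-party script that has been modified to pull code from a typosquatted CDN lookalike. A defender reviewing rendered pages or crawl output can check every script source against an allowlist of the CDN hosts a site actually uses and flag near-misses separately from simply unknown hosts. The script below is an added example (not code from the article or from GTIG); the allowlist, the sample HTML and the hostnames in it are constructed placeholders and are not indicators from the campaign.

```python
"""Classify <script src> hosts on a page as trusted, typosquat-like, or unknown.

Added example, not from the article or from GTIG. Hosts and HTML are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the CDN hosts this site is expected to load script from.
EXPECTED_CDN_HOSTS = {"cdn.example-cdn.net", "static.example-cdn.net"}

# Constructed page: one legitimate include, one lookalike host (l -> 1),
# one same-origin script, and one third-party host that is simply not allowlisted.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-cdn.net/lib.js"></script>
<script src="https://cdn.examp1e-cdn.net/lib.js"></script>
<script src="/assets/app.js"></script>
<script src="//analytics.other.test/t.js"></script>
</head><body></body></html>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, plain row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution or match
        prev = cur
    return prev[-1]


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def classify_script_hosts(html: str, expected=EXPECTED_CDN_HOSTS, max_edits: int = 2) -> dict:
    """Bucket each external script host: trusted, typosquat (within max_edits of an
    expected host but not equal to one), or unknown. Same-origin scripts are skipped."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    buckets = {"trusted": [], "typosquat": [], "unknown": []}
    seen = set()
    for src in parser.srcs:
        # Protocol-relative "//host/path" already parses; relative paths have no host.
        host = urlparse(src).hostname
        if not host or host in seen:
            continue
        seen.add(host)
        host = host.lower()
        if host in expected:
            buckets["trusted"].append(host)
        elif any(levenshtein(host, e) <= max_edits for e in expected):
            buckets["typosquat"].append(host)
        else:
            buckets["unknown"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in classify_script_hosts(SAMPLE_HTML).items():
        print(f"{bucket:10s} {hosts}")
```

The typosquat bucket is the one worth an immediate look: a host one or two edits away from a CDN you already trust is far more likely to be a lookalike than an accident. Running the same check against the third-party scripts themselves (the URLs they fetch at runtime) catches the supply-chain variant, where the first-hop include is legitimate and only the code it pulls in has been redirected.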

Phishing and Past Activities

APT24 has also employed targeted phishing attacks since August 2024, using lures related to an animal rescue organization. These emails, with lure content hosted on Google Drive and Microsoft OneDrive, trick recipients into responding and ultimately deliver BADAUDIO via encrypted archives. Tracking pixels are used to confirm email opens and tailor subsequent efforts.

Past malware families associated with APT24 include CT RAT, MM RAT (Goldsun-B), Paladin RAT, Leo RAT, and the Taidoor backdoor. The group is assessed to be closely related to APT group Earth Aughisky.

Broader Context

This disclosure coincides with reports of another sustained espionage campaign, codenamed Autumn Dragon, targeting government, media, and news sectors in Southeast Asian countries like Laos, Cambodia, Singapore, the Philippines, and Indonesia. While not directly tied to APT24, this campaign also exhibits characteristics of China-nexus threat actors, employing techniques like DLL side-loading and exploiting vulnerabilities such as CVE-2025-8088 in WinRAR.

Sources

  • APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains, The Hacker News.
