Compromised JS supply chain attack to deliver BADAUDIO malware | Image: GTIG
Google’s Threat Intelligence Group (GTIG) has released a comprehensive analysis exposing a long-running and adaptive cyber-espionage campaign conducted by APT24, a threat actor with strong ties to the People’s Republic of China (PRC). The operation spans at least three years and centers on the deployment of BADAUDIO, a heavily obfuscated first-stage downloader designed to establish persistent access to targeted networks—particularly across organizations in Taiwan.
The analysis reveals that BADAUDIO is a custom C++ first-stage downloader that:
- Collects system info
- Encrypts it using a hard-coded AES key
- Exfiltrates the data via cookies inside GET requests
- Downloads and decrypts an encrypted payload
- Executes the payload in memory, typically as Cobalt Strike Beacon
The report summarizes this behavior as follows: “The BADAUDIO malware is a custom first-stage downloader… that downloads, decrypts, and executes an AES-encrypted payload from a hard-coded command and control (C2) server.”
GTIG notes that in one confirmed case, the decrypted payload was Cobalt Strike Beacon, tagged with a unique watermark previously linked to APT24.
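The exfiltration step described above (encrypted system information carried in the cookies of GET requests) is the kind of traffic that is easy to miss in proxy logs because the cookie header is rarely inspected. The following detection heuristic is an added example written for this article and is not code from GTIG or from the BADAUDIO sample: it parses constructed proxy log lines (the log format, host names and the base64 blob are all assumptions), and flags GET requests whose cookie values are long, drawn from an encoding alphabet and high in Shannon entropy, which is what an AES-encrypted, encoded blob looks like compared with an ordinary session cookie.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for an AES-encrypted blob: 96 pseudo-random bytes, base64-encoded (128 chars).
_BLOB = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))).decode()

# Constructed proxy log lines (not from the GTIG report): method, host, path, Cookie header.
SAMPLE_LOGS = [
    'GET www.example.test /index.html cookie="session=abc123; lang=en"',
    'GET www.example.test /news cookie="tracking=' + "a" * 80 + '"',
    'GET c2.example.test /api/v1/check cookie="id=' + _BLOB + '"',
    'POST www.example.test /login cookie="id=' + _BLOB + '"',
]

# Assumed log layout; adapt the pattern to the proxy or WAF format actually in use.
LOG_RE = re.compile(r'^(?P<method>\S+) (?P<host>\S+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"$')
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")  # base64 or url-safe base64 alphabet


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; ~0 for repeated characters, close to 6 for base64 of random bytes."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_cookie_header(header: str) -> dict[str, str]:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; pairs without '=' are ignored."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def suspicious_cookie_values(header: str, min_len: int = 64, min_entropy: float = 4.5):
    """Return (name, length, entropy) for cookie values that look like encoded ciphertext."""
    flagged = []
    for name, value in parse_cookie_header(header).items():
        if len(value) < min_len or not ENCODED_RE.match(value):
            continue
        entropy = shannon_entropy(value)
        if entropy >= min_entropy:
            flagged.append((name, len(value), round(entropy, 2)))
    return flagged


def scan_log(lines):
    """Flag GET requests carrying ciphertext-like cookie values; other methods are left to other rules."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        flagged = suspicious_cookie_values(m["cookie"])
        if flagged:
            hits.append({"host": m["host"], "path": m["path"], "cookies": flagged})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOGS):
        print(hit)
```

The thresholds (64 characters, 4.5 bits per character) are starting points, not tuned values: legitimate sites do set long opaque cookies, so the hit list is a triage queue to correlate with destination reputation and process telemetry rather than a verdict on its own.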
The code-level sophistication of BADAUDIO stands out. GTIG highlights the use of control flow flattening, a deep obfuscation technique that transforms readable logic into a tangled, state-based dispatcher.
“The malware is engineered with control flow flattening… forcing analysts to manually trace each execution path and significantly impeding… reverse engineering efforts.”
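To make the quoted description concrete, the following added example (written for this article, not code from the BADAUDIO sample) shows the same small routine in readable form and in a control-flow-flattened form, where every basic block becomes one case of a dispatcher loop and the real order is hidden in the state assignments. It also shows the analyst's side of the work: once the state transitions have been recorded from the dispatcher, a short graph walk recovers every execution path, which is exactly the manual tracing the report describes. The state constants and block labels are constructed.

```python
# Readable version of a small routine: the order of operations is visible in the source.
def readable(x: int) -> int:
    x = x + 3
    x = x * 2
    if x > 10:
        x = x - 1
    return x


# Flattened version of the same routine (constructed for illustration). Each basic block is one
# case of the dispatcher; control flow only exists as assignments to 'state', so a disassembler
# shows a loop over a switch instead of the straight-line logic above.
def flattened(x: int) -> int:
    state = 0x2F
    while True:
        if state == 0x2F:
            x = x + 3
            state = 0x11
        elif state == 0x11:
            x = x * 2
            state = 0x33 if x > 10 else 0x07
        elif state == 0x33:
            x = x - 1
            state = 0x07
        elif state == 0x07:
            return x


# Transition table an analyst records while reading the dispatcher: state -> (block label, successor states).
TRANSITIONS = {
    0x2F: ("add3", [0x11]),
    0x11: ("mul2", [0x33, 0x07]),
    0x33: ("sub1", [0x07]),
    0x07: ("return", []),
}


def recover_paths(transitions, entry):
    """Depth-first walk over the dispatcher's state graph; returns every block sequence from entry to exit."""
    paths = []

    def walk(state, path, seen):
        label, successors = transitions[state]
        path = path + [label]
        if not successors:
            paths.append(path)
            return
        for nxt in successors:
            if nxt not in seen:  # guard against loops in the state graph
                walk(nxt, path, seen | {nxt})

    walk(entry, [], {entry})
    return paths


if __name__ == "__main__":
    for path in recover_paths(TRANSITIONS, 0x2F):
        print(" -> ".join(path))
```

Real protectors add opaque predicates, dead states and arithmetic on the state variable so the table cannot be read off as easily as here, but the recovery principle is the same: resolve each state assignment, rebuild the successor graph, and re-link the blocks.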
BADAUDIO is typically delivered as a malicious DLL and executed via DLL Search Order Hijacking (MITRE ATT&CK T1574.001). GTIG observed multi-file execution chains—including VBS, BAT, and LNK files—to automate installation and persistence.
GTIG outlines a clear progression of APT24’s delivery methods:
- Strategic Web Compromise (2022–2023)
- Supply Chain Compromise of a Taiwanese Marketing Firm (2024–2025)
- Targeted Spear-Phishing Campaigns (2025)
1. Strategic Web Compromises
Beginning in November 2022, APT24 compromised more than 20 legitimate websites focused on industrial and recreational sectors.
The injected JavaScript performs:
- Browser & OS filtering (excluding macOS, iOS, Android)
- Fingerprinting using FingerprintJS
- Conditional pop-ups impersonating Chrome updates
GTIG explains, “Upon successful validation, the victim was presented with a fabricated pop-up dialog engineered to trick the user into downloading and executing BADAUDIO malware.”
2. Massive Supply Chain Attack via Taiwanese Marketing Firm
One of the most impactful developments occurred in mid-2024: “In July 2024, APT24 compromised a regional digital marketing firm in Taiwan, a supply chain attack that impacted more than 1,000 domains.”
GTIG observed:
- Repeated re-compromises of the firm
- A maliciously modified JavaScript library
- A multi-stage infection chain concealed inside JSON files
- Exfiltration of fingerprinting data via POST requests
- Conditional deployment of BADAUDIO
The report emphasizes the sophistication: “The highly obfuscated script… was deliberately placed within a maliciously modified JSON file… This tactic effectively concealed the final payload.”
For ten days in August 2025, the attackers removed the conditional targeting checks, infecting the entire ecosystem of 1,000+ client websites simultaneously.
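Both delivery methods described so far (the injected script on compromised sites in section 1 and the modified third-party library with a stage hidden in JSON files in section 2) come down to a site serving script content that differs from what its operators pinned. The following added example, written for this article and not code from GTIG or from the compromised firm, shows two complementary checks a site owner or web security team can run: verifying served assets against pinned Subresource Integrity (SRI) hashes, and scanning for the content markers the report describes (platform filtering, fingerprinting-library references, dynamic script insertion, and executable strings inside a file that parses as JSON). The URLs, the library text and the JSON document are constructed samples, not material from the campaign.

```python
import base64
import hashlib
import json
import re


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a served asset, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Content heuristics for a tampered script. Each hit is a reason to look closer, not proof of compromise.
JS_MARKERS = [
    ("dynamic code execution", re.compile(r"\b(eval|Function)\s*\(")),
    ("platform filtering", re.compile(r"navigator\.(platform|userAgent)")),
    ("fingerprinting library", re.compile(r"FingerprintJS|fpjs", re.I)),
    ("script injection", re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")),
]


def script_markers(text: str) -> list[str]:
    return [name for name, rx in JS_MARKERS if rx.search(text)]


def json_hides_script(text: str) -> bool:
    """True when a document parses as JSON but one of its string values looks like executable JavaScript."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, str) and script_markers(node):
            return True
    return False


def audit_assets(baseline: dict[str, str], served: dict[str, bytes]) -> list[tuple[str, str]]:
    """Compare served third-party assets against pinned SRI hashes and scan their content for markers."""
    findings = []
    for url, content in served.items():
        text = content.decode("utf-8", "replace")
        pinned = baseline.get(url)
        if pinned is not None and pinned != sri_hash(content):
            findings.append((url, "integrity mismatch"))
        if url.endswith(".js"):
            findings.extend((url, marker) for marker in script_markers(text))
        elif url.endswith(".json") and json_hides_script(text):
            findings.append((url, "executable content inside JSON"))
    return findings


# Constructed assets: the library as originally pinned, a tampered copy that filters by platform and
# inserts a script tag, and a JSON "config" file carrying an executable string.
CLEAN_LIB = b"function track(e){return e.id}"
TAMPERED_LIB = (
    b"if(!/Mac|iPhone|Android/.test(navigator.platform)){"
    b"var s=document.createElement('script');s.src='/assets/data.json';document.head.appendChild(s)}"
    + CLEAN_LIB
)
HIDDEN_STAGE_JSON = json.dumps({"theme": "dark", "loader": "eval(window.name)"}).encode()

PINNED = {"https://cdn.example.test/lib.js": sri_hash(CLEAN_LIB)}
SERVED = {
    "https://cdn.example.test/lib.js": TAMPERED_LIB,
    "https://cdn.example.test/assets/data.json": HIDDEN_STAGE_JSON,
}

if __name__ == "__main__":
    for url, finding in audit_assets(PINNED, SERVED):
        print(url, "->", finding)
```

The hash check is the one that matters in a supply-chain scenario: a browser given `<script src="..." integrity="sha384-...">` refuses to run a modified library at all, so pinning third-party scripts removes the vendor's servers from the trust boundary. The content markers are a second line for assets that cannot be pinned because they legitimately change, and they should be tuned against a clean crawl of the site before alerts are wired to them.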
3. Precision Spear-Phishing and Cloud Abuse
APT24 complemented its large-scale operations with targeted phishing: “Lures, such as an email purporting to be from an animal rescue organization, leveraged social engineering to elicit user interaction.”
These campaigns also abused cloud platforms:
- Google Drive
- Microsoft OneDrive
GTIG notes, “Separate campaigns abused legitimate cloud storage platforms including Google Drive and OneDrive to distribute encrypted archives containing BADAUDIO.”
The GTIG report highlights one of the most persistent, adaptive, and technically sophisticated PRC-nexus cyber campaigns observed in recent years.
Given the scale of the Taiwanese supply chain compromise and the sophisticated design of BADAUDIO, experts expect APT24’s campaigns to continue evolving.