APT24’s BADAUDIO Malware Campaign Uncovered: Targeted Taiwanese Domains in 3-Year Cyber Espionage Effort

APT24’s BADAUDIO Malware: A Three-Year Cyber Espionage Campaign Targeting Taiwan and Over 1,000 Domains

A sophisticated cyber espionage campaign has been uncovered, revealing that the China-linked threat actor known as APT24, or Pitty Tiger, has been deploying a previously undocumented malware named BADAUDIO. This operation, spanning nearly three years, has primarily targeted organizations in Taiwan, compromising over 1,000 domains.

APT24’s Evolution in Cyber Tactics

Historically, APT24 relied on broad strategic web compromises to infiltrate legitimate websites. However, recent findings indicate a shift towards more sophisticated methods, including supply chain attacks and targeted phishing campaigns. According to researchers from Google’s Threat Intelligence Group (GTIG), this evolution underscores the group’s adaptability and persistence in cyber espionage activities.

Targeted Sectors and Geographical Focus

APT24 has a history of targeting various sectors, including government, healthcare, construction and engineering, mining, non-profit, and telecommunications, primarily in the U.S. and Taiwan. Their operations are often aimed at intellectual property theft, focusing on information that provides competitive advantages to organizations.

Historical Context and Malware Arsenal

Active since at least 2008, APT24 has employed phishing emails containing malicious Microsoft Office documents to exploit known software vulnerabilities, such as CVE-2012-0158 and CVE-2014-1761. Their malware arsenal includes CT RAT, MM RAT (also known as Goldsun-B), and variants of Gh0st RAT like Paladin RAT and Leo RAT. Notably, they have also utilized a backdoor named Taidoor (aka Roudan).

Connection to Earth Aughisky

APT24 is closely associated with another advanced persistent threat group known as Earth Aughisky. Both groups have deployed Taidoor in their campaigns and have shared infrastructure in attacks distributing another backdoor referred to as Specas. These malware strains are designed to read proxy settings from a specific file located at %systemroot%\system32\sprxx.dll.

The BADAUDIO Campaign: A Deep Dive

The BADAUDIO campaign, active since November 2022, employs multiple initial access vectors, including watering holes, supply chain compromises, and spear-phishing. BADAUDIO is a highly obfuscated malware written in C++ that uses control flow flattening to resist reverse engineering. It functions as a first-stage downloader capable of downloading, decrypting, and executing an AES-encrypted payload from a hard-coded command and control (C2) server. The malware gathers and exfiltrates basic system information to the server, which responds with the payload to be executed on the host. In one observed instance, this payload was a Cobalt Strike Beacon.

Execution Mechanism and Infection Chain

BADAUDIO typically manifests as a malicious Dynamic Link Library (DLL) leveraging DLL Search Order Hijacking (MITRE ATT&CK T1574.001) for execution via legitimate applications. Recent variants indicate a refined execution chain involving encrypted archives containing BADAUDIO DLLs along with VBS, BAT, and LNK files.

Strategic Web Compromises and Supply Chain Attacks

Between November 2022 and early September 2025, APT24 compromised over 20 legitimate websites by injecting malicious JavaScript code. This code was designed to exclude visitors from macOS, iOS, and Android platforms, generate unique browser fingerprints using the FingerprintJS library, and serve fake pop-ups urging users to download BADAUDIO under the guise of a Google Chrome update.

In July 2024, the group escalated their tactics by breaching a regional digital marketing firm in Taiwan. They injected malicious JavaScript into a widely used JavaScript library distributed by the company, effectively hijacking more than 1,000 domains. The modified third-party script reached out to a typosquatted domain impersonating a legitimate Content Delivery Network (CDN) to fetch attacker-controlled JavaScript. This script fingerprinted the machine and served the pop-up to download BADAUDIO after validation.
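A defender-side check motivated by the lookalike-CDN technique described above, added here as an example and not code from GTIG's report: it parses a page's script includes, flags scripts from an allowlisted CDN that lack Subresource Integrity (which would have let the browser refuse a modified library), and flags hosts within two character edits of a trusted CDN name as typosquat candidates. The allowlist, the sample HTML and the lookalike hostname in it are constructed for the example, not taken from the campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: CDN hosts this site is expected to load scripts from.
TRUSTED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com", "cdn.jsdelivr.net"}


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one- or two-character lookalike hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _ScriptTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # html.parser already lowercases tag and attribute names
            self.tags.append(dict(attrs))


def audit_script_sources(html):
    """Return (severity, host, reason) for every external <script src> on the page."""
    parser = _ScriptTags()
    parser.feed(html)
    findings = []
    for attrs in parser.tags:
        host = (urlparse(attrs.get("src") or "").hostname or "").lower()
        if not host:
            continue  # same-origin relative path: outside this check's scope
        if host in TRUSTED_SCRIPT_HOSTS:
            if not attrs.get("integrity"):
                findings.append(("medium", host, "trusted CDN loaded without Subresource Integrity"))
            continue
        nearest = min(TRUSTED_SCRIPT_HOSTS, key=lambda t: edit_distance(host, t))
        if edit_distance(host, nearest) <= 2:
            findings.append(("high", host, f"lookalike of trusted host {nearest}"))
        else:
            findings.append(("low", host, "script from host outside the allowlist"))
    return findings


# Constructed sample page: a legitimate CDN include without SRI, a lookalike host, a local script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.jsdelivr.net/npm/lib@1/dist/lib.min.js"></script>
<script src="//cdn.jsde1ivr.net/npm/lib@1/dist/lib.min.js"></script>
<script src="/static/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for severity, host, reason in audit_script_sources(SAMPLE_HTML):
        print(severity, host, reason)
```

The same `edit_distance` comparison against the allowlist can be run over hostnames seen in proxy or DNS logs, which is where a fetch made from inside a compromised library (rather than from a script tag) would show up.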

Targeted Phishing Campaigns

Since August 2024, APT24 has conducted targeted phishing attacks using lures related to an animal rescue organization. These campaigns aimed to trick recipients into responding and ultimately deliver BADAUDIO via encrypted archives hosted on platforms like Google Drive and Microsoft OneDrive. The phishing emails included tracking pixels to confirm whether the emails were opened, allowing the attackers to tailor their efforts accordingly.

Implications and Recommendations

The use of advanced techniques such as supply chain compromises, multi-layered social engineering, and the abuse of legitimate cloud services demonstrates APT24’s capacity for persistent and adaptive espionage. Organizations, especially those in targeted sectors and regions, should enhance their cybersecurity measures by:

– Regularly updating and patching software to mitigate known vulnerabilities.

– Implementing robust email filtering to detect and block phishing attempts.

– Conducting employee training to recognize and report suspicious activities.

– Monitoring network traffic for unusual patterns that may indicate a compromise.

By adopting these proactive measures, organizations can better defend against sophisticated threat actors like APT24 and protect their sensitive information from cyber espionage activities.