
APT24 Deploys New BADAUDIO Malware in Long-Running Espionage Campaign

By Eng. Donya Bino

A China-aligned threat group known as APT24 has spent nearly three years quietly infiltrating networks across Taiwan using a previously unknown piece of malware named BADAUDIO, according to new findings from Google’s Threat Intelligence Group (GTIG).
GTIG researchers Harsh Parashar, Tierra Duncan, and Dan Perez said the group has moved away from its earlier, broad website compromises and now favors more precise intrusion methods that offer deeper and longer-lasting access. Central to this shift is the repeated breach of a well-known digital marketing firm in Taiwan, allowing the attackers to launch supply chain attacks through trusted third-party JavaScript libraries.
APT24, also tracked as Pitty Tiger, is believed to have been active since at least 2008. Over the years, the group has targeted government bodies, telecom firms, nonprofits, and high-value industries in the U.S. and Taiwan. Its operations often revolve around stealing intellectual property that could help Chinese state-owned enterprises gain competitive advantages.

Long History, Familiar Tactics
Earlier investigations from FireEye linked APT24 to a range of malware families such as CT RAT, MM RAT, variants of Gh0st RAT, and the Taidoor backdoor. The group has historically relied on spear-phishing emails carrying malicious documents that exploit well-known Microsoft Office vulnerabilities.
APT24 is also closely connected to another China-backed cluster known as Earth Aughisky, which has used overlapping infrastructure and delivered backdoors like Specas alongside Taidoor.

BADAUDIO: A New Stealthy Downloader
GTIG’s latest report reveals that BADAUDIO has been active since November 2022. Written in C++ and heavily obfuscated through control-flow flattening, the malware acts as a first-stage downloader. It extracts and sends basic system information to a command-and-control server, which then responds with an AES-encrypted payload. In at least one confirmed case, that payload was a Cobalt Strike Beacon.
The malware typically arrives as a malicious DLL launched through DLL Search Order Hijacking, using trusted applications to mask its execution. More recent versions have been delivered through encrypted archives packaged with VBS, BAT, and LNK files, creating a multi-layered and difficult-to-analyze execution chain.

Watering Holes and Supply Chain Compromise
Between late 2022 and early September 2025, APT24 compromised more than 20 legitimate websites, injecting JavaScript that fingerprinted visitors and served a fake Google Chrome update prompting them to download BADAUDIO. Notably, the script was configured to exclude macOS, iOS, and Android devices, signaling a clear focus on Windows targets.
The group escalated further in July 2024, when it breached a regional digital marketing firm. By tampering with a widely used JavaScript library distributed by the company, APT24 gained access to over 1,000 domains. A typosquatted CDN domain delivered the fingerprinting script and the malware download prompts.
A brief lapse in targeting restrictions in August 2025 exposed every website using the compromised library for ten days before the attackers reimposed selective filtering.
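The supply chain path described above hinges on a site loading a third-party script from a host that merely resembles the expected CDN. The following defender-side check is an added example, not code from GTIG or the original article: it audits the script URLs a crawler extracted from a page against an allowlist of expected CDN hosts and flags hosts that are unknown or within a small edit distance of an allowed host. All hostnames and URLs are constructed placeholders.

```python
"""Flag third-party <script src> hosts that are unknown or look like typosquats
of an expected CDN host. All hosts and URLs below are constructed examples."""
from urllib.parse import urlparse

# Hypothetical allowlist of CDN hosts a site is expected to load scripts from.
ALLOWED_HOSTS = {"cdn.example-marketing.test", "static.example-marketing.test"}

# Constructed list of script URLs, as a crawler might extract them from a page.
SAMPLE_SCRIPT_URLS = [
    "https://cdn.example-marketing.test/lib/tracker.min.js",
    "https://cdn.exampIe-marketing.test/lib/tracker.min.js",  # 'l' swapped for 'I'
    "https://static.example-marketing.test/widgets/chat.js",
    "https://updates.unrelated-host.test/chrome-update.js",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (typosquat) hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, allowed=ALLOWED_HOSTS, max_dist: int = 2) -> str:
    """Return 'allowed', 'typosquat' (within max_dist of an allowed host) or 'unknown'."""
    host = host.lower()
    if host in allowed:
        return "allowed"
    if any(edit_distance(host, ok) <= max_dist for ok in allowed):
        return "typosquat"
    return "unknown"


def audit_scripts(urls, allowed=ALLOWED_HOSTS):
    """Map each script URL to its verdict; anything not 'allowed' merits review."""
    return {u: classify_host(urlparse(u).hostname or "", allowed) for u in urls}


if __name__ == "__main__":
    for url, verdict in audit_scripts(SAMPLE_SCRIPT_URLS).items():
        print(f"{verdict:10s} {url}")
```

A 'typosquat' verdict is a stronger signal than 'unknown', because a near-miss of a host the site already trusts is exactly what a hijacked CDN reference looks like.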

Targeted Phishing for Additional Access
Since August 2024, APT24 has also carried out spear-phishing attacks using lures tied to an animal rescue organization. These emails, sent via Google Drive and Microsoft OneDrive, delivered encrypted archives containing BADAUDIO. Tracking pixels embedded in the messages allowed the group to confirm when targets opened the email and adjust follow-up attempts.
GTIG noted that the combined use of supply chain abuse, tailored phishing, and legitimate cloud services demonstrates the group’s ability to adapt and sustain long-term access for espionage purposes.

Additional Regional Activity Connected to China-Nexus Actors
Around the same time frame, security firm CyberArmor uncovered a separate but related espionage effort targeting government, media, and news organizations across Southeast Asia. Codenamed Autumn Dragon, the campaign targeted Laos, Cambodia, Singapore, the Philippines, and Indonesia.
Attackers used spear-phishing emails delivering a RAR archive exploiting a WinRAR vulnerability (CVE-2025-8088). This launched a batch script that established persistence and downloaded a second archive from Dropbox, triggering a DLL side-loading chain that communicated with operators via Telegram.
The final payload, a lightweight C++ implant, contacted a server on public.megadatacloud[.]com and supported commands for remote execution, file operations, and shellcode injection. Cloudflare-protected infrastructure and geo-restrictions hinted at deliberate, target-specific execution.

Source: The Hacker News

 


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067