Malware & Threats

Chinese Cyberspies Deploy ‘BadAudio’ Malware via Supply Chain Attacks

APT24 has been relying on various techniques to drop the BadAudio downloader and then deploy additional payloads.

APT24 BadAudio supply-chain

A Chinese threat actor tracked as APT24 has been observed employing multiple techniques to deploy malware as part of a three-year-long cyberespionage campaign, Google reports.

Also tracked as G0011, Pitty Panda, and Pitty Tiger, APT24 has been active since at least 2008, mainly relying on spear phishing and social engineering to achieve its goals.

As part of the long-standing campaign tracked by Google Threat Intelligence Group (GTIG), the APT has updated its techniques, adding strategic web compromises, and the repeated compromise of a regional digital marketing firm in supply chain attacks against organizations in Taiwan.

In these attacks, APT24 has used a custom C++ first-stage downloader dubbed BadAudio, designed to fetch, decrypt, and execute an AES-encrypted payload from its hardcoded command-and-control (C&C) server.

“The malware collects basic system information, encrypts it using a hard-coded AES key, and sends it as a cookie value with the GET request to fetch the payload,” which is decrypted using the same key, and then executed in memory, GTIG explains.

BadAudio is deployed as a DLL and uses search order hijacking for execution. Recent versions have been dropped in archives also containing VBS, BAT, and LNK files, designed to automate the malware’s placement, to achieve persistence, and trigger the DLL’s sideloading.

Advertisement. Scroll to continue reading.

In one attack, the hackers used BadAudio to deploy a Cobalt Strike beacon containing a relatively unique watermark observed in another APT24 campaign. However, it is unclear if Cobalt Strike was deployed in all incidents.

Starting in November 2022, the APT has compromised at least 20 websites, injecting a malicious JavaScript payload that would target Windows systems for reconnaissance and victim validation. Subsequently, a pop-up dialog would be displayed to convince the victim to download and run BadAudio.

In July 2024, the hackers compromised a regional digital marketing firm in Taiwan, affecting over 1,000 domains as part of the supply chain attack. Over the past year, the APT re-compromised the firm multiple times.

Initially, the threat actor injected a malicious script into a JavaScript library provided by the marketing firm. In a re-compromise identified in July 2025, they placed the script in a JSON file loaded by another modified JavaScript file.

In June 2025, the APT employed conditional script loading based on the ID of the websites loading the compromised third-party scripts, pointing to the tailored targeting of a single domain. In August, however, the conditions were lifted and 1,000 sites loaded the malicious script.

Simultaneously, the group conducted highly targeted social engineering attacks. It was also seen abusing legitimate cloud storage platforms for malware distribution and using pixel tracking links to keep track of victims opening their emails.

“This nearly three-year campaign is a clear example of the continued evolution of APT24’s operational capabilities and highlights the sophistication of [China]-nexus threat actors. The use of advanced techniques like supply chain compromise, multi-layered social engineering, and the abuse of legitimate cloud services demonstrates the actor’s capacity for persistent and adaptive espionage,” GTIG notes.

Related: MI5 Warns Lawmakers That Chinese Spies Are Trying to Reach Them via LinkedIn

Related: CISA Updates Guidance on Patching Cisco Devices Targeted in China-Linked Attacks

Related: Google Says Chinese ‘Lighthouse’ Phishing Kit Disrupted Following Lawsuit  

Related: Chinese APT Uses ‘Airstalk’ Malware in Supply Chain Attacks

Related Content

Network Security

Cisco says the threat actor behind the LapDogs campaign has expanded its SOHO router malware toolkit with LongLeash, DogLeash, and JarLeash backdoors.

Cybercrime

The threat actor uses modular RATs and information stealers in financially motivated and cyber espionage campaigns.

Malware & Threats

The threat actor is focused on collecting credentials, SSH keys, cryptocurrency wallets, and development tooling.

Cybercrime

Threat actors are selling investment scam templates created using the legitimate DCloud Uni-App toolkit.

Malware & Threats

Turla has been using the backdoor against government and military organizations in Ukraine for espionage.

Cybercrime

Hundreds of C&C servers were disrupted in an operation involving law enforcement and several cybersecurity companies.

Malware & Threats

Mistic is used by Woodgnat, an initial access broker working with Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

Malware & Threats

CryptoBandits uses a local SOCKS5 proxy for traffic routing, blending data theft with remote code execution.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version