
China-Linked APT24 Shifts Tactics, Delivers BadAudio Via Supply Chain Attacks

APT24, a sophisticated cyber espionage group linked to China, has been running a relentless three-year campaign using BadAudio, a heavily obfuscated first-stage downloader. The malware is designed to establish persistent network access to targeted organizations.

The threat actor has demonstrated remarkable adaptability, pivoting from broad strategic web compromises to precisely targeted attacks focused heavily on Taiwan-based entities. This operational evolution shows an alarming trend of combining multiple attack vectors, including supply chain compromises of regional digital marketing firms and spear-phishing campaigns that exploit organizational trust.

The Evolution of BadAudio

The emergence of BadAudio represents a significant escalation in APT24’s technical capabilities. Beginning in November 2022, the group weaponized over twenty legitimate websites by injecting malicious JavaScript payloads. This watering hole approach redirected unsuspecting visitors to attacker-controlled infrastructure, demonstrating the group’s willingness to cast a wide net while selectively targeting victims identified through advanced fingerprinting techniques.

Google Cloud security analysts identified BadAudio as a custom first-stage downloader written in C++. It is engineered to download, decrypt, and execute AES-encrypted payloads from hardcoded command-and-control servers. The malware quietly collects basic system information such as hostname and username, encrypts it, and embeds it in cookie parameters sent to attacker-controlled endpoints. This subtle beaconing technique significantly complicates traditional network-based detection, enabling prolonged persistence without triggering security alerts.
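The beaconing pattern described above (an encrypted blob of host data carried in a cookie, sent repeatedly to a fixed endpoint) is something a defender can look for in proxy logs. The following is an added example written for this article, not code from Google's report or from BadAudio: it scans constructed proxy log lines, flags cookies whose value is a long base64 token that decodes to non-printable bytes (i.e. looks encrypted rather than like a session identifier), and flags source/destination pairs whose request timing is near-constant. All hostnames, addresses, timestamps and the cookie blob are constructed for the example and assumed to be what a proxy log would carry.

```python
"""Flag cookie-carried, periodic beacons in proxy logs (constructed example)."""
import base64
import binascii
import statistics
import re
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for an encrypted host/user blob: hand-typed bytes, not
# output from any real sample.  It deliberately contains bytes below 0x20.
FAKE_BLOB = bytes.fromhex(
    "9c0317f24ae1b08d7f00c45a6b2de9113a8f54c07e61d2b9"
    "04ff1e8a3c7b6d5e2f9a0b1c8d7e6f5a4b3c2d1e0f9a8b7c"
)
FAKE_COOKIE = "sid=" + base64.b64encode(FAKE_BLOB).decode()
BENIGN_COOKIE = "PHPSESSID=abc123def456; lang=en-US"

# Constructed proxy log.  Format assumed for the example:
# "<iso-timestamp> <src-ip> <dst-host> <path> <Cookie header value>"
SAMPLE_LOG = f"""\
2024-03-01T10:00:00 10.0.0.5 cdn.update-example.test /v1/ping {FAKE_COOKIE}
2024-03-01T10:01:12 10.0.0.7 www.news-example.test /index.html {BENIGN_COOKIE}
2024-03-01T10:05:00 10.0.0.5 cdn.update-example.test /v1/ping {FAKE_COOKIE}
2024-03-01T10:10:00 10.0.0.5 cdn.update-example.test /v1/ping {FAKE_COOKIE}
2024-03-01T10:13:40 10.0.0.7 www.news-example.test /article/42 {BENIGN_COOKIE}
2024-03-01T10:15:00 10.0.0.5 cdn.update-example.test /v1/ping {FAKE_COOKIE}
"""

# A base64 run of at least 32 characters (tunable threshold for the example).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
MAX_JITTER = 0.2  # pstdev/mean of inter-request gaps below this counts as periodic


def looks_encrypted_token(cookie: str) -> bool:
    """True if the cookie holds a long base64 token that decodes to binary data."""
    for match in B64_TOKEN.finditer(cookie):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        # Session ids and tracking tokens decode to printable text (or fail);
        # ciphertext almost always contains bytes outside printable ASCII.
        if any(b < 0x20 or b > 0x7E for b in decoded):
            return True
    return False


def parse_log(log_text: str):
    """Yield (timestamp, src, host, cookie) from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _path, cookie = line.split(None, 4)
        yield datetime.fromisoformat(ts), src, host, cookie


def analyze(log_text: str) -> dict:
    """Per (src, host): request count, periodicity, and opaque-cookie flag."""
    times = defaultdict(list)
    opaque = defaultdict(bool)
    for ts, src, host, cookie in parse_log(log_text):
        times[(src, host)].append(ts)
        opaque[(src, host)] |= looks_encrypted_token(cookie)

    report = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = False
        if len(gaps) >= 2:
            jitter = statistics.pstdev(gaps) / statistics.mean(gaps)
            periodic = jitter < MAX_JITTER
        report[key] = {"requests": len(stamps), "periodic": periodic,
                       "opaque_cookie": opaque[key]}
    return report


def flag_beacons(log_text: str) -> list:
    """Return (src, host) pairs that beacon periodically with an opaque cookie."""
    return sorted(k for k, v in analyze(log_text).items()
                  if v["periodic"] and v["opaque_cookie"])


if __name__ == "__main__":
    for src, host in flag_beacons(SAMPLE_LOG):
        print(f"suspected beacon: {src} -> {host}")
```

The two signals are intentionally combined: a lone high-entropy cookie is common on legitimate sites, and regular polling is common for software updaters, but an encrypted-looking cookie sent on a fixed cadence to one host is a much narrower pattern. In practice the thresholds (token length, jitter bound) need tuning against the environment's baseline, and the same logic can be run over web-proxy or NetFlow-enriched HTTP logs rather than the constructed format used here.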

Technical Sophistication and Delivery

The technical sophistication of BadAudio includes control flow flattening, an advanced obfuscation technique that systematically dismantles a program’s natural logic structure to hinder analysis.
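To make the obfuscation concrete, the following added example (illustration code written for this article, not code from BadAudio or from the report) shows a small routine in its natural form and in a control-flow-flattened form. In the flattened version every basic block becomes one case of a single dispatcher loop driven by a state variable, so the original loop and branch structure is no longer visible in the control-flow graph. The state constants are arbitrary values chosen for the example. It also shows the analyst's usual countermeasure: trace the dispatcher's state transitions to recover the real block graph.

```python
"""Control-flow flattening, illustrated (constructed example, not BadAudio code)."""

MASK = 0xFFFF


def natural(data: bytes) -> int:
    """Plain version: a running checksum with one loop and one branch."""
    acc = 0
    for b in data:
        if b & 1:
            acc = (acc + b) & MASK
        else:
            acc = (acc ^ (b << 1)) & MASK
    return acc


# Dispatcher states: arbitrary constants for the example.  In real flattened
# binaries they are typically large, unrelated-looking integers.
S_INIT, S_TEST, S_ODD, S_EVEN, S_NEXT, S_DONE = (
    0x3A1F, 0x77B2, 0x15C9, 0x5E04, 0x2D8B, 0x6F10)


def flattened(data: bytes, trace=None) -> int:
    """Same computation as natural(), but every block hangs off one dispatcher.

    If `trace` is a list, each visited state is appended to it, which is what
    an analyst does with a debugger or emulator to recover the block order.
    """
    acc = i = b = 0
    state = S_INIT
    while True:                       # the dispatcher loop
        if trace is not None:
            trace.append(state)
        if state == S_INIT:           # block 0: prologue
            acc, i = 0, 0
            state = S_TEST
        elif state == S_TEST:         # block 1: loop condition
            if i < len(data):
                b = data[i]
                state = S_ODD if b & 1 else S_EVEN
            else:
                state = S_DONE
        elif state == S_ODD:          # block 2: 'if' arm
            acc = (acc + b) & MASK
            state = S_NEXT
        elif state == S_EVEN:         # block 3: 'else' arm
            acc = (acc ^ (b << 1)) & MASK
            state = S_NEXT
        elif state == S_NEXT:         # block 4: loop increment
            i += 1
            state = S_TEST
        elif state == S_DONE:         # block 5: epilogue
            return acc


def recover_edges(data: bytes) -> set:
    """Run the flattened routine under trace and return the observed
    (from_state, to_state) edges, i.e. the real control-flow graph that the
    dispatcher hides statically."""
    trace = []
    flattened(data, trace)
    return set(zip(trace, trace[1:]))


if __name__ == "__main__":
    sample = b"\x01\x02"
    print(natural(sample), flattened(sample))
    for src, dst in sorted(recover_edges(sample)):
        print(f"{src:#06x} -> {dst:#06x}")
```

Statically, the flattened function's graph is a star: every block returns to the dispatcher, so a decompiler shows one big switch rather than a loop with a branch inside. Dynamic tracing (or symbolic execution of the state variable) recovers the seven real edges, which is why analysts tackle flattened samples with emulation rather than by reading the listing.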

The malware appears primarily as a malicious Dynamic Link Library (DLL) that relies on DLL search order hijacking to gain execution through legitimate applications. Recent variants arrive in encrypted archives containing the BadAudio DLLs alongside VBS, BAT, and LNK files that automate placement and persistence. Subsequent payloads, decrypted with hardcoded AES keys, have been confirmed as Cobalt Strike Beacon in the identified instances, granting full remote access to compromised networks.

APT24 has recently pivoted toward more targeted delivery mechanisms. The group has carried out supply chain compromises of regional digital marketing firms in Taiwan, enabling attacks that affect multiple downstream organizations at once. Phishing campaigns have also been observed using social engineering lures, including misleading emails purporting to come from animal rescue organizations, which drive direct malware downloads from attacker-controlled infrastructure. The group further abuses legitimate cloud storage platforms, including Google Drive and OneDrive, to distribute the encrypted archives, trading on trusted services to evade scrutiny.
