APT24 Used ‘BadAudio’ Malware in 3-Year Espionage Campaign Hitting 1,000+ Sites
Google has disclosed a years-long espionage operation in which APT24, a China-linked threat group, deployed a previously unknown malicious tool called BadAudio. The campaign stretched across three years, gradually shifting toward more covert techniques and targeting both individual devices and elements of the broader supply chain. Although the malware had been in active use for a considerable time, it was only recently identified through analysis conducted by the Google Threat Intelligence Group.
According to researchers, the malicious code propagated through several vectors. Since 2022, APT24 actors have distributed it via phishing emails, fraudulent software updates, and compromised websites. Over the course of three years, more than twenty legitimate sites were altered to host injected scripts. These snippets profiled incoming visitors and, upon matching certain criteria, triggered a fake Windows-style update popup prompting users to download BadAudio.
The operation later pivoted toward attacks on web-component suppliers. In the summer of 2024, APT24 repeatedly breached the infrastructure of a Taiwanese marketing firm responsible for distributing JavaScript libraries. Through this access, the attackers embedded malicious code into a widely used component and registered a domain crafted to resemble a legitimate content-delivery service.
This combination enabled silent interference across more than a thousand websites. By late 2024, the same company was targeted again—this time with attackers replacing a JSON file from which modified scripts were subsequently loaded. These scripts harvested visitor metadata and transmitted it to a remote server, where automated logic determined the next steps.
APT24 simultaneously conducted targeted email campaigns masquerading as animal-welfare organizations. To deliver BadAudio, they relied on cloud-storage platforms such as Google Drive and OneDrive, increasing the likelihood of trust. The emails contained tracking pixels to confirm whether they had been opened. While many were automatically blocked, a portion nonetheless reached intended recipients.
Google’s analysis shows that BadAudio was engineered for extreme resistance to scrutiny. Its logic is concealed within heavily obfuscated structures, including a flattened control-flow design in which execution is dispersed into isolated fragments governed by an internal state machine. The malware is launched through DLL search-order hijacking, causing a legitimate application to inadvertently load a malicious component.
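To make the flattened control flow described above concrete, here is an added toy example, constructed for illustration and not taken from BadAudio or from Google's report: a small checksum written plainly, followed by the same computation with its basic blocks dispatched by a state variable, which is roughly what an analyst faces when control flow has been flattened.

```python
"""Toy illustration of control-flow flattening (constructed example)."""


def checksum_plain(data: bytes) -> int:
    """Readable version: a small rolling checksum with a loop and a branch."""
    acc = 0
    for b in data:
        if b & 1:
            acc = (acc + b * 3) & 0xFFFF
        else:
            acc = (acc ^ (b << 1)) & 0xFFFF
    return acc


def checksum_flattened(data: bytes) -> int:
    """Same computation, flattened: each basic block becomes a numbered case,
    and a dispatcher loop picks the next block from a state variable instead
    of following the original loop/branch structure. The natural shape of the
    algorithm is no longer visible in the control-flow graph."""
    state, i, acc, b = 0, 0, 0, 0
    while True:
        if state == 0:          # loop head: any bytes left?
            state = 1 if i < len(data) else 5
        elif state == 1:        # load the current byte, choose a branch
            b = data[i]
            state = 2 if b & 1 else 3
        elif state == 2:        # odd-byte block
            acc = (acc + b * 3) & 0xFFFF
            state = 4
        elif state == 3:        # even-byte block
            acc = (acc ^ (b << 1)) & 0xFFFF
            state = 4
        elif state == 4:        # advance, then return to the loop head
            i += 1
            state = 0
        else:                   # exit block
            return acc


if __name__ == "__main__":
    sample = b"hello"  # constructed input
    print(checksum_plain(sample), checksum_flattened(sample))
```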
Once executed, BadAudio gathers device information, encrypts it using an embedded AES key, and sends it to a predetermined command-and-control server. It then downloads an encrypted payload, decrypts it, and executes it in memory through library-substitution techniques. In one observed instance, the loaded module was a Cobalt Strike Beacon, though this behavior was not consistent across all cases.
Despite years of deployment, BadAudio remains almost entirely undetected by security tools. Of the eight samples submitted to VirusTotal, only two were reliably flagged as malicious; the rest were detected by only a handful of engines, underscoring the tool’s sophistication and stealth. Google’s team emphasizes that the evolution of APT24’s methods reflects the group’s readiness for long-term, adaptive campaigns focused on reconnaissance and data collection.