APT24 Deploys BADAUDIO in Years-Long Espionage Hitting ... and More
- Nov 21, 2025
Key Findings
China-nexus threat actor APT24 (also called Pitty Tiger) has been using a previously undocumented malware called BADAUDIO in a nearly 3-year espionage campaign.
The campaign has targeted organizations in Taiwan, leveraging tactics like strategic website compromises, supply chain attacks, and targeted phishing.
BADAUDIO is a highly obfuscated C++ malware that serves as a first-stage downloader, capable of fetching and executing encrypted payloads from command-and-control servers.
From November 2022 to at least September 2025, APT24 is estimated to have compromised over 20 legitimate websites to deliver BADAUDIO via fake Chrome update prompts.
In a supply chain attack starting in July 2024, the group breached a Taiwanese digital marketing firm to inject malicious JavaScript into a widely used library, affecting over 1,000 domains.
Targeted phishing campaigns using lures related to an animal rescue organization have also been employed to deliver BADAUDIO via encrypted archives.
Background
APT24, also known as Pitty Tiger, is a suspected Chinese hacking group that has targeted various sectors, including government, healthcare, construction, engineering, mining, nonprofit, and telecommunications, primarily in the U.S. and Taiwan. The group has been active since as early as 2008, using tactics like phishing emails and exploiting vulnerabilities in Microsoft Office to infect systems.
Some of the malware families associated with APT24 include CT RAT, Enfal/Lurid Downloader (MM RAT), and variants of Gh0st RAT (Paladin RAT and Leo RAT). The group has also used a backdoor known as Taidoor (or Roudan) in its campaigns, which is closely linked to another APT group called Earth Aughisky.
Strategic Website Compromises
From November 2022 to at least early September 2025, APT24 is estimated to have compromised over 20 legitimate websites to deliver the BADAUDIO malware. The malicious JavaScript injected into these sites filters out visitors on macOS, iOS, and Android, generates a unique browser fingerprint for the remaining visitors, and presents a fake Google Chrome update prompt that downloads BADAUDIO.
Supply Chain Attack
In July 2024, APT24 breached a regional digital marketing firm in Taiwan, allowing the group to inject malicious JavaScript into a widely used library distributed by the company. This supply chain compromise affected over 1,000 domains, with the modified script reaching out to a typosquatted domain impersonating a legitimate CDN to fetch the attacker-controlled JavaScript and deliver BADAUDIO.
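As an added defensive example (not code from the report or any of its sources), the following Python audits a page's script tags for the two patterns described in the two sections above: external script hosts within a couple of edits of a known CDN hostname, as in the typosquatted-CDN technique, and inline scripts that gate on macOS/iOS/Android user agents while carrying a Chrome-update lure. The CDN allowlist, the heuristic patterns and the sample HTML are constructed assumptions, not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of CDN hosts this site is expected to load scripts from.
KNOWN_CDNS = {"cdnjs.cloudflare.com", "ajax.googleapis.com", "code.jquery.com"}
# Heuristics of my own (not indicators from the report): inline code that
# branches on macOS/mobile user agents and carries a Chrome update lure.
PLATFORM_GATE = re.compile(r"Macintosh|iPhone|iPad|Android", re.I)
UPDATE_LURE = re.compile(r"chrome.{0,40}?update", re.I | re.S)
# Simplified <script> extractor; a production audit would use a real HTML parser.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)

def edit_distance(a, b):
    # Levenshtein distance, used to spot look-alike CDN hostnames.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_html(html, known_cdns=KNOWN_CDNS):
    # Returns (finding, evidence, resembles) tuples; exact allowlist hits are skipped.
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname or ""
            close = [c for c in known_cdns if 0 < edit_distance(host, c) <= 2]
            if close:
                findings.append(("typosquat-cdn", host, close[0]))
        elif PLATFORM_GATE.search(body) and UPDATE_LURE.search(body):
            findings.append(("platform-gated-update-lure", body.strip()[:60], ""))
    return findings

# Constructed sample: one genuine CDN script, one look-alike host, one gated lure.
SAMPLE_HTML = """<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="//cdnjs.cloudfiare.com/lib/loader.js"></script>
<script>if (!/Macintosh|iPhone|iPad|Android/i.test(navigator.userAgent)) {
  showBanner("Your Chrome browser is out of date. Update now."); }</script>"""
```

Run `audit_html(SAMPLE_HTML)` to see both findings; a genuine allowlisted host produces none.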
Targeted Phishing
Since August 2024, APT24 has been conducting targeted phishing campaigns using lures related to an animal rescue organization to trick recipients into opening encrypted archives hosted on Google Drive and Microsoft OneDrive, which deliver the BADAUDIO malware.
Sources
https://thehackernews.com/2025/11/apt24-deploys-badaudio-in-years-long.html
https://www.cypro.se/2025/11/21/apt24-deploys-badaudio-in-years-long-espionage-hitting-taiwan-and-1000-domains/
https://x.com/TheCyberSecHub/status/1991842854491328660
https://techjacksolutions.com/apt24-deploys-badaudio-in-years-long-espionage-hitting-taiwan-and-1000-domainsthe-hacker-newsinfothehackernews-com-the-hacker-news/