BadAudio malware: How APT24 scaled its cyberespionage through supply chain attacks
- Nov 23, 2025
- 2 min read
Key Findings
China-linked APT24 group used supply-chain attacks and multiple techniques over three years to deploy the BadAudio downloader and additional malware payloads
The group shifted from broad web compromises to more advanced techniques targeting Taiwan, including repeated supply-chain attacks through a compromised marketing firm and spear-phishing attacks
BadAudio is a custom C++ first-stage downloader that pulls an AES-encrypted payload from a fixed C2 server and runs it directly in memory
BadAudio uses heavy control-flow flattening to hinder analysis and is delivered as a DLL that a legitimate executable loads through DLL search-order hijacking (sideloading)
Background
APT24 has spent three years refining how it delivers the BadAudio malware, shifting from broad strategic web compromises to more focused supply-chain attacks and spear-phishing. The group's early campaigns injected malicious JavaScript into over 20 legitimate sites, fingerprinted visitors, and pushed fake update pop-ups to infect selected Windows targets.
Supply Chain Attacks
In 2024, APT24 escalated by compromising a Taiwanese digital marketing firm, repeatedly reinfecting it and exposing more than 1,000 domains that loaded the firm's code. The attackers hid malicious code inside modified JS and JSON files, used advanced fingerprinting, exfiltrated reconnaissance data, and served BadAudio selectively, with C2-side logic deciding which visitors received it.
Malware Capabilities
BadAudio works as a custom C++ first-stage downloader that pulls an AES-encrypted payload from a fixed C2 server and runs it directly in memory. It gathers basic host details and encodes them into a cookie value on the request for the next-stage payload, which in some cases has been identified as Cobalt Strike Beacon.
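The passage above describes host details smuggled in a cookie on the request for the next stage. The following is an added example, not code from the page or from the reporting it summarizes: a detection heuristic run over constructed proxy log lines that flags cookie values which decode to readable text (a normal session token decodes to opaque bytes, smuggled host info does not) and notes when the destination is a bare IP, as a fixed C2 server often is. The log format, the cookie name PHPSESSID, the destination 203.0.113.7 and the base64-of-delimited-string encoding are all assumptions made for the demo; the real BadAudio cookie format is not given on the page.

```python
import base64
import binascii
import ipaddress
import math
from collections import Counter

# Constructed sample proxy log lines, pipe-delimited: ts|src|dst|method|path|cookie header.
# They are made up for this example and are not real APT24/BadAudio traffic. The encoding
# of the smuggled host details (base64 of a '|'-delimited string) is an assumption.
_HOST_INFO = b"WIN-TEST01|jdoe|10.0.0.25|Windows 10 Pro"
_SMUGGLED = base64.b64encode(_HOST_INFO).decode()

SAMPLE_LOGS = [
    "2025-11-20T09:01:02Z|10.0.0.25|intranet.example.local|GET|/portal|sid=ab12cd34ef56ab78cd90ef12ab34cd56",
    "2025-11-20T09:01:05Z|10.0.0.25|www.example.com|GET|/|_ga=GA1.2.123456789.1700000000; lang=en",
    f"2025-11-20T09:02:11Z|10.0.0.25|203.0.113.7|GET|/update/check|PHPSESSID={_SMUGGLED}",
    "2025-11-20T09:03:00Z|10.0.0.25|www.example.com|GET|/search|-",
]


def shannon_entropy(s: str) -> float:
    """Bits per character, reported for context only; random tokens and encoded text overlap."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_base64(value: str):
    """Strictly decode standard or URL-safe base64 (padding repaired); None if not base64."""
    candidate = value.replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_cookies(header: str):
    """Split 'a=1; b=2' into (name, value) pairs; '-' means no Cookie header was sent."""
    if header.strip() in ("", "-"):
        return []
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, value))
    return pairs


def analyze_line(line: str, min_len: int = 24, min_printable: float = 0.9):
    """Flag cookies long enough to carry data that base64-decode to mostly readable text."""
    ts, _src, dst, _method, path, cookie_header = line.split("|", 5)
    findings = []
    for name, value in parse_cookies(cookie_header):
        if len(value) < min_len:
            continue
        decoded = try_base64(value)
        if decoded is None or printable_ratio(decoded) < min_printable:
            continue  # not base64, or decodes to opaque bytes: looks like an ordinary session id
        findings.append({
            "ts": ts, "dst": dst, "path": path, "cookie": name,
            "entropy": round(shannon_entropy(value), 2),
            "decoded": decoded.decode("ascii", errors="replace"),
            "dst_is_ip": is_ip_literal(dst),  # fixed C2 reached by bare IP is a second signal
        })
    return findings


def scan(lines):
    out = []
    for line in lines:
        out.extend(analyze_line(line))
    return out


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Only the request to 203.0.113.7 is reported: its cookie decodes to `WIN-TEST01|jdoe|...`, while the hex session id decodes to bytes that are mostly non-printable and the Google Analytics cookie is not valid base64 at all. Expect false positives from sites that legitimately store JSON or URL-encoded state in cookies; in practice, pair this with the destination signal and with first-seen-domain data rather than alerting on the cookie check alone.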
Evasion Techniques
The malware uses heavy control-flow flattening to obscure its control flow and slow analysis. It usually arrives as a malicious DLL that a legitimate executable loads through DLL search-order hijacking (sideloading). Recent versions ship inside encrypted archives with BAT, VBS, and LNK files that place the DLL, set persistence, and trigger the sideload.
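The delivery chain above (archive, BAT/VBS/LNK stager, DLL dropped beside a legitimate executable) leaves a recognisable footprint on disk. The following is an added triage script, not code from the page or the underlying reporting: it walks a directory tree and reports any folder that holds an .exe together with a DLL whose name Windows would normally resolve from System32, plus any BAT/VBS/LNK files sitting alongside them. The DLL name list is an illustrative subset from general knowledge of search-order hijacking, not a list of names the page attributes to BadAudio, and the demo directory tree is constructed in a temp folder.

```python
import os
import tempfile
from pathlib import Path

# Illustrative subset of DLL names that Windows normally loads from System32 and that are
# frequently planted next to an application to hijack its search order. General knowledge,
# not taken from the page, and not specific to BadAudio.
COMMONLY_HIJACKED = {
    "version.dll", "userenv.dll", "dbghelp.dll", "wtsapi32.dll",
    "cryptsp.dll", "profapi.dll", "msimg32.dll", "dwmapi.dll",
}
# Stager file types named on the page as placing the DLL and triggering the sideload.
STAGER_EXTENSIONS = {".bat", ".vbs", ".lnk"}


def find_sideload_candidates(root):
    """Return folders containing an .exe plus a system-named DLL, with any co-located stagers.

    Point it at user-writable locations (profile, %TEMP%, Downloads); an application
    directory is allowed to contain its own DLLs, so only system DLL names are reported.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = {f.lower(): f for f in filenames}
        exes = sorted(f for f in names if f.endswith(".exe"))
        if not exes:
            continue  # a planted DLL with nothing to load it is not a sideload
        planted = sorted(f for f in names if f in COMMONLY_HIJACKED)
        if not planted:
            continue
        stagers = sorted(f for f in names if os.path.splitext(f)[1] in STAGER_EXTENSIONS)
        findings.append({
            "dir": dirpath,
            "exes": [names[e] for e in exes],
            "dlls": [names[d] for d in planted],
            "stagers": [names[s] for s in stagers],
        })
    return findings


def build_demo_tree() -> str:
    """Create a constructed directory tree for the demo (placeholder files, not real samples)."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    layout = {
        # looks like a staged sideload: an executable, a planted system-named DLL, a BAT stager
        "AppData/Roaming/UpdateHelper": ["helper.exe", "version.dll", "run.bat"],
        # an application with its own plugin DLL: no system DLL name, so not reported
        "AppData/Local/NotePlus": ["noteplus.exe", "noteplus_spell.dll"],
        # a hijackable DLL name with no executable beside it: nothing to sideload into
        "Downloads/stash": ["userenv.dll"],
    }
    for rel, files in layout.items():
        folder = Path(root, rel)
        folder.mkdir(parents=True)
        for name in files:
            (folder / name).write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit in find_sideload_candidates(demo_root):
        print(hit)
```

Only the UpdateHelper folder is reported. A hit is a lead, not a verdict: some applications legitimately ship a private copy of these DLLs, so compare the file's hash and signature against the vendor's copy in System32 before treating it as planted, and check whether the executable itself is a renamed copy of a trusted binary.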
Conclusion
This nearly three-year campaign is a clear example of the continued evolution of APT24's operational capabilities and highlights the sophistication of PRC-nexus threat actors. The use of advanced techniques like supply chain compromise, multi-layered social engineering, and the abuse of legitimate cloud services demonstrates the actor's capacity for persistent and adaptive espionage.
Sources
https://securityaffairs.com/184941/apt/badaudio-malware-how-apt24-scaled-its-cyberespionage-through-supply-chain-attacks.html
https://x.com/shah_sheikh/status/1992286516664582272
https://x.com/securityaffairs/status/1992280405320564904
https://x.com/hackplayers/status/1992286982718755281