
Redazione RHC: 24 November 2025 12:12
Researchers at the Google Threat Intelligence Group (GTIG) have uncovered details of an espionage campaign conducted by the Chinese group APT24. This activity has been ongoing for approximately three years, and the hackers are using the previously undocumented BadAudio malware in their attacks.
APT24 (also known as Pitty Tiger) attacks government agencies, as well as organizations in the healthcare, construction and engineering, mining, non-profit, and telecommunications sectors in the United States and Taiwan. According to Google, the group specializes in the theft of intellectual property, particularly information that gives organizations a competitive edge in their industries.
According to experts, since 2022, the malware has been spread to victims through various methods, including spear phishing, supply chain compromise, and watering-hole attacks.

From November 2022 to September 2025, APT24 compromised more than 20 legitimate websites across various domains by injecting malicious JavaScript. The script fingerprinted visitors (Windows systems only) and displayed a fake pop-up window informing victims of the need to update their software (in reality, the window downloaded the BadAudio malware).
The researchers also write that since July 2024, attackers have repeatedly hacked an unnamed Taiwanese marketing company that provides JavaScript libraries to its clients. The attackers injected malicious code into a widely used library and registered a domain name disguised as a legitimate CDN. This combination allowed the attackers to compromise over 1,000 domains.
From late 2024 to July 2025, APT24 attacked the same Taiwanese company again, but this time the attackers injected obfuscated JavaScript code into a modified JSON file. Once executed, the script collected information about website visitors and sent a base64 report to the command and control server.
Alongside this activity, starting in August 2024, the group launched spear-phishing campaigns in which the hackers posed as animal rescue organizations. APT24's emails contained hidden tracking pixels, which helped confirm that the recipient had opened the message.
Researchers report that some attacks used Google Drive and OneDrive (rather than the hackers’ own servers) to collect data, though such abuses were often blocked. They also note that in at least one case, a Cobalt Strike beacon was distributed via BadAudio.

The BadAudio malware is a heavily obfuscated downloader that relies on DLL search-order hijacking so that a legitimate application loads the malicious library.
The malware also uses a sophisticated obfuscation technique (control-flow flattening) that breaks linear code into discrete blocks whose execution order is decided by a central "dispatcher." This complicates both automatic and manual analysis.
Once launched, BadAudio collects basic system data (hostname, username, architecture information), encrypts it with a hard-coded AES key, and transmits it to the attackers' server. The encrypted payload is then downloaded and, after decryption, executed in memory via DLL sideloading.
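To show what the dispatcher-style obfuscation described above does to a function, and how an analyst recovers the original control flow from it, here is an added Python model; it is not BadAudio's code, and all block names, state constants and the sample logic are constructed for the illustration.

```python
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

# A flattened function: every basic block lives in a table keyed by an opaque
# state constant, and a dispatcher loop picks the next block from that state.
# Constructed sample logic: count bytes >= 0x80 in a buffer.
Block = Tuple[str, Tuple[int, ...], Callable[[dict], Optional[int]]]
ENTRY = 0x5A3C  # constructed state value, not taken from BadAudio

def _init(c): c["i"] = 0; c["hi"] = 0; return 0x2E19
def _cond(c): return 0x7B04 if c["i"] < len(c["buf"]) else None  # None = exit
def _test(c): return 0x1C88 if c["buf"][c["i"]] >= 0x80 else 0x4D51
def _count(c): c["hi"] += 1; return 0x4D51
def _step(c): c["i"] += 1; return 0x2E19

# (name, static successor states, block body)
FLAT: Dict[int, Block] = {
    0x5A3C: ("init",  (0x2E19,),        _init),
    0x2E19: ("cond",  (0x7B04,),        _cond),
    0x7B04: ("test",  (0x1C88, 0x4D51), _test),
    0x1C88: ("count", (0x4D51,),        _count),
    0x4D51: ("step",  (0x2E19,),        _step),
}

def run_flattened(buf: bytes) -> int:
    """The dispatcher: a loop that selects each next block from the state value."""
    ctx = {"buf": buf}
    state: Optional[int] = ENTRY
    while state is not None:
        _, _, body = FLAT[state]
        state = body(ctx)
    return ctx["hi"]

def count_high_bytes(buf: bytes) -> int:
    """Straight-line reference implementation of the same logic."""
    return sum(1 for b in buf if b >= 0x80)

def recover_cfg(table: Dict[int, Block], entry: int) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Analyst-side recovery: rebuild block edges and a linear block order from the
    successor constants each block carries, without executing any block body."""
    order: List[str] = []
    edges: List[Tuple[str, str]] = []
    seen, queue = set(), deque([entry])
    while queue:
        s = queue.popleft()
        if s in seen:
            continue
        seen.add(s)
        name, successors, _ = table[s]
        order.append(name)
        for n in successors:
            edges.append((name, table[n][0]))
            queue.append(n)
    return order, edges
```

In a real sample the successor constants are the values the dispatcher compares against, so the same walk is done over the disassembly rather than over a Python table.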
Experts note that of the eight BadAudio samples detected, only two are recognized by over 25 antivirus solutions listed on VirusTotal. The remaining samples (created on December 7, 2022) are detected by up to five security solutions.