Cybersecurity

Apt24 Deploys Badaudio In Years-long Espionage Hitting Taiwan And...

2025-11-21 0 views admin
Apt24 Deploys Badaudio In Years-long Espionage Hitting Taiwan And...

A China-nexus threat actor known as APT24 has been observed using a previously undocumented malware dubbed BADAUDIO to establish persistent remote access to compromised networks as part of a nearly three-year campaign.

"While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more sophisticated vectors targeting organizations in Taiwan," Google Threat Intelligence Group (GTIG) researchers Harsh Parashar, Tierra Duncan, and Dan Perez said.

"This includes the repeated compromise of a regional digital marketing firm to execute supply chain attacks and the use of targeted phishing campaigns."

APT24, also called Pitty Tiger, is the moniker assigned to a suspected Chinese hacking group that has targeted government, healthcare, construction and engineering, mining, nonprofit, and telecommunications sectors in the U.S. and Taiwan.

According to a July 2014 report from FireEye, the adversary is believed to be active as early as 2008, with the attacks leveraging phishing emails to trick recipients into opening Microsoft Office documents that, in turn, exploit known security flaws in the software (e.g., CVE-2012-0158 and CVE-2014-1761) to infect systems with malware.

Some of the malware families associated with APT24 include CT RAT, a variant of Enfal/Lurid Downloader called MM RAT (aka Goldsun-B), and variants of Gh0st RAT known as Paladin RAT and Leo RAT. Another notable malware put to use by the threat actor is a backdoor named Taidoor (aka Roudan).

APT24 is assessed to be closely related to another advanced persistent threat (APT) group called Earth Aughisky, which has also deployed Taidoor in its campaigns and has leveraged infrastructure previously attributed to APT24 as part of attacks distributing another backdoor referred to as Specas.

Both the malware strains, per an October 2022 report from Trend Micro, are designed to read proxy settings from a specific file "%systemroot%\\system32\\sprxx.dll."

The latest findings from GTIG show that the BADAUDIO campaign has been underway since November 2022, with the attackers using watering holes, supply chain compromises, and spear-phishing as initial access vectors.

A highly obfuscated malware written in C++, BADAUDIO uses control flow flattening to resist reverse engineering and acts as a first-stage downloader that's capable of downloading, decrypting, and executing an AES-encrypted payload from a hard-coded command and control

CVE Details

Affected Product: Google Threat

🏷️ Tags

securityhackcvemalwareattack

More from Cybersecurity

Update: Attackers Exploit Zero-day In End-of-life D-link Routers 2026

Update: Attackers Exploit Zero-day In End-of-life D-link Routers 2026

2026-01-07 0
Critical Jspdf Flaw Lets Hackers Steal Secrets Via Generated Pdfs - Complete Guide

Critical Jspdf Flaw Lets Hackers Steal Secrets Via Generated Pdfs - Complete Guide

2026-01-07 0
Phishers Exploit Office 365 Users Who Let Their Guard Down 2026 - Analysis

Phishers Exploit Office 365 Users Who Let Their Guard Down 2026 - Analysis

2026-01-07 0
Breaking: Logitech Options+, G Hub Macos Apps Break After Certificate Expires

Breaking: Logitech Options+, G Hub Macos Apps Break After Certificate Expires

2026-01-07 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views