A China-nexus threat actor has been conducting a sophisticated, multi-year espionage campaign using a custom malware downloader, compromising regional infrastructure and reaching over 1,000 global domains through strategic supply chain attacks. At the core of this operation is BADAUDIO, a highly obfuscated C++ first-stage downloader that employs advanced techniques like DLL search order hijacking and encrypted payload delivery to establish persistent remote access while evading detection.
Executive Summary
The APT24 espionage campaign, active since November 2022, leverages a previously undocumented, highly obfuscated malware variant called BADAUDIO, which serves as a first-stage downloader designed to establish persistent remote access and conduct reconnaissance within victim networks.
BADAUDIO is a C++ first-stage downloader built to resist both detection and analysis. Heavy control-flow flattening obscures its real logic from reverse engineers. On execution it collects basic host information (hostname, username, and system architecture), encrypts that data with a hard-coded AES key, and sends it to the C2 server inside cookie parameters of its HTTP requests. The attacker-controlled server answers with an AES-encrypted payload that the downloader decrypts and executes in memory, so the second stage never needs to touch disk and leaves few forensic artifacts.
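The beacon format described above, reduced to something a defender can hunt for: the script below is an added example (not BADAUDIO code and not a vendor signature) that scans constructed proxy-log lines for cookie values which decode to a block-aligned, mostly non-textual buffer sent to a host outside an allow-list. The page only says the host data is AES-encrypted and carried in cookie parameters; that the blob is base64-encoded, that the ciphertext is 16-byte aligned, the hostnames, the log format and the allow-list are all assumptions of the example.

```python
"""Hunt proxy logs for encrypted host-fingerprint blobs smuggled in Cookie headers.

Added example, not BADAUDIO code and not a vendor signature. The page says the
beacon carries AES-encrypted host data in cookie parameters; that the blob is
base64-encoded and block-aligned (CBC/ECB with padding) is an assumption here.
"""
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: first-party hosts that legitimately receive large opaque cookies
# (a defender fills this from their own asset inventory).
KNOWN_HOSTS = {"www.example.com", "login.example.com"}

# Constructed stand-in for a 64-byte AES ciphertext (4 blocks, every byte >= 0x80).
FAKE_CIPHERTEXT = bytes(range(128, 192))
BLOB = base64.b64encode(FAKE_CIPHERTEXT).decode()

# Constructed proxy log, tab-separated: timestamp, client, host, path, Cookie header.
SAMPLE_LOG = "\n".join([
    "2025-01-10T08:12:01Z\t10.0.0.15\twww.example.com\t/\tsession="
    + base64.b64encode(b"default-session").decode(),
    "2025-01-10T08:12:03Z\t10.0.0.15\tlogin.example.com\t/auth\tcsrftoken=abc123def456; lang=en",
    "2025-01-10T08:12:09Z\t10.0.0.15\tcdn-update.example.net\t/api/check\tuid=" + BLOB + "; lang=en",
])


@dataclass
class Hit:
    ts: str
    src: str
    host: str
    cookie_name: str
    decoded_len: int


def _try_b64(value: str) -> Optional[bytes]:
    """Strict base64 decode; a non-alphabet character or bad padding means 'not a candidate'."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_ciphertext(value: str, min_len: int = 32, block: int = 16) -> bool:
    """True if the value decodes to a block-aligned buffer that is mostly non-text.

    Session identifiers are usually short, not block-aligned, or printable, so
    the three conditions together cut most routine cookies out.
    """
    raw = _try_b64(value)
    if raw is None or len(raw) < min_len or len(raw) % block:
        return False
    printable = sum(32 <= b < 127 for b in raw)
    return printable / len(raw) < 0.6


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split 'a=1; b=2' into [('a', '1'), ('b', '2')] without decoding anything."""
    pairs = []
    for part in header.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            pairs.append((name, val))
    return pairs


def hunt(log_text: str, known_hosts=KNOWN_HOSTS) -> List[Hit]:
    """Return one Hit per suspicious cookie sent to a host outside the allow-list."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _path, cookie_hdr = line.split("\t", 4)
        if host in known_hosts:
            continue
        for name, val in parse_cookie_header(cookie_hdr):
            raw = _try_b64(val)
            if raw is not None and looks_like_ciphertext(val):
                hits.append(Hit(ts, src, host, name, len(raw)))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.ts} {h.src} -> {h.host}: cookie '{h.cookie_name}' carries {h.decoded_len} opaque bytes")
```

Feed hunt() real tab-separated lines in the same shape to run it against a proxy export. Expect false positives from encrypted first-party session cookies, which is what the allow-list is for, and tune min_len to the smallest beacon you are willing to miss.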
Historical Context – Associated CVEs:
While the current BADAUDIO campaign does not exploit specific CVEs, APT24 has historically leveraged Microsoft Office vulnerabilities in earlier operations, including CVE-2012-0158 and CVE-2014-1761, which were exploited through phishing emails containing malicious Office documents. These represent the group’s evolution from traditional vulnerability exploitation to modern supply chain and social engineering vectors.
Attack Methodology
The BADAUDIO campaign has targeted organizations across multiple sectors in Taiwan and the United States, particularly healthcare, construction, mining, non-profits, and telecommunications.
Supply Chain Compromise:
Starting in July 2024, APT24 repeatedly compromised a Taiwanese digital marketing firm, injecting malicious code into third-party JavaScript and JSON libraries. This single compromise affected over 1,000 domains relying on the firm's scripts. The modified scripts included obfuscated JavaScript that fingerprinted visitors and determined whether to serve the BADAUDIO download pop-up.
Watering Hole Attacks:
APT24 also compromised more than 20 legitimate public websites to inject JavaScript that delivers BADAUDIO. The sites were chosen because their visitors include organizations of strategic interest to China. The injected code used FingerprintJS to fingerprint the browser and, for selected visitors, displayed a fake Google Chrome update pop-up that tricked users into downloading BADAUDIO.
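The supply chain injection and the watering-hole injection above both end the same way: the browser executes a script nobody integrity-checked. The script below is an added example (not code from the page, the marketing firm, or FingerprintJS) that audits a constructed HTML page for external script includes lacking a Subresource Integrity attribute and verifies a pinned hash against a clean and a tampered copy of a vendor library. The vendor hostname, the library bodies, and the page are made up. SRI only covers third-party includes: it does nothing when the attacker edits a site's own pages, as in the watering-hole cases, and a pin breaks whenever the vendor legitimately ships a new file, so the hashes need a release process behind them.

```python
"""Audit third-party <script> includes and verify pinned Subresource Integrity hashes.

Added example, not code from the page, the marketing firm, or FingerprintJS. The
script bodies and HTML below are constructed stand-ins for a site that embeds a
vendor library; the vendor hostname is made up.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'([A-Za-z][\w-]*)\s*=\s*"([^"]*)"')

# Constructed vendor library as originally shipped, and the same file with an
# appended fingerprint-and-popup routine standing in for the injected code.
CLEAN_LIB = b"window.track = function (ev) { /* legitimate analytics */ };\n"
TAMPERED_LIB = CLEAN_LIB + b"(function () { /* injected: fingerprint visitor, show fake Chrome update */ })();\n"


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token ('sha384-<base64 digest>') the browser compares against."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Browser semantics: an integrity attribute may list several tokens; any match is accepted."""
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_hash(body, algo) == token:
            return True
    return False


def audit_html(html: str) -> List[Dict[str, Optional[str]]]:
    """List every external script include with its integrity and crossorigin attributes (None when absent)."""
    findings = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        src = attrs.get("src")
        if src is None:
            continue  # inline script: SRI does not apply
        findings.append({"src": src, "integrity": attrs.get("integrity"), "crossorigin": attrs.get("crossorigin")})
    return findings


def unpinned_includes(html: str) -> List[str]:
    """The src of every external script a compromised vendor could silently replace."""
    return [f["src"] for f in audit_html(html) if not f["integrity"]]


# Constructed page: one pinned include, one unpinned include, one inline script.
PAGE = f"""<!doctype html>
<script src="https://cdn.marketing-vendor.example/lib/track.js"
        integrity="{sri_hash(CLEAN_LIB)}" crossorigin="anonymous"></script>
<script src="https://cdn.marketing-vendor.example/lib/widgets.js"></script>
<script>console.log("inline");</script>
"""


if __name__ == "__main__":
    for f in audit_html(PAGE):
        print(("pinned" if f["integrity"] else "UNPINNED") + ": " + f["src"])
    pinned = audit_html(PAGE)[0]["integrity"]
    print("clean body matches pin:", verify_sri(CLEAN_LIB, pinned))
    print("tampered body matches pin:", verify_sri(TAMPERED_LIB, pinned))
```

Running audit_html over a crawl of your own pages gives the list of includes to pin; a `crossorigin` of None on a cross-origin include means the browser will refuse to enforce the hash even if you add one, so both attributes have to be set together.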
Phishing with Cloud Services:
Beginning in August 2024, APT24 launched spear-phishing campaigns impersonating animal rescue organizations, hosting malicious payloads on Google Drive and Microsoft OneDrive. Emails included tracking pixels to confirm recipient opens, enabling tailored follow-up attacks.
Exploited Vulnerabilities (historical APT24 operations, not used by the BADAUDIO campaign)
| CVE ID | Impact | Exploit Prerequisites | CVSS Score |
|---|---|---|---|
| CVE-2012-0158 | Remote code execution via crafted Office documents | User opens malicious Microsoft Office attachment | 8.8 |
| CVE-2014-1761 | Remote code execution through malformed Office file handling | User opens crafted Microsoft Word document | 7.8 |
Mitigation & Remediation
Because BADAUDIO is in active use, immediate mitigation is critical:
- Remove BADAUDIO DLLs and associated VBS, BAT, and LNK files from user and startup directories.
- Audit and replace compromised supply chain scripts and libraries from affected vendors.
- Immediately rotate all developer credentials, API keys, and cloud tokens to prevent further misuse.
- Block known APT24 command-and-control domains using network-based threat intelligence.
- Harden hosts against DLL search order hijacking (keep SafeDllSearchMode enabled and use application control to block DLL loads from user-writable directories), apply browser download-restriction policies, and remind users that Chrome updates itself and never asks for an update through a web page pop-up.
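The first and last mitigations above come down to finding dropped files. The script below is an added example (not Google's or a vendor's detection logic) that walks a directory tree and flags DLL, VBS, BAT and LNK files inside a Startup folder, plus any DLL sitting beside an EXE in a user-writable path, which is the usual search-order-hijacking layout. The Windows Startup paths are derived from APPDATA and ProgramData (assumed default layout), and the demo scans a constructed temporary profile so it runs on any OS.

```python
"""Hunt user-writable directories for the BADAUDIO drop pattern: DLL plus VBS/BAT/LNK
launcher in a Startup folder, or a DLL planted beside an EXE for search-order hijacking.

Added example, not vendor or Google detection logic. The Windows Startup paths
are built from APPDATA/ProgramData (assumption: default layout); the demo runs
against a constructed temporary profile so it works on any OS.
"""
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

DROPPER_EXT = {".dll", ".vbs", ".bat", ".lnk"}


@dataclass
class Finding:
    path: str
    reason: str


def default_startup_dirs() -> List[Path]:
    """Per-user and all-users Startup folders (empty when the env vars are absent, e.g. off Windows)."""
    dirs = []
    if os.environ.get("APPDATA"):
        dirs.append(Path(os.environ["APPDATA"]) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if os.environ.get("ProgramData"):
        dirs.append(Path(os.environ["ProgramData"]) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return dirs


def scan_tree(root: Path, startup_dirs: Iterable[Path]) -> List[Finding]:
    """Walk root; flag dropper files in Startup and DLLs co-located with an EXE."""
    startup = {p.resolve() for p in startup_dirs}
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        d = Path(dirpath).resolve()
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for f in files:
            ext = Path(f).suffix.lower()
            if d in startup and ext in DROPPER_EXT:
                findings.append(Finding(str(d / f), f"{ext} file in Startup folder"))
            elif ext == ".dll" and has_exe:
                findings.append(Finding(str(d / f), "DLL beside EXE in user-writable directory (side-load candidate)"))
    return findings


def build_demo_tree(base: Path) -> Path:
    """Constructed profile: dropped DLL+VBS in Startup, a fake updater EXE with a DLL beside it, benign noise."""
    startup = base / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    startup.mkdir(parents=True)
    (startup / "update.vbs").write_text("' constructed launcher stub\n")
    (startup / "version.dll").write_bytes(b"MZ")
    downloads = base / "Downloads"
    downloads.mkdir()
    (downloads / "ChromeUpdate.exe").write_bytes(b"MZ")
    (downloads / "libcurl.dll").write_bytes(b"MZ")
    (downloads / "notes.txt").write_text("benign\n")
    (base / "Documents").mkdir()
    (base / "Documents" / "report.docx").write_bytes(b"PK")
    return startup


def demo() -> List[Finding]:
    """Build the constructed profile in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        startup = build_demo_tree(base)
        return scan_tree(base, [startup])


if __name__ == "__main__":
    for fnd in demo():
        print(f"{fnd.reason}: {fnd.path}")
```

On a real host, call scan_tree on %LOCALAPPDATA%, %TEMP% and Downloads with default_startup_dirs(). A DLL beside an EXE is only a candidate: confirm it by checking the EXE's signature and whether the DLL name is one that application would actually load from its own directory.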
Capabilities
- First-stage downloader that retrieves, decrypts, and executes AES-encrypted payloads in memory (Cobalt Strike among them).
- Highly obfuscated C++ implant using control-flow flattening to resist reverse engineering.
- Execution through DLL search order hijacking, so the malicious DLL is loaded by a legitimate application and persists under its cover.
- Basic host reconnaissance (hostname, username, system architecture) sent to the C2 in encrypted cookie parameters; the browser fingerprinting that precedes delivery is done by the injected JavaScript, which decides who is shown the fake Chrome update installer.
Visual Flow
For the APT24 campaign, the visual flow can be detailed as follows:
- Initial Access -> compromise of a Taiwanese digital marketing firm's JavaScript and JSON libraries (reaching 1,000+ dependent domains), 20+ watering-hole websites, and spear-phishing that impersonates animal rescue organizations with payloads hosted on Google Drive and Microsoft OneDrive.
- Delivery -> injected JavaScript fingerprints the visitor with FingerprintJS and, for selected targets, shows a fake Google Chrome update pop-up; the download is an encrypted ZIP/RAR archive holding the BADAUDIO DLL with a VBS, BAT, or LNK launcher.
- Execution & Persistence -> the launcher places the DLL where a legitimate application loads it through DLL search order hijacking, with the scripts kept in user and startup directories to survive reboots.
- Command & Control -> hostname, username, and architecture are AES-encrypted with a hard-coded key and sent in cookie parameters; the server returns an AES-encrypted second stage (Cobalt Strike has been observed) that is decrypted and run in memory.
- Impact -> persistent remote access, reconnaissance, and espionage against healthcare, construction, mining, non-profit, and telecommunications organizations in Taiwan and the United States.
Indicators of Compromise
The BADAUDIO campaign exposes several host, network, and email indicators that organizations can use to detect potential compromise:
Host-Based IOCs
- Malicious C++ DLL delivered via DLL Search Order Hijacking.
- Encrypted ZIP/RAR archives containing DLL + VBS/BAT/LNK files.
- First-stage malware contacting C2 to fetch AES-encrypted payloads (e.g., Cobalt Strike).
- Suspicious file access to %systemroot%\system32\sprxx.dll (associated with APT24-linked malware families).
Network IOCs
- Requests to typosquatted CDN domains serving fake Chrome update pop-ups.
- JavaScript performing browser fingerprinting using FingerprintJS.
- Modified third-party JS library making unexpected outbound calls.
- Fake Google Chrome update downloads delivered via watering-hole websites.
Email / Social Engineering IOCs
- Spear-phishing emails themed around animal rescue organizations.
- Payloads delivered via Google Drive / OneDrive encrypted archives.
- Messages containing tracking pixels to confirm email opens.
These indicators collectively reflect APT24’s multi-layered approach—leveraging supply chain compromise, strategic web access, and targeted phishing—to deliver BADAUDIO and maintain persistent access.
Tactics and Techniques include:
The campaign abuses trust in third-party web scripts, legitimate websites, and consumer cloud storage to get a fake Chrome update onto the victim's machine, then relies on a legitimate application to load the malicious DLL.
- TA0001 – Initial Access: T1195.002 (Compromise Software Supply Chain) through the marketing firm's JavaScript and JSON libraries; T1189 (Drive-by Compromise) through the 20+ watering-hole sites; T1566.002 (Spearphishing Link) pointing at payloads on Google Drive and OneDrive.
- T1204.002 – User Execution: Malicious File: the victim opens the fake Chrome update archive and runs the bundled launcher.
- TA0002 – Execution: DLL Search Order Hijacking and scripting interpreters once the launcher runs.
- T1059 – Command and Scripting Interpreter: VBS (T1059.005) and BAT (T1059.003) scripts, started from LNK shortcuts, automate installation, persistence, and execution.
- TA0003 – Persistence: launchers in the Startup folder (T1547.001) and DLL loads through legitimate applications.
- T1574.001 – DLL Search Order Hijacking: leveraging the DLL loading order to execute the malicious DLL inside a legitimate process.
- T1027 – Obfuscated Files or Information: control-flow flattening in the downloader and encrypted ZIP/RAR delivery archives.
- T1082 – System Information Discovery: hostname, username, and architecture collected before the first beacon.
- T1573.001 – Encrypted Channel: Symmetric Cryptography: AES with a hard-coded key for both the beacon and the returned payload.
- T1105 – Ingress Tool Transfer: the second stage (including Cobalt Strike) fetched from C2 and executed in memory.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
