A China-linked hacking group known as APT24 has been using a previously unknown malware called BadAudio in a spying campaign that has been running for almost three years.
The group recently shifted to even more advanced attack methods, making the campaign harder to detect.
Since 2022, APT24 has used several techniques to deliver the malware, including spearphishing emails, supply chain compromises, and watering hole attacks. Between late 2022 and September 2025, the hackers quietly compromised more than twenty legitimate public websites across different industries. They injected malicious JavaScript into these sites to fingerprint visitors and single out targets, focusing only on Windows systems. When a selected user visited one of the compromised websites, the script displayed a fake software update pop-up designed to trick them into downloading the BadAudio malware.
In mid-2024, the attackers repeatedly breached a digital marketing company in Taiwan that provides JavaScript libraries for many client websites. By injecting their own code into one of the company’s widely used libraries and by registering a fake domain that looked like a real CDN provider, they were able to infect more than a thousand websites.
Later, from late 2024 to mid-2025, they continued targeting the same company, this time hiding their malicious code inside a modified JSON file loaded by one of the firm’s JavaScript files. Each time this code ran, it collected information about the website visitor and sent a base64-encoded report to the attackers, who then decided whether to send back the next stage of the attack.
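An added defender-side check for the supply-chain pattern described above (example code written for this article, not from Google’s report or the affected company): it scans a page for third-party script tags served from a host outside an expected allowlist, such as a lookalike CDN domain, or loaded without a Subresource Integrity hash, which is what lets a silently modified library run unnoticed. The allowlist, hostnames and sample HTML are constructed.

```python
"""Audit <script src=...> tags for untrusted hosts and missing SRI hashes.
All hostnames and the sample HTML below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site operator expects scripts to come from (constructed allowlist).
TRUSTED_HOSTS = {"cdn.example-marketing.com", "www.example.org"}


class ScriptAudit(HTMLParser):
    """Collects (src, reason) findings for every external script tag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline scripts are out of scope for this check
        host = urlparse(src).hostname or ""
        if not host:
            return  # same-origin relative path, not a third-party load
        if host not in TRUSTED_HOSTS:
            # A near-match of a trusted name is the lookalike-CDN case.
            self.findings.append((src, "untrusted host: " + host))
        if not a.get("integrity"):
            # Without SRI the browser runs whatever the host serves today.
            self.findings.append((src, "missing SRI integrity attribute"))


def audit(html):
    """Return the list of (src, reason) findings for a page."""
    parser = ScriptAudit()
    parser.feed(html)
    return parser.findings


# Constructed sample: one pinned library, one from a lookalike host, one local.
SAMPLE = """<html><head>
<script src="https://cdn.example-marketing.com/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://cdn-example-marketing.com/lib.js"></script>
<script src="/static/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for src, reason in audit(SAMPLE):
        print(src, "->", reason)
```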
Around the same time, APT24 was also sending spearphishing emails that pretended to come from animal rescue organizations. In some cases, the hackers used trusted cloud services like Google Drive or OneDrive to host the malware instead of their own servers. While many of these messages were caught by spam filters, the attackers added tracking pixels so they could see when a recipient opened the email.
Google’s threat analysis team examined the malware and found that BadAudio is heavily obfuscated to make it difficult for security tools and researchers to analyze. The malware runs using DLL search order hijacking, which tricks a legitimate application into loading a malicious file in place of the library it expects. Its code also uses control-flow flattening: the program’s normal flow is scrambled into separate blocks selected by a central dispatcher, making it much harder to understand or reverse engineer.
Once BadAudio runs on a device, it collects basic information such as the hostname, username, and system architecture. It encrypts this data using a built-in AES key and sends it to a command and control server. The malware then downloads another encrypted payload, decrypts it, and runs it directly in memory using DLL sideloading to avoid detection. In at least one case, the attackers used this method to deploy Cobalt Strike Beacon, a powerful tool often abused in cyberattacks. However, researchers could not confirm whether every attack used the same payload.
Even though the group has used BadAudio for several years, it remained largely unnoticed. Out of eight samples shared in Google’s report, only two are flagged as malicious by more than twenty-five antivirus tools. The rest, including samples created in December 2022, are detected by five or fewer products, showing how well the malware avoided detection.
Google’s researchers say the evolution of APT24’s methods shows how skilled and persistent the group has become. Their ability to adapt, compromise supply chains, and run long-term espionage operations highlights the growing sophistication of state-backed cyber threats.