Chinese APT24 Group Uses 'BadAudio' Malware in Years-Long Espionage Campaign Targeting Taiwan

APT24 (Pitty Tiger) Deploys Custom 'BadAudio' Malware in Sophisticated Cyberespionage Campaign

HIGH
November 22, 2025
6m read
Threat Actor | Malware | Supply Chain Attack

Related Entities

Threat Actors

APT24 (Pitty Tiger)

Organizations

Google Threat Intelligence Group (GTIG), Microsoft


Executive Summary

Google Threat Intelligence Group (GTIG) has uncovered a long-running cyberespionage campaign, active since at least November 2022, conducted by the China-linked threat actor APT24 (also known as Pitty Tiger). The campaign's primary objective is intelligence gathering, with a strong focus on targets in Taiwan. A key component of this operation is a previously undocumented custom malware downloader named BadAudio. This malware is a highly obfuscated first-stage payload designed to establish a foothold on victim systems before delivering more powerful tools like Cobalt Strike. APT24 has demonstrated significant operational evolution, shifting from broad watering hole attacks to more targeted supply chain compromises and spear-phishing, indicating a persistent and sophisticated adversary focused on long-term intelligence collection.


Threat Overview

APT24 is a China-nexus, state-sponsored threat group that has been tracked since at least 2008 and has a history of targeting organizations for intellectual property theft. This latest campaign shows continued investment in custom tooling and adaptive tradecraft. The operation has progressed through several phases:

  • Initial Phase (Nov 2022 onwards): The group compromised more than 20 legitimate websites and injected malicious JavaScript that fingerprinted visitors. Selected Windows users were then shown a fake software update pop-up that led them to download the BadAudio malware.
  • Supply Chain Attack (July 2024): APT24 escalated by compromising a Taiwanese digital marketing firm and tampering with a JavaScript library the firm served to its customers' sites, giving the group a path onto more than 1,000 downstream domains that loaded the firm's scripts.
  • Spear-Phishing (Aug 2024 onwards): The group added targeted spear-phishing emails using lures themed around animal rescue organizations. The emails linked to encrypted archives hosted on legitimate cloud services such as Google Drive and Microsoft OneDrive; the archives contained the BadAudio payload.

Technical Analysis

BadAudio Malware

BadAudio is a first-stage downloader written in C++ and serves as the initial entry point into a victim's network. Its primary features are geared towards stealth and evasion:

  • Delivery and Execution: BadAudio is typically delivered as a malicious DLL. It gains execution through T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking, where a legitimate application resolves and loads the malicious DLL instead of the library it expects.
  • Obfuscation: The malware uses control flow flattening, which replaces the program's natural branching with a dispatcher loop over disconnected basic blocks. The behaviour is unchanged, but static analysis and reverse engineering become considerably harder.
  • C2 Communication: On execution, BadAudio collects basic system information (hostname, user name and processor architecture), encrypts it with a hard-coded AES key, and sends it to the command-and-control (C2) server inside an HTTP Cookie header.
  • Payload Deployment: The C2 server responds with a second-stage payload such as a Cobalt Strike Beacon, encrypted with the same AES key. BadAudio decrypts it and executes it directly in memory; because nothing is written to disk, file-based antivirus scanning has little to inspect.

Impact Assessment

The campaign's primary goal is cyberespionage. By targeting sectors like government, healthcare, telecommunications, and construction, APT24 seeks to steal valuable intellectual property, government secrets, and other sensitive data that align with the strategic interests of the Chinese state. The compromise of a digital marketing firm represents a significant supply chain risk, exposing a large number of downstream organizations to infection. For targeted organizations in Taiwan, this long-term, persistent intrusion could lead to a substantial loss of sensitive national and commercial information.

IOCs

No specific file hashes or C2 domains were provided in the source articles.

Cyber Observables for Detection

Type | Value | Description | Context | Confidence
file_name | *.dll | Monitor for newly dropped DLLs in directories from which legitimate applications load their libraries. | File Integrity Monitoring, EDR | medium
command_line_pattern | rundll32.exe <suspicious.dll>,<export_name> | A common way to execute a malicious DLL. Look for executions of unsigned or untrusted DLLs, especially from user-writable paths. | EDR, Windows Event ID 4688, Sysmon Event ID 1 | medium
network_traffic_pattern | HTTP requests with encrypted data in cookies | Unusually large or high-entropy Cookie header values sent to rare external hosts may indicate BadAudio C2 communication. | Network Security Monitoring, IDS/IPS, proxy logs | medium
process_name | [legitimate_process.exe] | Monitor legitimate processes for suspicious network connections or for loading unsigned DLLs from non-standard paths. | EDR, Process Monitoring, Sysmon Event ID 7 | high
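The first, second and fourth rows of that table can be checked mechanically. The script below is an added example (it is not code from GTIG or from the article's author) that evaluates Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records against those observables: rundll32 invoking a DLL from an untrusted path, an unsigned DLL loaded from an untrusted directory, and a DLL carrying a System32 file name but resolving elsewhere, which is the search-order hijack condition itself. The event dictionaries are constructed, and TRUSTED_DLL_DIRS and SYSTEM_DLL_NAMES are illustrative values that would be populated from the real environment.

```python
"""Evaluate Sysmon-style events for the BadAudio DLL search-order hijack pattern.

Assumptions: events are dicts with Sysmon Event ID 1 / Event ID 7 field names;
TRUSTED_DLL_DIRS and SYSTEM_DLL_NAMES are hypothetical, environment-specific values.
"""
import ntpath

# Directories from which DLL loads are expected.  Hypothetical defaults; tune per fleet.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files",
    r"c:\program files (x86)",
)

# DLL names that live in System32.  Constructed subset; on a real host build this set
# from a listing of %SystemRoot%\System32.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "shell32.dll"}


def in_trusted_dir(path):
    """True if the file's directory is one of TRUSTED_DLL_DIRS or lies beneath it."""
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DLL_DIRS)


def dll_from_rundll32(cmdline):
    """Return the DLL path from a 'rundll32.exe <dll>,<export>' command line, else None."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) != 2:
        return None
    if ntpath.basename(parts[0].strip('"')).lower() != "rundll32.exe":
        return None
    dll = parts[1].split(",", 1)[0].strip().strip('"')
    return dll if dll.lower().endswith(".dll") else None


def evaluate(event):
    """Return [(rule, detail), ...] for one event; an empty list means nothing matched."""
    findings = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        dll = dll_from_rundll32(event.get("CommandLine", ""))
        if dll and not in_trusted_dir(dll):
            findings.append(("rundll32_untrusted_dll", dll))
    elif eid == 7:  # image loaded
        loaded = event.get("ImageLoaded", "")
        name = ntpath.basename(loaded).lower()
        if event.get("Signed", "").lower() != "true" and not in_trusted_dir(loaded):
            findings.append(("unsigned_dll_untrusted_dir", loaded))
        if name in SYSTEM_DLL_NAMES and not in_trusted_dir(loaded):
            # A System32 DLL name resolving outside System32 is the hijack condition itself.
            findings.append(("system_dll_name_outside_system_dir", loaded))
    return findings


def scan(events):
    """Run evaluate() over a sequence of events and return [(index, rule, detail), ...]."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in evaluate(ev)]


SAMPLE_EVENTS = [  # constructed test data, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\update.dll",Start'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event[{idx}] {rule}: {detail}")
```

Only the first and third sample events produce findings; the third trips two rules at once, which is the combination worth paging on. The SYSTEM_DLL_NAMES rule fires even for a signed DLL, because a hijacker can ship a legitimately signed but vulnerable library alongside its own.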

Detection & Response

Detecting BadAudio requires a defense-in-depth strategy that combines network and endpoint monitoring.

  1. Endpoint Detection (EDR): An EDR solution is critical for detecting techniques like DLL search-order hijacking. Configure EDR to alert on legitimate processes loading unsigned or newly created DLLs. Memory scanning can also detect the in-memory execution of payloads like Cobalt Strike. This is an application of D3-PA: Process Analysis.

  2. Network Monitoring: Analyze outbound HTTP traffic for anomalies. Because BadAudio carries its beacon in the Cookie header, look for requests (not only POSTs) whose cookie values are far larger and higher-entropy than a normal session token, sent to hosts that few or no other clients contact. The Cookie header is only visible where TLS is terminated (an inspecting proxy) or where the C2 uses plain HTTP; without that visibility, fall back to destination rarity, request timing and byte counts. This aligns with D3-NTA: Network Traffic Analysis.

  3. Threat Hunting: Proactively hunt for the preconditions of DLL hijacking. Query systems for applications whose directory contains a DLL with the same name as one in a system directory (e.g., System32), since that is the condition under which the application directory wins the search order, and review any such DLL that is unsigned or was created after the application was installed.
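Steps 2 and 3 above can be run over exported logs and a directory listing respectively. The script below is an added example (not code from the article's author or from GTIG) that does both: it parses constructed proxy-log lines, scores each cookie value by length and Shannon entropy, and flags values that look like an AES ciphertext rather than a session token; and it lists DLL names that exist in both an application directory and a system directory. The log line format, the thresholds and the temporary directory layout are assumptions made for the example.

```python
"""Hunt (a) for long, high-entropy Cookie values in proxy logs and (b) for DLL name
collisions between an application directory and the system directory.

Assumptions: the log line shape below, the thresholds, and the directory layout built
by demo_collisions() are constructed for this example.
"""
import base64
import hashlib
import math
import os
import re
import tempfile

# Assumed thresholds: session cookies are random too, so length carries most of the
# signal; 200 characters at >= 4.5 bits/char is well outside a normal session token.
MIN_COOKIE_LEN = 200
MIN_ENTROPY_BITS = 4.5

# Assumed proxy log shape: <timestamp> <client> <method> <url> cookie="<Cookie header>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) cookie="([^"]*)"$')


def shannon_entropy(s):
    """Bits of entropy per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_cookies(log_lines):
    """Return [(url, cookie_name, length, entropy)] for values over both thresholds."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format; skip rather than guess
        url, header = m.group(4), m.group(5)
        for pair in header.split(";"):
            name, _, value = pair.strip().partition("=")
            ent = shannon_entropy(value)
            if len(value) >= MIN_COOKIE_LEN and ent >= MIN_ENTROPY_BITS:
                hits.append((url, name, len(value), round(ent, 2)))
    return hits


def search_order_collisions(app_dir, system_dir):
    """DLL base names (lower-cased) present in both directories, sorted."""
    def dlls(d):
        return {f.lower() for f in os.listdir(d) if f.lower().endswith(".dll")}
    return sorted(dlls(app_dir) & dlls(system_dir))


def demo_collisions():
    """Build a throwaway, constructed layout and return the collisions it contains."""
    with tempfile.TemporaryDirectory() as root:
        app, sysdir = os.path.join(root, "app"), os.path.join(root, "System32")
        os.makedirs(app)
        os.makedirs(sysdir)
        layout = ((app, ["viewer.exe", "VERSION.dll"]), (sysdir, ["version.dll", "kernel32.dll"]))
        for d, names in layout:
            for n in names:
                open(os.path.join(d, n), "wb").close()
        return search_order_collisions(app, sysdir)


# Constructed sample log: one ordinary session cookie and one 320-byte pseudo-random blob
# base64-encoded the way an AES ciphertext would be carried in a cookie.
_BLOB = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(10))).decode()
SAMPLE_LOG = [
    '2025-11-21T09:00:01Z 10.0.0.5 GET https://intranet.example/home cookie="session=a1b2c3d4e5f6; lang=en"',
    f'2025-11-21T09:00:07Z 10.0.0.5 GET http://203.0.113.10/index.php cookie="id={_BLOB}"',
]

if __name__ == "__main__":
    for hit in suspicious_cookies(SAMPLE_LOG):
        print("suspicious cookie:", hit)
    print("search-order collisions:", demo_collisions())
```

The entropy check alone is not a detection: a 32-character session ID scores as high per character as ciphertext. Pairing it with a length floor and, in production, with destination rarity is what separates a beacon from ordinary web traffic. The collision hunt returns names only; the analyst still has to decide whether each colliding DLL is a vendor's legitimate private copy or a planted loader.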

Mitigation

Defending against a sophisticated actor like APT24 requires robust security hygiene and advanced controls.

  • Application Control: Implement application control solutions, such as Windows Defender Application Control, to restrict the execution of unauthorized DLLs. This directly counters DLL hijacking and is a form of D3-EAL: Executable Allowlisting.
  • Attack Surface Reduction (ASR): Enable ASR rules on Windows endpoints, in particular the rule that blocks executables that do not meet a prevalence, age or trusted-list criterion, together with the rules that block processes spawned by Office macros and script execution. ASR does not by itself stop a legitimate application from sideloading a DLL, so treat it as a complement to application control rather than a substitute.
  • User Training: Train users to be suspicious of unsolicited software update pop-ups and to only download software from official sources. This helps mitigate the watering hole and phishing vectors.
  • Supply Chain Security: For organizations that embed third-party scripts on their websites, add Subresource Integrity (SRI) hashes so the browser refuses a script whose bytes differ from the reviewed version, and restrict script sources with a Content Security Policy. SRI only works for a pinned version of the script: a vendor that changes its library without notice will break the page until the hash is updated, so pair SRI with change control or self-host a reviewed copy. This is a specific form of D3-ACH: Application Configuration Hardening.
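The SRI control from the last item, worked through end to end. This is an added example (not from the article's author or from the marketing firm involved) that generates the integrity value for a third-party script, emits the corresponding tag, and replicates the browser's check against both the original script and a copy with a fingerprinting snippet prepended, which is the kind of modification the supply chain phase relied on. The script contents, the vendor host name and the injected snippet are constructed.

```python
"""Generate and verify Subresource Integrity (SRI) digests for a third-party script.

Assumptions: ORIGINAL_JS, TAMPERED_JS and VENDOR_SRC are constructed fixtures, not
real vendor code; the hypothetical host cdn.vendor.example does not exist.
"""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only hash functions browsers accept for SRI


def sri_digest(content, algo="sha384"):
    """Return an integrity value such as 'sha384-<base64>' for the exact bytes served."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"


def script_tag(src, content, algo="sha384"):
    """Emit the <script> tag; crossorigin is required for SRI on cross-origin resources."""
    return (f'<script src="{src}" integrity="{sri_digest(content, algo)}" '
            f'crossorigin="anonymous"></script>')


def sri_matches(content, integrity):
    """Replicate the browser-side check: True only if a listed digest matches the bytes."""
    for token in integrity.split():
        algo, _, expected = token.partition("-")
        if algo not in SRI_ALGOS:
            continue  # browsers ignore tokens with unknown algorithms
        actual = base64.b64encode(hashlib.new(algo, content).digest()).decode()
        if hmac.compare_digest(actual, expected):
            return True
    return False


# Constructed fixtures: the vendor's original script and a tampered copy with a
# fingerprinting routine prepended, the modification pattern the campaign used.
ORIGINAL_JS = b"window.marketing = {track: function(e) { /* send event */ }};\n"
TAMPERED_JS = b"(function(){ /* collect navigator/screen details and beacon them */ })();\n" + ORIGINAL_JS
VENDOR_SRC = "https://cdn.vendor.example/marketing.js"  # hypothetical host


def demo():
    """Return (tag, original_passes, tampered_passes) for the fixtures above."""
    tag = script_tag(VENDOR_SRC, ORIGINAL_JS)
    integrity = tag.split('integrity="')[1].split('"')[0]
    return tag, sri_matches(ORIGINAL_JS, integrity), sri_matches(TAMPERED_JS, integrity)


if __name__ == "__main__":
    tag, ok, bad = demo()
    print(tag)
    print("original passes:", ok, "| tampered passes:", bad)
```

SRI covers only the bytes of the resource named in the tag. Anything the script itself fetches at run time is outside the check, which is why the Content Security Policy `script-src` restriction belongs alongside it.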

Timeline of Events

  1. November 2022: Earliest observed activity of APT24's BadAudio campaign, using watering hole attacks on compromised legitimate websites.
  2. July 2024: The group compromises a Taiwanese digital marketing firm in a supply chain attack.
  3. August 2024: APT24 begins using spear-phishing campaigns to deliver the BadAudio malware.
  4. November 21, 2025: GTIG's findings are reported publicly.
  5. November 22, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Use application control to prevent the loading of unauthorized or unsigned DLLs, which would block the DLL search order hijacking technique (T1574.001).
  • Use web filtering and SSL/TLS inspection to block connections to known malicious domains and to detect anomalous C2 traffic.
  • Educate users to recognize and report suspicious pop-ups and phishing attempts.

D3FEND Defensive Countermeasures

To directly counter BadAudio's execution method, organizations should implement executable allowlisting with a specific focus on DLLs. With Windows Defender Application Control (WDAC), security teams can create policies under which applications may load only known, signed and trusted DLLs. This breaks the DLL search order hijacking technique (T1574.001) used by APT24: even when the legitimate application resolves the malicious BadAudio DLL first, WDAC refuses to load it. Deploy the policy in audit mode first to collect the DLLs that real workloads load, then switch to enforcement on critical systems and servers before rolling out to workstations. This requires a significant initial investment in baselining and policy maintenance, but it is one of the most effective controls against this class of malware.

For detection of BadAudio and its second-stage payloads such as Cobalt Strike, continuous process analysis on endpoints is essential. Security teams should use an EDR solution to monitor for anomalous process behaviour. Specifically for this threat, configure detection rules for: 1) legitimate, signed processes (e.g., explorer.exe) loading unsigned DLLs from non-standard directories; 2) a process establishing connections to rare external hosts and, where HTTP is visible through proxy logs or TLS inspection, sending requests with unusually large, high-entropy Cookie values, which is characteristic of BadAudio's C2; 3) in-memory injection of threads into other processes, a hallmark of the Cobalt Strike Beacon. By baselining normal process activity and alerting on these deviations, security teams can detect the infection chain even though the initial DLL is heavily obfuscated.

Sources & References

  • APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains. The Hacker News (thehackernews.com), November 21, 2025.
  • Chinese Cyberspies Deploy 'BadAudio' Malware via Supply Chain Attacks. SecurityWeek (securityweek.com), November 21, 2025.
  • Novel BadAudio malware leveraged in years-long APT24 campaign. SC Media (scmagazine.com), November 21, 2025.
  • BadAudio malware: how APT24 scaled its cyberespionage through supply chain attacks. Security Affairs (securityaffairs.com), November 22, 2025.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis | Security Orchestration (SOAR/XSOAR) | Incident Response & Digital Forensics | Security Operations Center (SOC) | SIEM & Security Analytics | Cyber Fusion & Threat Sharing | Security Automation & Integration | Managed Detection & Response (MDR)

Tags

APT24 | Pitty Tiger | BadAudio | Cyber Espionage | Malware | Supply Chain Attack | Taiwan | Cobalt Strike
