Beyond the Watering Hole: APT24’s Pivot to Multi-Vector Attacks
Google Threat Intelligence Group
Written by: Harsh Parashar, Tierra Duncan, Dan Perez

• Google Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by APT24, a People’s Republic of China (PRC)-nexus threat actor. • Over three years, APT24 has deployed BADAUDIO, a heavily obfuscated first-stage downloader used to establish persistent access to victim networks. • Earlier operations relied on broad strategic web compromises (watering-hole attacks that turn legitimate websites into delivery points); APT24 has recently pivoted to more targeted vectors aimed at organizations in Taiwan. • These include the repeated compromise of a regional digital marketing firm to mount supply chain attacks, and targeted phishing campaigns. • This report provides a technical analysis of the BADAUDIO malware, details the evolution of APT24’s delivery mechanisms from 2022 to the present, and offers actionable intelligence to help defenders detect and mitigate this persistent threat.
Article Summaries:
- Google Threat Intelligence Group (GTIG) reports that China-linked APT24 has shifted from broad watering-hole attacks to a multi-vector campaign targeting Taiwanese organizations. Over three years, the group has used the heavily obfuscated BADAUDIO downloader to establish persistent access, now coupling it with supply-chain compromises of a regional digital-marketing firm and targeted phishing. BADAUDIO retrieves an AES-encrypted payload (often a Cobalt Strike Beacon) and executes it in memory, so the second stage never has to touch disk in decrypted form. GTIG’s analysis highlights the downloader’s control-flow flattening, which hinders reverse engineering by replacing the program’s natural branch structure with a dispatcher loop. Google has added affected sites to Safe Browsing blocklists and notified victims to mitigate the threat.
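To make the control-flow flattening point concrete, here is an added example in C (written for this page; it is not BADAUDIO code and does not reproduce any of the real sample’s logic). The same small routine, an XOR decode with a rolling key that stops at the first decoded NUL, is shown twice: once with ordinary structured control flow, and once flattened into a single dispatcher loop driven by an opaque state variable. The state constants, the rolling-key step and the sample buffer are all arbitrary choices made for the illustration.

```c
/* Added example, not from the GTIG report: what control-flow flattening
 * does to a routine. Both functions compute the same thing; only the shape
 * of the control flow differs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Original, structured control flow: a loop with an early exit. */
size_t decode_plain(uint8_t *buf, size_t len, uint8_t key)
{
    size_t i;
    for (i = 0; i < len; i++) {
        uint8_t b = buf[i] ^ key;
        if (b == 0)
            break;                  /* stop at the first decoded NUL */
        buf[i] = b;
        key = (uint8_t)(key + 7);   /* rolling key (arbitrary step) */
    }
    return i;                       /* number of bytes decoded */
}

/* Same logic after control-flow flattening: every basic block becomes one
 * case of a switch, and the successor block is chosen by assigning `state`.
 * In a decompiler the graph is a star around the dispatcher, with no loop
 * or if/else visible; the state constants are arbitrary (real obfuscators
 * pick random ones and often compute them at runtime). */
size_t decode_flat(uint8_t *buf, size_t len, uint8_t key)
{
    uint32_t state = 0x3A1F;        /* entry block */
    size_t i = 0;
    uint8_t b = 0;
    for (;;) {
        switch (state) {
        case 0x3A1F:                /* loop condition */
            state = (i < len) ? 0x7C02 : 0x11E9;
            break;
        case 0x7C02:                /* body: decode one byte */
            b = buf[i] ^ key;
            state = (b == 0) ? 0x11E9 : 0x5D44;
            break;
        case 0x5D44:                /* store, roll key, advance */
            buf[i] = b;
            key = (uint8_t)(key + 7);
            i++;
            state = 0x3A1F;
            break;
        case 0x11E9:                /* exit block */
            return i;
        default:                    /* unreachable */
            return (size_t)-1;
        }
    }
}

/* Constructed sample: "hi" XOR-encoded with key 0x10 (rolling by 7), then a
 * byte that decodes to NUL, then a trailing byte that must be left alone.
 * Returns 1 if both implementations decode it identically to "hi", else 0. */
int sample_agrees(void)
{
    const uint8_t enc[4] = { 0x78, 0x7E, 0x1E, 0xFF };
    uint8_t a[4], b[4];
    memcpy(a, enc, sizeof enc);
    memcpy(b, enc, sizeof enc);
    size_t na = decode_plain(a, sizeof a, 0x10);
    size_t nb = decode_flat(b, sizeof b, 0x10);
    return na == 2 && nb == 2 && memcmp(a, b, sizeof a) == 0
        && a[0] == 'h' && a[1] == 'i' && a[3] == 0xFF;
}

int main(void)
{
    printf("plain and flattened decoders agree: %s\n",
           sample_agrees() ? "yes" : "no");
    return 0;
}
```

When triaging a flattened binary, the dispatcher variable (`state` here) is the thing to find first: recovering the mapping from each case’s assignments to the case labels lets you rebuild the original control-flow graph, which is why obfuscators try to make that mapping opaque.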
Sources: