
How APT24 Uses BadAudio Malware in Multi-Vector Espionage

Illustration: a Windows workstation under surveillance while an obfuscated loader labeled "BadAudio" communicates with APT24 command-and-control infrastructure.

APT24 treats BadAudio as the front door to a patient, multi-year espionage operation. The group runs this custom C++ downloader as a first stage, then layers it behind watering-hole compromises, supply-chain abuse and targeted phishing runs that all point at Windows systems. Instead of relying on noisy exploits, APT24 leans on obfuscated DLL sideloading, encrypted command-and-control and careful victim fingerprinting, which keeps BadAudio quietly embedded in networks while the campaign evolves in the background.

BadAudio as a first-stage downloader

BadAudio does not try to solve every problem. Instead, it focuses on providing reliable initial access and payload delivery. The loader arrives as a malicious DLL that a legitimate application accidentally loads because of DLL search-order hijacking. As soon as that happens, BadAudio collects basic host data such as hostname, username and architecture, then encrypts this profile with a hard-coded AES key. Rather than sending those details in cleartext, it hides them inside an HTTP cookie field when it reaches out to its command-and-control endpoint. 

After the beacon leaves the host, the C2 responds with an encrypted payload that BadAudio decrypts with the same key and executes in memory. In at least one observed case, that payload takes the form of a Cobalt Strike Beacon with a watermark already tied to previous activity from the same threat actor, which makes the toolchain easier to track once analysts link the pieces. However, BadAudio does not lock itself to any specific second-stage, so operators can swap payloads as their objectives change. 
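The cookie channel described above is also the most log-friendly part of the chain: a web gateway sees the destination host and the Cookie header even when it cannot decrypt the profile. The following Python is an added example for this article, not code from the original report or from any vendor tool. It scores proxy log lines on two signals the text gives, a destination on a threat-intel watchlist and a cookie value that looks like an encrypted blob rather than a session ID (long, base64, decodes to high-entropy, mostly non-printable bytes). The log format, the watchlist domain and the "encrypted profile" bytes are all constructed for the example; the thresholds are assumptions to tune against your own traffic.

```python
"""Triage proxy/web-gateway logs for BadAudio-style cookie beacons (added example)."""
import base64
import math
import re
from urllib.parse import urlsplit

# Constructed threat-intel watchlist; placeholder domain, not a real indicator.
WATCHLIST_DOMAINS = {"cdn-static-update.invalid"}

# Constructed stand-in for an AES-encrypted host profile: 64 distinct, mostly
# non-printable bytes, which is what ciphertext looks like after base64 decoding.
_FAKE_ENCRYPTED_PROFILE = bytes((i * 37 + 11) % 256 for i in range(64))
_FAKE_BEACON_COOKIE = base64.b64encode(_FAKE_ENCRYPTED_PROFILE).decode()

# Constructed sample log lines. Assumed format:
#   <timestamp> <client_ip> <method> <url> cookie=<Cookie header value>
SAMPLE_LOG = "\n".join([
    "2024-06-12T09:01:03Z 10.0.0.15 GET http://intranet.example/portal cookie=session=abc123; lang=en",
    "2024-06-12T09:01:07Z 10.0.0.15 GET http://cdn-static-update.invalid/api/v1 cookie=uid=" + _FAKE_BEACON_COOKIE,
    "2024-06-12T09:01:09Z 10.0.0.22 GET https://www.example.com/ cookie=_ga=GA1.2.123456.1718182; theme=dark",
])

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) cookie=(.*)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for uniformly random bytes."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range; session IDs are ~1.0, ciphertext ~0.37."""
    return sum(32 <= b < 127 for b in data) / len(data) if data else 1.0


def score_cookie_value(value: str) -> int:
    """Heuristic 0-3 score for one cookie value (thresholds are assumptions)."""
    score = 0
    if len(value) >= 64 and B64_RE.match(value):
        score += 1                                   # long base64 token
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:
            return score
        if shannon_entropy(raw) >= 4.5:
            score += 1                               # decoded bytes are high-entropy
        if printable_ratio(raw) < 0.8:
            score += 1                               # decoded bytes are not text
    return score


def score_line(line: str) -> dict:
    """Combine destination reputation with per-cookie blob scores."""
    m = LINE_RE.match(line)
    if not m:
        return {"line": line, "score": 0, "reasons": ["unparsed"]}
    _ts, _client, _method, url, cookie_header = m.groups()
    host = urlsplit(url).hostname or ""
    score, reasons = 0, []
    if host in WATCHLIST_DOMAINS:
        score += 2
        reasons.append("destination on watchlist")
    for pair in cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        s = score_cookie_value(value)
        if s:
            score += s
            reasons.append(f"cookie {name!r} looks like an encrypted blob (+{s})")
    return {"line": line, "host": host, "score": score, "reasons": reasons}


def triage(log_text: str, threshold: int = 3) -> list:
    """Return scored lines at or above threshold, ready for an analyst queue."""
    results = (score_line(l) for l in log_text.splitlines() if l)
    return [r for r in results if r["score"] >= threshold]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["score"], hit["host"], hit["reasons"])
```

A long random session token to an unlisted host scores 3 on the cookie signals alone and would surface at the default threshold, so in practice the threshold is set so that either a watchlist hit or an unusual cookie plus a rare destination is needed; the point of scoring rather than matching is that a rotated domain still leaves the blob-shaped cookie behind.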

Obfuscation and analysis resistance

The loader keeps reverse-engineers busy. Analysts describe heavy control-flow flattening that replaces natural logic with dispatcher loops and state variables. Instead of clean branches and functions, researchers see a maze of loosely connected blocks that require manual reconstruction. BadAudio also leans on custom string decoding and decoy instructions, which trip up basic disassemblers and automated tooling. Because of this, some samples remain under-detected years after compilation, with only a small minority of antivirus engines flagging them as malicious even after public reporting.

This resistance to analysis gives APT24 room to experiment. The group can adjust delivery paths or second-stage payloads without worrying that each tweak instantly lands in signatures. As defenders know, a loader that stays just below broad detection thresholds tends to deliver more value over time than a flashy exploit that triggers every alert rule in the stack.

Focus on Windows targets and victim selection

BadAudio’s operators care about the right victims, not the largest possible volume. In their early watering-hole work, they injected malicious JavaScript into more than twenty legitimate websites that covered everything from industrial topics to recreational interests. The script checked user-agent strings and filtered out macOS, iOS, Android and specific browser variants so that only Windows hosts proceeded down the chain. Then, the code loaded FingerprintJS and built a browser fingerprint, which it sent back to attacker-controlled infrastructure.

Only visitors who matched the group’s criteria saw a fake update prompt that impersonated a browser update or similar security-themed notification. Those users then downloaded the BadAudio package and unknowingly handed APT24 an initial foothold. This focus on filtering and fingerprinting reduced noise and helped the actor stretch infrastructure and tooling across a three-year window.

Supply-chain expansion through a Taiwanese marketing provider

APT24 did not stop at individual watering-hole sites. In mid-2024, the group repeatedly compromised a digital marketing company in Taiwan that provided JavaScript libraries to hundreds of customer websites. Instead of breaking into each downstream site separately, the operators injected their own code into one widely used library and registered a fake domain that resembled a legitimate CDN provider. When client sites loaded that library, the injected script reached their visitors automatically. According to public reporting, this move exposed more than a thousand websites to BadAudio delivery without any direct compromise on those sites themselves.

This supply-chain pivot significantly increased reach while keeping operational effort manageable. Rather than juggling dozens of one-off watering holes, APT24 leveraged a single upstream provider to reach a broad audience and then applied the same Windows-focused fingerprinting logic before serving BadAudio. That combination of targeted victim selection and scaled distribution marks the campaign as a mature espionage effort rather than an opportunistic smash-and-grab.

Pivot to spearphishing and cloud-storage lures

As defenders improved visibility on compromised sites and supply-chain abuse, APT24 shifted again. Recent observations show the group layering targeted spearphishing and links shared via popular cloud-storage platforms into the same overarching campaign. Instead of waiting for victims to browse to a compromised site, the operators now send tailored emails that point to archives or installers hosted on reputable services. Those containers hold BadAudio loaders and helper scripts that unpack the malware on victim hosts.

Because many organizations implicitly trust links to mainstream cloud providers, these lures often slip past basic filters and land directly in user inboxes. The archive format also lets the group bundle multiple components (legitimate decoy content, the malicious DLL and a launcher) inside a single download. As a result, APT24 can reuse infrastructure and tooling while cycling through new email themes and document pretexts that align with each target's sector.

Google's response and inner-loop disruption

Google's Threat Intelligence team has not treated BadAudio as just another IOC set. Once analysts tied the loader and infrastructure to APT24, they added identified domains, websites and files to Safe Browsing blocklists and initiated victim notifications with technical detail for affected site owners.

This response matters for two reasons. First, it raises the cost of infrastructure reuse for APT24, because each burned domain or file hash forces them to rotate assets. Second, it gives compromised website operators a clearer path to remediation instead of leaving them to discover the issue through vague user complaints or third-party scanners. Even so, the campaign’s three-year lifetime shows that accurate detection and broad coverage rarely arrive on day one, especially when an actor invests heavily in obfuscation and multi-vector delivery.

Defensive focus: hunting for BadAudio and disrupting the chain

Security teams that track PRC-nexus activity should treat BadAudio as a high-value hunting target. Because the loader sends encrypted host profiles inside HTTP cookie headers, defenders can search proxy and web-gateway logs for suspicious cookies tied to known BadAudio domains or paths. They can also instrument EDR telemetry to look for DLL sideloading patterns where a legitimate executable suddenly loads an unusual library from a writable directory.

In addition, defenders can build detections around characteristic behaviors instead of exact hashes. For example, they can flag processes that decrypt AES-protected blobs and immediately allocate executable memory, or they can watch for outbound connections that follow a “fingerprint-then-payload” pattern to infrastructure recently added to threat-intel feeds. When organizations run internal YARA or similar scanners, they can incorporate BadAudio-specific rules from public research to sweep endpoints for dormant copies that never executed but still sit on disk.
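The DLL-sideloading hunt above is easy to express as a rule over image-load telemetry once the signals are named: a signed process loading a module from a user-writable directory, a module whose signer does not match the process, and a module carrying the name of a Windows system DLL while living outside the Windows directory. The following Python is an added example for this article, not a rule from Google's report or from any EDR product. The event schema (process path and signer, module path and signer) and the events themselves are constructed; the DLL-name list stands in for an analyst-maintained list and the scoring weights are assumptions.

```python
"""Score EDR-style image-load events for DLL sideloading (added example)."""
from pathlib import PureWindowsPath

# Constructed image-load events in an assumed schema; not real telemetry.
SAMPLE_EVENTS = [
    {"event": "image_load", "pid": 4120,
     "process": r"C:\Program Files\VendorApp\app.exe", "process_signer": "Vendor Inc.",
     "module": r"C:\Windows\System32\version.dll", "module_signer": "Microsoft Windows"},
    {"event": "image_load", "pid": 5561,
     "process": r"C:\Users\alice\AppData\Local\Temp\ExtractedUpdate\app.exe", "process_signer": "Vendor Inc.",
     "module": r"C:\Users\alice\AppData\Local\Temp\ExtractedUpdate\version.dll", "module_signer": None},
    {"event": "image_load", "pid": 7002,
     "process": r"C:\Program Files\Other\tool.exe", "process_signer": "Other Ltd",
     "module": r"C:\Program Files\Other\helper.dll", "module_signer": "Other Ltd"},
    {"event": "image_load", "pid": 8100,
     "process": r"C:\Users\bob\Downloads\Installer\viewer.exe", "process_signer": "Viewer Corp",
     "module": r"C:\Users\bob\Downloads\Installer\plugin.dll", "module_signer": "Viewer Corp"},
]

# Locations a standard user can write to (assumed default Windows layout).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WINDOWS_PREFIX = "c:\\windows\\"
# Names of DLLs that normally live under C:\Windows; an analyst-maintained list (example entries).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}


def _norm(path: str) -> str:
    """Lower-case, backslash-normalised path for prefix comparisons."""
    return str(PureWindowsPath(path)).lower()


def is_user_writable(path: str) -> bool:
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def score_image_load(ev: dict) -> tuple:
    """Return (score, reasons) for one image-load event; weights are assumptions."""
    module = _norm(ev["module"])
    if not is_user_writable(ev["module"]) and module.startswith(WINDOWS_PREFIX):
        return 0, ["module loaded from the Windows directory"]   # the expected case
    score, reasons = 0, []
    if is_user_writable(ev["module"]):
        score += 1
        reasons.append("module in user-writable directory")
    if ev.get("process_signer") and ev.get("module_signer") != ev["process_signer"]:
        score += 1
        reasons.append("signed process loaded a module with a different or missing signature")
    if PureWindowsPath(ev["module"]).name.lower() in SYSTEM_DLL_NAMES:
        score += 2
        reasons.append("system DLL name loaded from outside the Windows directory")
    return score, reasons


def find_sideloads(events: list, threshold: int = 3) -> list:
    """Return alerts for image-load events scoring at or above threshold."""
    alerts = []
    for ev in events:
        if ev.get("event") != "image_load":
            continue
        score, reasons = score_image_load(ev)
        if score >= threshold:
            alerts.append({"pid": ev["pid"], "process": ev["process"],
                           "module": ev["module"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_sideloads(SAMPLE_EVENTS):
        print(alert["pid"], alert["module"], alert["reasons"])
```

The fourth event (a signed viewer loading its own signed plugin from Downloads) scores 1 and stays below the threshold, which is the behaviour you want: the rule keys on the mismatch between a trusted executable and an untrusted or misplaced library, not on user directories alone, so ordinary portable applications do not flood the queue.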

Because APT24 clearly adapts delivery methods over time, network defenders should not anchor their entire strategy on a single vector such as watering holes. Instead, they should align controls across email, web, endpoint and identity, then examine how those layers intersect around BadAudio-like activity.

Strategic lessons from the BadAudio campaign

From a strategic perspective, BadAudio illustrates several trends in modern espionage tradecraft. First, state-aligned actors now treat custom loaders as long-term investments, maintain them for years and apply heavy obfuscation so those assets stay productive. Second, delivery paths evolve continuously: a single campaign can move from watering holes to supply-chain compromises and finally to cloud-storage phishing, all while using the same core malware. Third, regional service providers such as marketing firms that host JavaScript libraries have become prime targets because they offer scaled access to downstream organizations that never interact directly with the attacker.

For defenders, that reality means traditional perimeter thinking no longer suffices. Organizations must extend their risk lens to include the third-party platforms that supply scripts, libraries and content to their websites, and they must track loader-style malware with the same intensity they reserve for flagship backdoors and implants.

FAQs

Q1: What distinguishes BadAudio from other APT loaders?

BadAudio combines several characteristics that make it stand out: heavy control-flow obfuscation, DLL search-order hijacking for execution, AES-encrypted C2 traffic and the use of HTTP cookies as a data channel. Many loaders implement one or two of these techniques; BadAudio uses all of them in a cohesive way and stays tied to a persistent, multi-year campaign rather than a short-lived intrusion set.

Q2: Does BadAudio itself exfiltrate data?

Public reporting describes BadAudio primarily as a downloader and first-stage access tool. It gathers limited host information to help the operator decide which payload to send next, but it does not appear to handle extensive data theft on its own. Instead, it typically delivers frameworks like Cobalt Strike Beacon or other implants that manage lateral movement, credential theft and exfiltration.

Q3: Which sectors should prioritize detection efforts against BadAudio?

Google and other researchers have not restricted APT24’s targeting to a single vertical. However, the campaign’s focus on strategic web compromises, regional service providers and tailored phishing suggests that government entities, technology firms, defense-adjacent organizations and companies operating in East Asia sit especially high in the risk profile. Any Windows-heavy environment that depends on third-party web content distribution should treat BadAudio hunting as a priority. 

Q4: What is the single most effective defensive step against BadAudio-style loaders?

There is no silver bullet; however, strengthening detection and response around DLL sideloading and unusual child processes from trusted applications often yields the highest return. When combined with robust web-filtering that consumes Safe Browsing-style threat intelligence and disciplined patching on internet-facing sites, this approach cuts off both delivery paths and post-execution maneuvering for BadAudio and similar loaders.
