TL;DR
Google's Threat Intelligence Group is tracking a three-year campaign by APT24, a PRC-nexus actor, that uses a custom, heavily obfuscated downloader called BADAUDIO to gain persistent access to networks. The group has moved from opportunistic website compromises to targeted supply-chain intrusions and spear-phishing, including repeated compromises of a Taiwanese marketing firm.
What happened
GTIG analyzed a sustained espionage operation by APT24 that has used a custom C++ first-stage downloader named BADAUDIO to establish footholds. BADAUDIO typically appears as a malicious DLL and uses DLL search order hijacking and encrypted archives with supporting VBS, BAT and LNK files to place and sideload the DLL via legitimate executables. The loader collects simple host details, hashes them, and embeds the result in an HTTP cookie while requesting an AES-encrypted payload from hard-coded command-and-control servers; that payload has, in at least one observed case, been a Cobalt Strike Beacon. The malware employs advanced obfuscation, including control flow flattening, to frustrate analysis.

Delivery methods have evolved since 2022: early operations relied on broad strategic web compromises that used fingerprinting and fake update dialogs to trick Windows visitors, while later activity included a July 2024 supply-chain compromise of a Taiwan digital marketing firm that affected over 1,000 domains and was followed by repeated re-compromises, plus targeted phishing campaigns. GTIG added identified infrastructure to Safe Browsing blocklists and notified victims.
Why it matters
- Supply-chain intrusions can scale compromises widely and persist when the supplier is repeatedly re-compromised.
- Sophisticated obfuscation and in-memory execution make detection and reverse engineering more difficult for defenders.
- Use of legitimate application sideloading and encrypted payloads can reduce obvious forensic indicators on infected hosts.
- Targeting that shifted toward organizations in Taiwan indicates selective, regional focus rather than purely opportunistic infections.
Key facts
- Campaign tracked over three years by Google Threat Intelligence Group.
- Threat actor identified as APT24 and described as PRC-nexus.
- BADAUDIO is a custom C++ first-stage downloader that retrieves AES-encrypted payloads from hard-coded C2 servers.
- BADAUDIO uses control flow flattening to heavily obfuscate its code and impede analysis.
- Typical execution chain leverages DLL search order hijacking (sideloading) and encrypted archives with VBS, BAT, and LNK helpers.
- The loader collects hostname, username, and architecture, hashes that data, and places it in a cookie parameter when beaconing.
- At least one observed payload decrypted by BADAUDIO was a Cobalt Strike Beacon carrying a watermark previously linked to APT24.
- Delivery mechanisms evolved from broad strategic web compromises using fingerprinting JS to supply-chain compromise and spear-phishing.
- In July 2024 APT24 compromised a regional Taiwan digital marketing firm, impacting more than 1,000 domains; the firm was subsequently re-compromised multiple times.
- GTIG added identified websites, domains, and files to Safe Browsing blocklists and issued victim notifications to help remediation.
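The beaconing pattern in the key facts (host details hashed into a cookie, sent to a hard-coded C2) is easier to hunt for once you see its shape. The following is an added example written for this summary, not BADAUDIO's code or a GTIG tool: it reconstructs what such a cookie looks like and then flags digest-shaped cookies to unlisted hosts in constructed proxy log lines. The hash algorithm (SHA-256), field order, cookie name, log format, host names and allowlist are all assumptions for illustration; the report does not specify them.

```python
"""Reconstruct the beacon shape described above and flag it in proxy logs.
Example code added to this summary, not BADAUDIO's code: the hash algorithm
(SHA-256), field order, cookie name and log format are assumptions."""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

HASH_HEX_LENGTHS = {32, 40, 64}        # MD5, SHA-1, SHA-256 hex digests
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>https?://\S+) '
    r'cookie="(?P<cookie>[^"]*)"$'
)


def host_fingerprint(hostname, username, arch):
    """Hash host details the way a first-stage loader might before beaconing.
    Assumption: SHA-256 over a fixed join order; the real algorithm is not given."""
    return hashlib.sha256(f"{hostname}|{username}|{arch}".encode()).hexdigest()


@dataclass
class ProxyEvent:
    ts: str
    src: str
    host: str
    path: str
    cookie: str


def parse_line(line):
    """Parse one line of the assumed proxy log format; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    return ProxyEvent(m["ts"], m["src"], url.hostname, url.path, m["cookie"])


def hashlike_cookie_values(cookie):
    """Cookie name/value pairs whose value is a bare hex digest of a common length."""
    out = []
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        value = value.strip()
        if len(value) in HASH_HEX_LENGTHS and HEX_RE.match(value):
            out.append((name.strip(), value))
    return out


def find_suspect_beacons(lines, allowed_hosts):
    """Digest-shaped cookies sent to hosts outside the allowlist."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.host in allowed_hosts:
            continue
        for name, value in hashlike_cookie_values(ev.cookie):
            hits.append((ev.src, ev.host, name, value))
    return hits


def repeat_counts(hits):
    """Same source, host and digest seen more than once: a beacon cadence,
    not a one-off session cookie."""
    return Counter((src, host, value) for src, host, _, value in hits)


# Constructed sample proxy log (not real traffic). The suspicious entries reuse
# one fixed digest from the same source, as a hashed host identity would.
FAKE_ID = host_fingerprint("WS01", "alice", "AMD64")
SAMPLE_LOG = [
    '2024-07-15T10:02:11Z 10.0.0.5 GET https://intranet.example/portal cookie="PHPSESSID=5f4dcc3b5aa765d61d8327deb882cf99"',
    f'2024-07-15T10:02:13Z 10.0.0.5 GET https://cdn-update-check.example/api/v1/check cookie="id={FAKE_ID}"',
    '2024-07-15T10:02:20Z 10.0.0.7 GET https://news.example/latest cookie="theme=dark; lang=en"',
    f'2024-07-15T10:03:13Z 10.0.0.5 GET https://cdn-update-check.example/api/v1/check cookie="id={FAKE_ID}"',
]
ALLOWED_HOSTS = {"intranet.example"}

if __name__ == "__main__":
    hits = find_suspect_beacons(SAMPLE_LOG, ALLOWED_HOSTS)
    for key, n in repeat_counts(hits).items():
        print(n, key)
```

The allowlist matters: many legitimate session cookies (the PHPSESSID on the intranet host above) are also hex digests, so the signal is a digest-shaped cookie that repeats with a fixed value from one source to a host nobody in the environment has a business relationship with, not the hex string by itself.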
What to watch next
- Malicious or modified JavaScript that performs browser fingerprinting (e.g., FingerprintJS usage) and injects fake update dialogs to Windows visitors.
- Artifacts of DLL search order hijacking and unexpected DLLs loaded alongside legitimate executables, plus presence of encrypted archive helpers (VBS, BAT, LNK).
- HTTP requests to unusual domains carrying long, hashed cookie values that may represent beaconing and payload retrieval.
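The sideloading layout in the second watch item is a file-system pattern and can be scanned for directly. Below is an added example written for this summary (not a GTIG tool): it walks a directory tree, reports any DLL next to an executable whose name matches a library Windows would normally resolve from System32, lists VBS/BAT/LNK helpers in the same folder, and, where a reference copy is available, compares hashes. The DLL-name set, the sample tree and the file contents are constructed for illustration; on a real host you would build the name set from the actual System32 listing.

```python
"""Scan an application directory tree for the sideloading layout described
above: a DLL that shares the name of a system library sitting next to a
legitimate executable, plus VBS/BAT/LNK helpers. Example code added to this
summary, not a GTIG tool; the DLL-name set and sample tree are illustrative."""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional

# Illustrative set of library names normally resolved from System32; on a live
# host, build this set from the real %SystemRoot%\System32 listing instead.
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll"}
HELPER_SUFFIXES = {".vbs", ".bat", ".lnk"}


@dataclass
class Finding:
    exe: Path
    dll: Path
    helpers: list = field(default_factory=list)
    hash_mismatch: Optional[bool] = None  # None when no reference copy to compare


def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_tree(root, system_dir=None, system_dll_names=SYSTEM_DLL_NAMES):
    """For every .exe under root, report co-located DLLs that shadow a system
    library name; compare against the copy in system_dir when one exists."""
    findings = []
    for exe in sorted(Path(root).rglob("*.exe")):
        folder = exe.parent
        helpers = sorted(p.name for p in folder.iterdir()
                         if p.suffix.lower() in HELPER_SUFFIXES)
        for dll in sorted(p for p in folder.iterdir() if p.suffix.lower() == ".dll"):
            if dll.name.lower() not in system_dll_names:
                continue
            mismatch = None
            if system_dir is not None:
                ref = Path(system_dir) / dll.name.lower()
                if ref.is_file():
                    mismatch = sha256_file(ref) != sha256_file(dll)
            findings.append(Finding(exe, dll, helpers, mismatch))
    return findings


def build_sample_tree(base):
    """Constructed layout for demonstration: one suspicious vendor folder and
    one benign folder whose private DLL has a non-system name."""
    base = Path(base)
    sys32 = base / "sys32"
    sys32.mkdir()
    (sys32 / "version.dll").write_bytes(b"genuine version.dll bytes")
    app = base / "Program Files" / "Vendor"
    app.mkdir(parents=True)
    (app / "vendor.exe").write_bytes(b"MZ legitimate signed executable")
    (app / "version.dll").write_bytes(b"MZ attacker-supplied loader")
    (app / "setup.bat").write_text("start vendor.exe\n")
    (app / "README.lnk").write_bytes(b"L\x00\x00\x00")
    tools = base / "tools"
    tools.mkdir()
    (tools / "tool.exe").write_bytes(b"MZ tool")
    (tools / "toolcore.dll").write_bytes(b"MZ private helper")
    return base, sys32


def scan_sample_tree():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, sys32 = build_sample_tree(tmp)
        return scan_tree(root, system_dir=sys32)


if __name__ == "__main__":
    for f in scan_sample_tree():
        print(f"{f.exe.name}: {f.dll.name} (hash mismatch={f.hash_mismatch}) "
              f"helpers={f.helpers}")
```

A name match alone is only a lead: some vendors legitimately ship a private copy of a system-named DLL. The hash comparison and the presence of script helpers next to the executable are what turn the lead into something worth pulling the DLL for analysis.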
Quick glossary
- Advanced Persistent Threat (APT): A resourceful and often state-linked threat actor or group that conducts long-term cyber espionage or intrusion campaigns against specific targets.
- Cobalt Strike Beacon: A post-exploitation payload commonly used for remote command-and-control, lateral movement, and payload staging; distributed commercially as an adversary simulation tool but frequently abused by threat actors.
- DLL search order hijacking (sideloading): A technique where attackers place a malicious DLL in a location where a legitimate application will load it instead of the intended library, causing execution under the context of a trusted process.
- Control flow flattening: An obfuscation method that restructures program logic into dispatcher-controlled blocks to make static and dynamic analysis of code paths more difficult.
- Supply-chain attack: An intrusion that targets software, service, or distribution providers to compromise downstream customers by altering legitimate components or infrastructure.
Reader FAQ
Who is APT24?
Described in the report as a PRC-nexus threat actor conducting long-running cyber espionage.
What is BADAUDIO?
A custom C++ first-stage downloader that uses heavy obfuscation, collects basic host data, and fetches AES-encrypted payloads from hard-coded C2 servers.
Does BADAUDIO always deploy Cobalt Strike?
Not confirmed in the source.
What actions did GTIG take after discovery?
GTIG added identified sites, domains, and files to Safe Browsing blocklists and issued victim notifications with technical details to affected organizations.

Written by: Harsh Parashar, Tierra Duncan, Dan Perez
Google Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by APT24, a People's Republic of China (PRC)-nexus…
Sources
- Beyond the Watering Hole: APT24's Pivot to Multi-Vector Attacks (Google Threat Intelligence Group)
- New Chrome Zero-Day, Sneaky 2FA Phishing Kit …