APT24, a threat actor attributed to a Chinese cyber criminal group, has been observed employing multiple techniques to deploy malware as part of a three-year-long cyberespionage campaign, Google reports.
Also tracked as G0011, Pitty Panda, and Pitty Tiger, APT24 has been active since at least 2008, mainly relying on spear phishing and social engineering to achieve its goals.
As part of the long-standing campaign tracked by Google Threat Intelligence Group (GTIG), the APT has updated its techniques, adding strategic web compromises and repeatedly compromising a regional digital marketing firm to mount supply chain attacks against organizations in Taiwan.
In these attacks, APT24 has used a custom C++ first-stage downloader dubbed BadAudio, designed to fetch, decrypt, and execute an AES-encrypted payload from its hardcoded command-and-control (C&C) server.
“The malware collects basic system information, encrypts it using a hard-coded AES key, and sends it as a cookie value with the GET request to fetch the payload,” which is decrypted using the same key, and then executed in memory, GTIG explains.
BadAudio is deployed as a DLL and relies on DLL search order hijacking for execution. Recent versions have been dropped in archives that also contain VBS, BAT, and LNK files designed to automate the malware’s placement, establish persistence, and trigger the DLL’s sideloading.
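The check-in pattern GTIG describes (an encrypted system profile smuggled into the cookie of a GET request) has a detectable shape on the wire: a long, high-entropy cookie value. The following is an added detection example, not code from Google's report or from the malware; the proxy log format, cookie names, and the base64 blob standing in for the AES-encrypted profile are all constructed.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample proxy log lines (not real APT24 traffic).
# The second line mimics a beacon: a 64-character base64 blob in a cookie,
# a stand-in for an encrypted system profile (not real ciphertext).
SAMPLE_LOG = [
    "GET http://www.example.invalid/ Cookie: session=abc123; lang=en",
    "GET http://c2-placeholder.invalid/update Cookie: id="
    + base64.b64encode(bytes(range(48))).decode(),
    "GET http://www.example.invalid/news Cookie: theme=dark",
]

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) Cookie: (?P<cookies>.*)$")


def shannon_entropy(s: str) -> float:
    """Bits per character. Natural text sits around 4 or lower, hex tops out
    at 4, and encrypted-then-base64 data approaches 6."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cookies(header: str) -> dict:
    """Split 'a=1; b=2' into a dict; pairs without '=' are ignored."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}


def suspicious_cookie_beacons(lines, min_len=32, min_entropy=4.5):
    """Return (url, cookie_name, entropy) for GET requests whose cookie value
    is both long and high-entropy, i.e. the shape of an encrypted blob rather
    than a session id or preference. Thresholds are tuning knobs, not facts."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        for name, value in parse_cookies(m.group("cookies")).items():
            ent = shannon_entropy(value)
            if len(value) >= min_len and ent >= min_entropy:
                hits.append((m.group("url"), name, round(ent, 2)))
    return hits
```

Legitimate base64-encoded session cookies also clear these thresholds, so treat a hit as a triage signal to be combined with the rarity of the cookie name and destination host, not as a verdict on its own.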
In one attack, the hackers used BadAudio to deploy a Cobalt Strike beacon containing a relatively unique watermark observed in another APT24 campaign. However, it is unclear if Cobalt Strike was deployed in all incidents.
Starting in November 2022, the APT has compromised at least 20 websites, injecting a malicious JavaScript payload that would target Windows systems for reconnaissance and victim validation.
Subsequently, a pop-up dialog would be displayed to convince the victim to download and run BadAudio.
In July 2024, the hackers compromised a regional digital marketing firm in Taiwan, affecting over 1,000 domains as part of the supply chain attack. Over the past year, the APT re-compromised the firm multiple times.
Initially, the threat actor injected a malicious script into a JavaScript library provided by the marketing firm. In a re-compromise identified in July 2025, they placed the script in a JSON file loaded by another modified JavaScript file.
In June 2025, the APT employed conditional script loading keyed on the ID of the website loading the compromised third-party scripts, indicating tailored targeting of a single domain. In August, however, the conditions were lifted and 1,000 sites loaded the malicious script.
Simultaneously, the group conducted highly targeted social engineering attacks. It was also seen abusing legitimate cloud storage platforms for malware distribution and using pixel tracking links to keep track of victims opening their emails.
“This nearly three-year campaign is a clear example of the continued evolution of APT24’s operational capabilities and highlights the sophistication of [China]-nexus threat actors.
The use of advanced techniques like supply chain compromise, multi-layered social engineering, and the abuse of legitimate cloud services demonstrates the actor’s capacity for persistent and adaptive espionage,” GTIG notes.
