Chinese Cyberspies Deploy ‘BadAudio’ Malware via Supply Chain Attacks
securityweek
A Chinese threat actor tracked as APT24 has been observed employing multiple techniques to deploy malware as part of a three-year-long cyberespionage campaign, Google reports.
Also tracked as G0011, Pitty Panda, and Pitty Tiger, APT24 has been active since at least 2008, mainly relying on spear phishing and social engineering to achieve its goals.
As part of the long-standing campaign tracked by Google Threat Intelligence Group (GTIG), the APT has updated its techniques, adding strategic web compromises and repeatedly compromising a regional digital marketing firm in order to mount supply chain attacks against organizations in Taiwan.
In these attacks, APT24 has used a custom C++ first-stage downloader dubbed BadAudio, designed to fetch an AES-encrypted payload from a hardcoded command-and-control (C&C) server, decrypt it, and execute it.
“The malware collects basic system information, encrypts it using a hard-coded AES key, and sends it as a cookie value with the GET request to fetch the ...
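A defender-side triage check for the beaconing pattern described above (a system fingerprint, AES-encrypted and carried as a cookie value on a GET request), added here as an example and not taken from the article or from Google's report. It assumes the encrypted blob is base64-encoded and AES block-aligned, neither of which the article states, and runs over constructed proxy log lines.

```python
import base64
import binascii
import math
from collections import Counter
from urllib.parse import urlparse

# Constructed proxy log lines (not from the article): ts, client, method, url, Cookie header
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z\t10.0.0.5\tGET\thttp://intranet.example.test/home\tsid=a3f9c1d2e4b7; lang=en-US",
    "2024-05-01T10:00:04Z\t10.0.0.9\tGET\thttp://portal.example.test/api\ttoken=dGVzdA==; lang=en-US",
    "2024-05-01T10:00:07Z\t10.0.0.21\tGET\thttp://cdn.example.test/assets/app.js\tsid=Q7kHzLp2W9mVx4J1n8Rt3Yf6Ub5Gd0CeysMAjE+/oTw=",
]

AES_BLOCK = 16      # assumption: ciphertext length is a multiple of the AES block size
MIN_LEN = 32        # ignore short values; an encrypted fingerprint blob is longer than this
ENTROPY_MIN = 4.5   # bits per char: hex tokens top out at 4.0, base64 of random bytes sits near 5.5

def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_opaque_blob(value: str) -> bool:
    # Opaque blob: long, near-random, and valid base64 of an AES block-aligned byte length
    if len(value) < MIN_LEN or shannon_entropy(value) < ENTROPY_MIN:
        return False
    try:
        return len(base64.b64decode(value, validate=True)) % AES_BLOCK == 0
    except (binascii.Error, ValueError):
        return False

def cookie_values(header: str):
    # Yield (name, value) pairs from a Cookie header; a bare blob with no '=' gets an empty name
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        yield (name, value) if sep else ("", name)

def flag_beacons(lines):
    """Return (client, host, cookie name) for GETs whose cookie carries an opaque AES-sized blob."""
    hits = []
    for line in lines:
        _ts, client, method, url, cookie = line.split("\t")
        if method != "GET":
            continue
        for name, value in cookie_values(cookie):
            if is_opaque_blob(value):
                hits.append((client, urlparse(url).hostname, name))
    return hits
```

Legitimate high-entropy session tokens will also trip this, so treat a hit as a triage signal to pair with destination reputation and an allowlist of known cookie names, not as a standalone detection.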
Copyright of this story solely belongs to securityweek.