Overview
- Google’s Threat Intelligence Group attributes the campaign to the China-linked APT24 group and says activity ran from late 2022 through at least September 2025.
- Compromised sites fingerprinted visitors and showed selective fake software‑update prompts to deliver the Windows‑only loader through watering holes and supply‑chain inserts.
- BadAudio is heavily obfuscated (control-flow flattening) and is loaded through DLL search-order hijacking; once running, it reports host details, then fetches encrypted payloads and executes them in memory via DLL sideloading.
- In one observed case the malware deployed a Cobalt Strike Beacon; shared samples showed weak antivirus visibility, with most flagged by five or fewer VirusTotal engines.
- Parallel spearphishing since August 2024 impersonated animal rescue groups, sometimes hosting encrypted archives on Google Drive or OneDrive and embedding tracking pixels to refine targeting.