Google Threat Intelligence Group (GTIG) researchers Harsh Parashar, Tierra Duncan and Dan Perez reported that a China-nexus actor known as APT24 deployed a previously undocumented malware family called BADAUDIO to maintain persistent remote access in a campaign that began in November 2022 and continued into 2025.
APT24, also tracked as Pitty Tiger, has targeted government, healthcare, construction and engineering, mining, nonprofit and telecommunications sectors, researchers said. The group name was assigned in prior reporting, and FireEye analysts have long believed the actor has operated since about 2008, historically using weaponized Office documents that exploited flaws such as CVE-2012-0158 and CVE-2014-1761. Malware families linked to the actor include CT RAT, variants of Enfal/Lurid Downloader and multiple RATs and backdoors.
BADAUDIO is a highly obfuscated C++ downloader that uses techniques such as control flow flattening to resist analysis. GTIG says it typically appears as a malicious DLL that leverages DLL search order hijacking for execution, collects basic system information, and then downloads and decrypts an AES-encrypted payload from a hard-coded command-and-control server; in at least one instance the second-stage payload was a Cobalt Strike Beacon.
The campaign used a mix of watering holes, supply chain compromises and spear-phishing for initial access. From November 2022 to at least September 2025 the actor is estimated to have compromised more than 20 legitimate sites; the injected code excluded visitors on macOS, iOS and Android, fingerprinted the remaining browsers, and served a fake Google Chrome update to deliver BADAUDIO. In July 2024 the group breached a regional digital marketing firm in Taiwan and injected malicious JavaScript into a widely distributed third-party library, enabling the actor to hijack more than 1,000 domains by fetching attacker-controlled scripts from a typosquatted CDN; researchers say that for a ten-day period in August all affected domains were briefly exposed to targeting.
GTIG also attributes targeted phishing since August 2024 to the same activity cluster, with lures tied to an animal rescue organization used to elicit responses and deliver BADAUDIO via encrypted archives hosted on Google Drive and Microsoft OneDrive. The phishing messages included tracking pixels to determine which recipients opened the emails, allowing attackers to tailor subsequent engagement. Researchers warned the combination of supply-chain compromise, multi-layered social engineering and abuse of legitimate cloud services indicates sustained, adaptive espionage capability.
Separately, security firm CyberArmor detailed a related China-nexus campaign named Autumn Dragon targeting government and media organizations in Southeast Asia; that activity uses RAR archives exploiting a WinRAR flaw to deliver staged payloads and employs DLL sideloading and Telegram-based command-and-control. The CyberArmor report describes multi-stage implants capable of running commands, executing DLLs and shellcode, updating configuration and exfiltrating data.