China-linked APT24 hackers have been using a previously undocumented malware called BadAudio in a three-year espionage campaign that recently switched to more sophisticated attack methods.
Since 2022, the malware has been delivered to victims through multiple methods that include spearphishing, supply-chain compromise, and watering hole attacks.
Campaign evolution
From November 2022 until at least September 2025, APT24 compromised more than 20 legitimate public websites across various domains, injecting malicious JavaScript that singled out visitors of interest; targeting was limited exclusively to Windows systems.
Researchers at Google Threat Intelligence Group (GTIG) say that the script fingerprinted visitors who qualified as targets and loaded a fake software update pop-up to lure them into downloading BadAudio.
APT24's fake update pop-up (Source: Google)
Starting in July 2024, APT24 repeatedly compromised a digital marketing company in Taiwan that provides JavaScript libraries to client websites.
Through this tactic, the attackers injected malicious JavaScript into a widely used library that the firm distributed, and registered a domain name that impersonated a legitimate Content Delivery Network (CDN). This enabled the attacker to compromise more than 1,000 domains.
From late 2024 until July 2025, APT24 repeatedly compromised the same marketing firm by injecting malicious, obfuscated JavaScript into a modified JSON file, which was loaded by a separate JavaScript file from the same vendor.
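The supply-chain technique described above (a trusted vendor's library silently modified, and a look-alike CDN domain introduced) is exactly what Subresource Integrity (SRI) and a script-host allowlist are designed to catch on the defending site's side. The following is an added illustration, not code from the report or from Google; the vendor host names, the pinned integrity value and the sample page are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the only external hosts this site expects to load scripts from.
TRUSTED_SCRIPT_HOSTS = {"cdn.example-vendor.test"}


class ScriptTagCollector(HTMLParser):
    """Collect every <script src=...> tag together with its integrity attribute (if any)."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def sri_hash(body: bytes) -> str:
    """Compute the SRI value a browser would compare against (sha384, base64-encoded)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


def audit_page(html: str):
    """Flag external scripts served from a host outside the allowlist or loaded without SRI."""
    parser = ScriptTagCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = urlparse(src).hostname  # None for same-origin paths such as /local.js
        if host is None:
            continue
        if host not in TRUSTED_SCRIPT_HOSTS:
            findings.append(("untrusted-host", src))
        if not integrity:
            findings.append(("missing-sri", src))
    return findings


def library_modified(fetched: bytes, pinned_integrity: str) -> bool:
    """True when the vendor library no longer matches the integrity value pinned at review time."""
    return sri_hash(fetched) != pinned_integrity


# Constructed sample page: one allowlisted script with SRI, one look-alike CDN host without SRI.
SAMPLE_HTML = """
<script src="https://cdn.example-vendor.test/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn-example-vendor.test/lib.js"></script>
<script src="/local.js"></script>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML):
        print(finding)
```

A browser enforcing the `integrity` attribute refuses to execute a library whose content changed after the hash was pinned, so an injected modification of the vendor's file fails closed rather than running.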