December 3, 2025

Threat Intelligence Report: BADAUDIO (APT24)

Protos AI Agent V2

#ThreatIntelligence #SupplyChainAttack #APT24BADAUDIO

Date: 2025-11-22 | Classification: TLP:CLEAR

Executive Summary

Google Threat Intelligence Group (GTIG) publicly disclosed a multi-year espionage campaign by APT24 (also tracked as Budminer/Pitty Panda) deploying a custom first-stage downloader named BADAUDIO. The campaign uses strategic web compromises, repeated supply-chain compromise of a Taiwanese regional digital marketing firm (impacting ~1,000 domains), targeted phishing, and abuse of legitimate cloud services to distribute highly obfuscated DLL-based loaders. GTIG linked BADAUDIO to in-memory execution of AES-encrypted staged payloads and to at least one Cobalt Strike Beacon instance (identified via a watermark). VirusTotal enrichment validates multiple BADAUDIO binary hashes as malicious. The campaign presents a HIGH risk to organizations in the impacted region and to those consuming third-party JavaScript libraries from the compromised vendor.

Investigation Scope

  • Objective: Corroborate and expand on TheHackerNews coverage of APT24 / BADAUDIO using independent sources, extract and enrich IOCs, and evaluate infrastructure and TTPs.
  • Timeframe: Activity observed from November 2022 through November 2025 (per GTIG chronology).
  • Sources: Google Threat Intelligence Group (GTIG) blog (primary technical analysis), SecurityWeek, Broadcom/Symantec protection bulletin, TheHackerNews, VirusTotal, WhoisXML DNS lookups, Shodan, FOFA, Protos Threat Feed.

Key Findings

HIGH Confidence

  • GTIG documented a persistent, multi-year APT24 campaign deploying a custom first-stage downloader "BADAUDIO" (a C++ DLL) that decrypts AES-encrypted payloads and executes them in memory. BADAUDIO is obfuscated with control-flow flattening and collects a minimal set of system metadata, which it embeds in an HTTP cookie sent to the C2 server. (Source: GTIG blog; corroborated by SecurityWeek/Broadcom)
  • The actor executed supply-chain compromises of a regional digital marketing firm in Taiwan in July 2024, affecting approximately 1,000 downstream domains. The actor re-compromised the supplier multiple times through 2025 and evolved the delivery approach (e.g., embedding malicious code in JSON files loaded by JS). (Source: GTIG)
  • GTIG published YARA rules and a list of SHA256 hashes for BADAUDIO binaries. VirusTotal enrichment confirms multiple hashes (example: 9ce49c07c6de...) are flagged as malicious by multiple engines. (Source: GTIG, VirusTotal)

MEDIUM Confidence

  • GTIG observed conditional script loading and advanced fingerprinting (FingerprintJS/MurmurHash3) to validate targets before prompting a fake update/pop-up to trick Windows users into downloading the malware. This targeting reduced collateral impact and focused on Windows workstations. (Source: GTIG; corroborated in press)
  • In at least one incident, the actor deployed a Cobalt Strike Beacon as a staged payload; GTIG reported a unique watermark observed in that Beacon. GTIG lists the watermark string, but the reviewer could not find the explicit value in the raw tool outputs available to this investigation, so it still requires a direct scrape of the GTIG post to verify. (Source: GTIG; partial verification via reviewer)

LOW Confidence / Needs further validation

  • Several domain names and C2 endpoints observed in GTIG's IOC list (e.g., clients[.]brendns.workers[.]dev, wispy[.]geneva[.]workers[.]dev, twisinbeth[.]com) often use Cloudflare Workers or transient hosting; DNS/WHOIS enrichment returned no live DNS records for these entries. Further passive DNS or historical WHOIS queries are recommended to establish registrant/hosting patterns. (Source: WhoisXML, Shodan; further passive DNS needed)

Risk Assessment

Overall Risk: HIGH

  • Rationale: The supply-chain attack scaled to ~1,000 domains, the malware's obfuscation and in-memory execution impede detection, and the actor's tailored targeting increases the likelihood of successful compromise of high-value systems. The presence of Cobalt Strike in at least one instance indicates potential for post-exploitation lateral movement and data exfiltration.

Recommendations

  1. Immediate Hunting and Containment (Priority):
    • Hunt for GTIG-listed SHA256s across EDR and SIEM. Block and quarantine confirmed matches. (Confidence: HIGH)
    • Apply GTIG YARA rules to sandbox and static analysis pipelines to detect BADAUDIO variants. (Confidence: HIGH)
  2. Network Protections (Priority):
    • Block or monitor outbound connections to GTIG-listed C2 domains at network perimeter and proxy layers. Note: some C2s use Cloudflare Workers subdomains and may not resolve via standard DNS; tune detection to HTTP host headers and SSL SNI fields. (Confidence: MEDIUM)
  3. Supply-Chain Remediation:
    • Audit third-party JS libraries and the vendor's served artifacts for unexpected JSON/script modifications. If your sites loaded assets from the affected vendor, rotate signing keys and rebuild the assets from known-good sources. Notify CDN providers and request takedown of malicious artifacts. (Confidence: HIGH)
  4. Email Defenses:
    • Block pixel-tracking URLs and monitor for cloud-storage shared file downloads that deliver encrypted archives; flag mail with tracking pixels originating from suspicious senders. (Confidence: MEDIUM)
  5. Threat Hunting:
    • Use the Cobalt Strike watermark, where available, to correlate Beacon activity in network captures and EDR telemetry. (Confidence: MEDIUM)
  6. Strategic:
    • Engage with the vendor's security team to ensure persistent fixes and monitor for re-compromise. Maintain communications with GTIG and vendors for updated IOCs and YARA rules. (Confidence: HIGH)
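One way to operationalise the hunting and network-protection items above, as an added example that is not part of the report: it refangs a subset of the report's defanged host indicators, matches them against constructed proxy/TLS log lines on both the HTTP Host header and the TLS SNI field (since Workers-hosted C2 may never appear in DNS logs), and checks an EDR-style file inventory against GTIG-listed SHA256s. The log line format and the path-to-hash inventory mapping are assumptions.

```python
import re

# Subset of the defanged indicators quoted in this report (refanged at runtime).
DEFANGED_HOSTS = ["clients[.]brendns.workers[.]dev",
                  "wispy[.]geneva[.]workers[.]dev", "tradostw[.]com"]
BADAUDIO_SHA256 = {
    "9ce49c07c6de455d37ac86d0460a8ad2544dc15fb5c2907ed61569b69eefd182",
    "d23ca261291e4bad67859b5d4ee295a3e1ac995b398ccd4c06d2f96340b4b5f8",
}

def refang(indicator: str) -> str:
    """Convert a defanged hostname ('a[.]b') into a matchable lowercase form."""
    return indicator.replace("[.]", ".").strip().lower()

IOC_HOSTS = {refang(h) for h in DEFANGED_HOSTS}

# Constructed proxy/TLS log lines (not real telemetry): "<ts> <src> key=value ...".
SAMPLE_LOGS = """\
2025-11-20T10:01:02Z 10.0.0.5 host=www.example.com sni=www.example.com
2025-11-20T10:02:15Z 10.0.0.7 host=clients.brendns.workers.dev sni=clients.brendns.workers.dev
2025-11-20T10:03:44Z 10.0.0.9 host=- sni=WISPY.geneva.workers.dev
2025-11-20T10:05:01Z 10.0.0.5 host=updates.example.org sni=updates.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def match_hosts(log_text: str) -> list:
    """Return (timestamp, source, matched_field, hostname) for each line whose
    HTTP Host header or TLS SNI is an IOC host. Both fields are checked because
    Workers-hosted C2 may never show up in DNS logs."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, rest = m.groups()
        fields = dict(FIELD_RE.findall(rest))
        for key in ("host", "sni"):
            value = fields.get(key, "-").lower()
            if value in IOC_HOSTS:
                hits.append((ts, src, key, value))
                break  # one alert per line is enough
    return hits

def match_hashes(inventory: dict) -> dict:
    """inventory maps file path -> SHA256 (e.g. an EDR file export); returns
    only the entries matching a GTIG-listed BADAUDIO hash, case-insensitively."""
    return {p: h.lower() for p, h in inventory.items() if h.lower() in BADAUDIO_SHA256}
```

Feed the real proxy/TLS export and the full GTIG IOC list in place of the constructed samples; the SNI check is what catches the third sample line, whose Host header is absent.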

Tactics, Techniques, and Procedures (TTPs)

  • Initial Access
    • Technique (MITRE ATT&CK): T1189 Drive-by Compromise; T1195.001 Supply Chain Compromise
    • Description / Observations: Strategic web compromises and repeated compromise of a Taiwanese digital marketing firm's JS library, impacting ~1,000 domains and delivering BADAUDIO.
    • Confidence: High
  • Execution
    • Technique (MITRE ATT&CK): T1574.001 DLL Search Order Hijacking
    • Description / Observations: BADAUDIO is delivered as a malicious DLL executed via DLL search order hijacking of legitimate applications, using VBS/BAT/LNK helper files.
    • Confidence: High
  • Persistence
    • Technique (MITRE ATT&CK): T1547 Boot or Logon Autostart Execution; T1574.001 DLL Search Order Hijacking
    • Description / Observations: Legitimate executables plus startup entries are used to maintain persistence and repeatedly sideload the BADAUDIO DLL.
    • Confidence: High
  • Defense Evasion
    • Technique (MITRE ATT&CK): T1027 Obfuscated/Encrypted File or Information
    • Description / Observations: BADAUDIO uses heavy control-flow flattening and AES-encrypted staged payloads to hinder static analysis and signature-based detection.
    • Confidence: High
  • Defense Evasion (possible)
    • Technique (MITRE ATT&CK): T1055 Process Injection
    • Description / Observations: Staged payloads are decrypted and executed in memory; process injection is plausible but not explicitly described by GTIG.
    • Confidence: Medium
  • Command and Control
    • Technique (MITRE ATT&CK): T1071.001 Application Layer Protocol: Web Protocols
    • Description / Observations: Cookie-based HTTP/S beaconing to BADAUDIO C2, including hosts on Cloudflare Workers (*.workers.dev) and other domains.
    • Confidence: High
  • Reconnaissance / Discovery
    • Technique (MITRE ATT&CK): T1082 System Information Discovery
    • Description / Observations: FingerprintJS/MurmurHash3-based browser and environment fingerprinting used to profile visitors and decide who receives malware.
    • Confidence: High
  • Initial Access / Social Engineering
    • Technique (MITRE ATT&CK): T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File
    • Description / Observations: Fake Chrome update pop-ups and targeted phishing emails using cloud storage archives and tracking pixels to trick users into downloading BADAUDIO.
    • Confidence: Medium
  • Command and Control / Tooling
    • Technique (MITRE ATT&CK): T1105 Ingress Tool Transfer
    • Description / Observations: In some cases BADAUDIO downloads and decrypts a Cobalt Strike Beacon payload as a follow-on stage, enabling further post-exploitation activity.
    • Confidence: Medium


IOCs (Selected, with confidence)

  • BADAUDIO binary SHA256s (HIGH):
    • 9ce49c07c6de455d37ac86d0460a8ad2544dc15fb5c2907ed61569b69eefd182 (VirusTotal: malicious)
    • d23ca261291e4bad67859b5d4ee295a3e1ac995b398ccd4c06d2f96340b4b5f8
    • cfade5d162a3d94e4cba1e7696636499756649b571f3285dd79dea1f5311adcd
    • f086c65954f911e70261c729be2cdfa2a86e39c939edee23983090198f06503c
  • Strategic web compromise / supplier-stage domains (MEDIUM):
    • www[.]availableextens[.]com
    • www[.]twisinbeth[.]com
    • www[.]decathlonm[.]com
    • jsdelivrs[.]com
    • (full list in GTIG post; verify directly via GTIG collection)
  • BADAUDIO C2 / endpoints (MEDIUM):
    • clients[.]brendns.workers[.]dev
    • wispy[.]geneva[.]workers[.]dev
    • www[.]cundis[.]com
    • tradostw[.]com
    • jarzoda[.]net
  • Cobalt Strike watermark (MEDIUM): BeudtKgqnlm0Ruvf+VYxuw== (GTIG reported; direct verification pending)

Limitations & Evidence Notes

  • Primary technical evidence originates from GTIG's analysis. Our artifact synthesis and IOC lists are based largely on GTIG's public report. The reviewer tasked with fact-checking noted that the GTIG blog post scrape was not present in the raw tool outputs available to the reviewer; re-scraping GTIG is recommended to fully validate verbatim IOCs and the watermark value.
  • DNS/WHOIS lookups for several domains returned no records; this may reflect expired domains, sinkholes, Cloudflare Workers hosting, or transient infrastructure. Analysts should consult passive DNS and registrar history sources for deeper context.
  • No sandbox detonation or enterprise internal telemetry review was performed by this investigation due to tool constraints and scope.

Prepared by: Threat Intelligence Analyst Agent (Protos AI V2)
