🔴 HIGH intel

APT24 Uses BADAUDIO Malware and Supply Chain Attacks Against Taiwan

APT24, a long-running China-linked hacking group also tracked as G0011, PITTY PANDA and Temp.Pittytiger, has conducted a three-year espionage campaign targeting Taiwanese organizations using a custom downloader family called BADAUDIO. Google Cloud’s threat intelligence team reports that since 2022, APT24 has shifted tactics between watering-hole compromises, JavaScript supply-chain tampering and cloud-storage social engineering to deliver BADAUDIO to victims in the healthcare, construction, engineering, mining and nonprofit sectors. These operations map to MITRE ATT&CK T1189 (Drive-by Compromise), T1195 (Supply Chain Compromise) and T1566 (Phishing) for initial access.

In one notable 2024 incident, APT24 compromised a regional digital marketing firm in Taiwan, weaponizing its widely used JavaScript library to inject malicious scripts across more than 1,000 domains. Earlier phases relied on watering-hole attacks that embedded FingerprintJS-based profiling into 20 websites, selectively serving BADAUDIO installers to high-value visitors. By mid-2024 the group had pivoted to supply-chain insertion and, by May 2025, began distributing encrypted BADAUDIO archives via Google Drive and OneDrive links in socially engineered lures.

After initial execution, BADAUDIO collects host information and establishes persistence; this is often followed by search-order hijacking of legitimate Windows executables to load additional payloads. APT24’s targeting reflects Beijing’s strategic interest in sector-specific intellectual property, particularly in technology and infrastructure projects relevant to Taiwan and the United States. Persistent re-compromise of some victims underscores the group’s commitment and adaptability: the marketing firm hit in 2024 experienced multiple re-intrusions as APT24 updated its infrastructure and techniques. The group’s use of typosquatted CDN domains and mainstream cloud storage further helps it evade simple domain-based blocking and exploit enterprises’ reliance on trusted SaaS providers.

Defending against APT24 requires layered controls at the web, endpoint and identity levels. Organizations should closely monitor for unexpected changes in JavaScript dependencies and implement subresource integrity (SRI) where possible, while logging and reviewing script loads from third-party CDNs. Email and collaboration defenses must inspect links to cloud storage services and detonate archives in sandboxes before delivery. On endpoints, robust EDR coverage with behavioral rules for DLL search-order hijacking and suspicious process chains from Office, browsers and cloud sync clients will improve detection odds.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: APT24’s campaigns threaten Taiwanese and U.S.-aligned organizations with theft of design documents, project plans and sensitive sector data, particularly in healthcare, engineering and critical infrastructure. Compromise of marketing and web-development suppliers can propagate malicious JavaScript to thousands of customer domains, amplifying the blast radius and driving reputational, legal and contractual risk.

Strategic Intelligence Guidance

  • Implement rigorous third-party JavaScript governance by pinning script versions, enabling subresource integrity where possible, and continuously monitoring for unauthorized modifications to hosted libraries.
  • Enhance email and SaaS security controls to inspect links to Google Drive, OneDrive and similar storage platforms, detonating payloads in sandboxes and blocking archives with suspicious content.
  • Harden Windows environments against search-order hijacking by enforcing application allowlisting, limiting write access to installation directories and monitoring for unsigned DLLs loaded by high-value binaries.
  • Develop dedicated playbooks for supply-chain web compromises and watering-hole attacks, including rapid web content audits, customer notification procedures and takedown coordination with hosting and CDN providers.
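The SRI and dependency-monitoring controls recommended above can be exercised with a small audit script. The following is an added example, not code from the report or from Google Cloud; it assumes an operator has already fetched the bytes each third-party script currently serves (a constructed sample stands in for that here) and flags scripts that are unpinned or whose content no longer matches the pinned hash.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


class _ScriptCollector(HTMLParser):
    """Collect (src, integrity) pairs from every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_scripts(html: str, fetched: dict) -> dict:
    """Classify each external script as 'ok', 'tampered' or 'unpinned'; `fetched` maps URL -> served bytes."""
    parser = _ScriptCollector()
    parser.feed(html)
    results = {}
    for src, integrity in parser.scripts:
        if integrity is None:
            results[src] = "unpinned"  # a swapped library would load silently
            continue
        algo = integrity.split("-", 1)[0]
        results[src] = "ok" if sri_hash(fetched.get(src, b""), algo) == integrity else "tampered"
    return results


# Constructed sample: a pinned vendor library, the same file after a simulated
# unauthorized modification, and an unpinned analytics script on a hypothetical page.
CLEAN_LIB = b"window.vendor={init:function(){}};"
MODIFIED_LIB = CLEAN_LIB + b"\n/* simulated unauthorized change */"
LIB_URL = "https://cdn.vendor.example/lib.js"
PAGE = (
    f'<script src="{LIB_URL}" integrity="{sri_hash(CLEAN_LIB)}" crossorigin="anonymous"></script>'
    '<script src="https://analytics.example/a.js"></script>'
)

if __name__ == "__main__":
    print(audit_scripts(PAGE, {LIB_URL: MODIFIED_LIB}))
```

Running the audit on a schedule and diffing its output against the last known-good run turns a silent library swap on a CDN into an alert rather than a browser-side failure.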

Vendors

Google Cloud

Threats

  • APT24
  • BADAUDIO malware
  • Watering-hole attacks
  • JavaScript supply-chain compromise

Targets

  • Taiwanese companies
  • Healthcare sector
  • Construction and engineering firms
  • Nonprofits