BADAUDIO
BADAUDIO is a heavily obfuscated C++ first-stage downloader used by the China-nexus threat actor APT24 in a multi-year cyberespionage campaign active from at least November 2022 through September 2025. It targets Windows systems, with reporting indicating a focus on organizations in Taiwan and the United States across sectors including healthcare, construction, mining, non-profits, and telecommunications. Delivery methods reported include watering-hole attacks on more than 20 legitimate public websites, a supply-chain compromise of a Taiwanese digital marketing firm that affected over 1,000 domains, and spear-phishing campaigns, including lures spoofing an animal rescue organization. Separate campaigns abused Google Drive and OneDrive to distribute encrypted archives containing BADAUDIO, and the phishing emails embedded tracking pixels to confirm when a message had been opened.
Technically, BADAUDIO is a first-stage downloader implemented as a DLL and loaded through DLL search order hijacking. It employs heavy obfuscation, including control flow flattening that disrupts the program's structured logic, to resist reverse engineering and evade detection. The malware gathers host and system information; one report notes that this information was encoded into the Cookie header of requests to command-and-control infrastructure. It then downloads an AES-encrypted payload from a hard-coded C2 server, decrypts it, and executes it, with reporting stating that payloads may be decrypted and run in memory. Observed second-stage payloads include Cobalt Strike Beacon.
Associated campaign tradecraft includes browser fingerprinting with the FingerprintJS library, fake Chrome and other software-update pop-ups, typosquatted CDN infrastructure for delivering the malicious JavaScript, and selective targeting of Windows users while excluding macOS, iOS, and Android visitors. Additional activity described in connection with the broader campaign includes persistent remote access, encrypted payload delivery, and the use of SSH backdoors, certificate spoofing, and proxy routing through hijacked routers. High-confidence indicators cited at a general level include the malicious DLLs, the encrypted archives, suspicious file access, network requests to typosquatted CDN domains, and the related IOC collections Google has published in Google Threat Intelligence (GTI).
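A hunt for the DLL search order hijacking described above, added here as an example (it is not code from the original page or from the APT24 reporting): it parses Sysmon Event ID 7 image-load messages and flags a well-known system DLL name loaded from outside the Windows system directories, adding weight when the file sits beside the loading executable, lives in a user-writable path, or is unsigned. The DLL list, the paths, the user name and the event contents are all constructed for the example.

```python
from pathlib import PureWindowsPath

# Added hunting example; not code from the original page or from the APT24 reporting.
# Assumptions: Sysmon Event ID 7 (Image loaded) messages in their default "Key: Value"
# text rendering; the DLL list and every path below are constructed for the example.

# System DLLs that are frequent search-order-hijack targets. Constructed short list;
# build the real one from a clean host's System32 inventory.
HIJACK_PRONE_DLLS = {
    "version.dll", "dwmapi.dll", "uxtheme.dll", "cryptsp.dll", "wtsapi32.dll",
    "profapi.dll", "userenv.dll", "dbghelp.dll", "winhttp.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_event(text):
    """Parse one Sysmon message body ("Key: Value" per line) into a dict."""
    ev = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key and " " not in key:      # skips the "Image loaded:" title line
            ev[key] = value.strip()
    return ev


def _dir_of(path):
    # Lower-cased parent directory with a trailing backslash, for prefix comparisons.
    return str(PureWindowsPath(path).parent).lower() + "\\"


def assess(ev):
    """Reasons a loaded image looks like DLL search-order hijacking; [] when benign."""
    loaded = ev.get("ImageLoaded", "")
    name, dll_dir = PureWindowsPath(loaded).name.lower(), _dir_of(loaded)
    if name not in HIJACK_PRONE_DLLS or dll_dir.startswith(SYSTEM_DIRS):
        return []
    reasons = ["system DLL name loaded from outside the Windows system directories"]
    if dll_dir == _dir_of(ev.get("Image", "")):
        reasons.append("DLL sits beside the loading executable (sideload layout)")
    if dll_dir.startswith(USER_WRITABLE):
        reasons.append("DLL lives in a user-writable location")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("DLL is unsigned")
    return reasons


def hunt(messages):
    """Return one finding per suspicious image load across a batch of event messages."""
    findings = []
    for msg in messages:
        ev = parse_event(msg)
        reasons = assess(ev)
        if reasons:
            findings.append({"process": ev.get("Image"), "dll": ev.get("ImageLoaded"),
                             "user": ev.get("User"), "reasons": reasons})
    return findings


# Three constructed EID 7 messages: a normal load, a sideload from a temp directory,
# and an application loading its own non-system DLL.
SAMPLE_EVENTS = [
    r"""Image loaded:
UtcTime: 2025-09-01 10:00:00.000
ProcessId: 4120
Image: C:\Program Files\Foo\foo.exe
ImageLoaded: C:\Windows\System32\version.dll
Signed: true
SignatureStatus: Valid
User: CORP\alice""",
    r"""Image loaded:
UtcTime: 2025-09-01 10:00:05.000
ProcessId: 5344
Image: C:\Users\alice\AppData\Local\Temp\update\updater.exe
ImageLoaded: C:\Users\alice\AppData\Local\Temp\update\version.dll
Signed: false
SignatureStatus: Unavailable
User: CORP\alice""",
    r"""Image loaded:
UtcTime: 2025-09-01 10:00:09.000
ProcessId: 4120
Image: C:\Program Files\Foo\foo.exe
ImageLoaded: C:\Program Files\Foo\foolib.dll
Signed: true
SignatureStatus: Valid
User: CORP\alice""",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Run it over the Sysmon image-load feed that is already in the SIEM. An unsigned copy of a System32 DLL name sitting beside its loader under a user-writable path is exactly the layout a sideloaded first-stage DLL needs; applications that legitimately ship their own copy of such a DLL surface with fewer reasons and can be allowlisted by signer rather than by path.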
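The two network-side artefacts described in this and the preceding paragraph, the system information carried in the Cookie header to the C2 server and the typosquatted CDN domains that served the malicious JavaScript, can be hunted together in web proxy logs. The following is an added example, not code from the original page or from the APT24 reporting: the JSON-lines log format, the CDN allowlist, the thresholds and every host and cookie value are constructed for it, and none of the hosts is a reported indicator.

```python
import base64
import binascii
import hashlib
import json
import math
from collections import Counter

# Added hunting example; not code from the original page or from the APT24 reporting.
# Assumptions (all constructed): the proxy exports one JSON object per line with "host",
# "path" and the raw "cookie" request header; the CDN allowlist is illustrative; no host
# or cookie value here is a reported indicator.
LEGIT_CDN_HOSTS = {
    "cdnjs.cloudflare.com", "cdn.jsdelivr.net", "unpkg.com",
    "ajax.googleapis.com", "code.jquery.com",
}
MIN_LABEL = 5       # ignore short generic labels such as "cdn", "www", "ajax"
MAX_EDITS = 2       # label edit distance that still counts as a look-alike
MIN_BLOB = 64       # decoded cookie bytes below this are ordinary session tokens
MIN_ENTROPY = 6.0   # bits/byte; ciphertext of a few hundred bytes measures ~7.3-7.9


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character look-alike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host):
    # Naive eTLD+1 (last two labels); fine for this allowlist, use a PSL library in production.
    return ".".join(host.split(".")[-2:])


LEGIT_REGISTRABLE = {_registrable(h) for h in LEGIT_CDN_HOSTS}
LEGIT_LABELS = sorted({lab for h in LEGIT_CDN_HOSTS for lab in h.split(".")[:-1]
                       if len(lab) >= MIN_LABEL})


def typosquat_of(host):
    """Return the allowlisted CDN label a host imitates (or reuses), else None."""
    host = host.lower().rstrip(".")
    if host in LEGIT_CDN_HOSTS or _registrable(host) in LEGIT_REGISTRABLE:
        return None
    best = None
    for label in host.split(".")[:-1]:
        if len(label) < MIN_LABEL:
            continue
        for legit in LEGIT_LABELS:
            d = levenshtein(label, legit)
            if d <= MAX_EDITS and (best is None or d < best[0]):
                best = (d, legit)
    return best[1] if best else None


def shannon_entropy(data):
    """Bits per byte of a byte string; ~8 for ciphertext, much lower for text or JSON."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_cookie_values(cookie_header):
    """Cookie values that decode (strict base64 or base64url) to a large high-entropy blob."""
    hits = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        value = value.strip()
        if len(value) < 4 * MIN_BLOB // 3:
            continue
        raw = None
        for alt in (None, b"-_"):
            try:
                raw = base64.b64decode(value, altchars=alt, validate=True)
                break
            except (binascii.Error, ValueError):
                continue
        if raw is not None and len(raw) >= MIN_BLOB and shannon_entropy(raw) >= MIN_ENTROPY:
            hits.append((name, len(raw), round(shannon_entropy(raw), 2)))
    return hits


def triage(jsonl):
    """Run both checks over JSON-lines proxy records and return the findings."""
    findings = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        host = rec["host"]
        legit = typosquat_of(host)
        if legit:
            findings.append({"host": host, "kind": "typosquat_cdn", "imitates": legit})
        for name, size, ent in suspicious_cookie_values(rec.get("cookie", "")):
            findings.append({"host": host, "kind": "encoded_cookie", "cookie": name,
                             "bytes": size, "entropy": ent})
    return findings


def _constructed_blob(n=512, seed=b"constructed-sample"):
    # Deterministic stand-in for an encrypted system-info blob (not real malware output).
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"host": "cdnjs.cloudflare.com", "path": "/ajax/libs/jquery/3.7.1/jquery.min.js", "cookie": ""},
    {"host": "cdnjs.cloudfare.test", "path": "/ajax/libs/fp/v3.min.js", "cookie": ""},
    {"host": "updates.example", "path": "/check",
     "cookie": "session=" + base64.b64encode(_constructed_blob()).decode()},
    {"host": "intranet.example", "path": "/", "cookie": "sessionid=abc123def456; lang=en"},
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

The entropy threshold separates ciphertext from ordinary session identifiers and JSON blobs, but it will also fire on very large tracking cookies, so pair the cookie finding with a low request count or a host outside the organization's usual set before paging anyone. The look-alike check needs a real public-suffix list before it can be trusted on hosts under multi-label TLDs, and the exact-label match (a non-allowlisted domain reusing a distinctive CDN label) is deliberate, since that is the shape a typosquatted CDN host takes.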
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A China-nexus threat actor has been conducting a sophisticated, multi-year espionage campaign using a custom malware downloader, compromising regional infrastructure…
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
"APT24 targeted over 20 public websites with illicit JavaScript code that displayed a bogus software update pop-up, tricking Windows users into downloading BadAudio"
"more than 1,000 domains compromised through a supply chain attack against a Taiwanese digital marketing firm beginning July 2024"
"APT24 concurrently conducted highly targeted social engineering campaigns. Lures, such as an email purporting to be from an animal rescue organization, leveraged social engineering to elicit user interaction and drive direct malware downloads from attacker-controlled domains."
"spear-phishing intrusions that involved animal rescue organization spoofing beginning August 2024"
Execution
1 technique
"...leveraged social engineering to elicit user interaction and drive direct malware downloads..."
Stealth
1 technique
"Execution of BadAudio, which disrupts programs' structured logic for obfuscation"
Discovery
1 technique
Command and Control
2 techniques
"before downloading and executing an AES-encrypted payload"
Exfiltration
1 technique
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Previously undocumented malware used for persistent remote access in a multi-year espionage campaign attributed to APT24.
An espionage tool or campaign used by APT24, leveraging watering holes, JavaScript supply-chain compromise, and phishing to target government and strategic sectors.
BADAUDIO is a highly obfuscated C++ first-stage downloader used by APT24 for espionage. It establishes persistent remote access, conducts reconnaissance, and delivers AES-encrypted payloads (including Cobalt Strike) while evading detection through advanced techniques such as DLL search order hijacking and in-memory payload execution.
BadAudio is a malware used by APT24 to conduct cyberespionage, notably leveraging supply chain attacks to scale its operations.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.