The Chinese-sponsored threat group known as APT24, also referred to as Pitty Panda, has been tracked by security researchers for nearly two decades, with activity dating back to at least 2008. The group focuses on sectors like government, healthcare, telecommunications, and construction in the U.S. and Taiwan. Historically, their attacks relied on broad strategic web compromises and phishing emails exploiting known software flaws to deliver malware. Over the years, APT24 has been linked to a variety of custom malware families, including CT RAT, MM RAT (Goldsun-B), and variants of Gh0st RAT such as Paladin RAT and Leo RAT, in addition to the backdoor Taidoor (Roudan).
APT24 is assessed to share a close relationship with another advanced persistent threat group known as Earth Aughisky. This link is evidenced by Earth Aughisky’s use of the Taidoor backdoor in its operations and its leveraging of network infrastructure previously associated with APT24 campaigns that deployed a different backdoor called Specas. Both the Specas and Taidoor malware strains have a shared technical trait, which involves reading proxy configuration settings from a specific file path within the Windows system, indicating a likely connection or shared development resource between the two threat groups.
Recent findings from Google Threat Intelligence Group (GTIG) highlight a significant shift in APT24’s operational approach, pivoting toward more targeted and sophisticated vectors against Taiwanese entities. This includes the repeated compromise of a digital marketing firm to execute dangerous supply chain attacks and highly targeted spear-phishing campaigns. The group’s current campaign, which has been active since November 2022, relies on these initial access vectors, as well as watering holes, to deploy the previously undocumented malware dubbed BADAUDIO.
BADAUDIO is a highly obfuscated malware developed in C++ that uses complex techniques like control flow flattening to actively resist reverse engineering efforts. It functions as a first-stage downloader, designed to gather basic system information from the infected host and transmit it to a hard-coded command-and-control (C2) server. In response, the C2 server sends back an AES-encrypted payload—sometimes a sophisticated tool like Cobalt Strike Beacon—for BADAUDIO to decrypt and execute. The malware typically achieves execution by manifesting as a malicious Dynamic Link Library (DLL) that leverages DLL Search Order Hijacking (MITRE ATT&CK T1574.001) within legitimate applications, with newer variants employing encrypted archives containing the malicious DLL alongside various script and shortcut files.
From late 2022 through at least early September 2025, APT24 compromised over 20 legitimate websites for use in watering hole attacks. The attackers injected malicious JavaScript into these sites, which was specifically configured to exclude mobile and macOS users, generate a unique browser fingerprint, and then present a fake pop-up prompting users to download BADAUDIO under the pretense of a Google Chrome update. Furthermore, starting in July 2024, the group broadened its scope by breaching a Taiwanese digital marketing firm. This breach facilitated a wide-ranging supply chain attack by injecting the malicious JavaScript into a commonly used JavaScript library distributed by the firm, which allowed APT24 to potentially hijack traffic on over 1,000 domains. This modified script was configured to communicate with a typosquatted domain impersonating a Content Delivery Network (CDN) to fetch the attacker’s script, fingerprint the visitor, and serve the BADAUDIO download pop-up only after validation.
Reference:
