
APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains

Severity: Medium
Tags: Malware, remote, web
Published: Fri Nov 21 2025 (11/21/2025, 10:42:00 UTC)
Source: The Hacker News

Description

A China-nexus threat actor known as APT24 has been observed using a previously undocumented malware dubbed BADAUDIO to establish persistent remote access to compromised networks as part of a nearly three-year campaign. "While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more sophisticated vectors targeting

AI-Powered Analysis

AI analysis last updated: 11/21/2025, 21:59:43 UTC

Technical Analysis

APT24, also known as Pitty Tiger, is a China-nexus APT group active since at least 2008, known for targeting government, healthcare, construction, mining, nonprofit, and telecommunications sectors primarily in the U.S. and Taiwan. The latest campaign involves a previously undocumented malware named BADAUDIO, a highly obfuscated C++ backdoor that uses DLL search order hijacking (MITRE ATT&CK T1574.001) to execute malicious DLLs via legitimate applications. BADAUDIO acts as a first-stage downloader, retrieving AES-encrypted payloads from hard-coded command and control servers, which can include Cobalt Strike beacons for further exploitation. Initial access vectors include watering hole attacks, spear-phishing with animal rescue-themed lures, and supply chain compromises. Notably, in July 2024, APT24 compromised a regional digital marketing firm in Taiwan to inject malicious JavaScript into a widely used library, affecting over 1,000 domains. The injected scripts fingerprint visitors using FingerprintJS, exclude non-Windows platforms, and serve fake Google Chrome update pop-ups to deliver BADAUDIO. The group employs tracking pixels in phishing emails to tailor attacks and uses cloud services like Google Drive and Microsoft OneDrive to host encrypted payloads. The campaign demonstrates advanced operational security, including conditional script loading for targeted attacks and temporary broad compromises. APT24’s malware arsenal also includes CT RAT, MM RAT, Paladin RAT, Leo RAT, and Taidoor backdoors, indicating a long-standing capability for espionage and network persistence. The campaign’s sophistication and persistence highlight a strategic espionage effort focused on Taiwan and related sectors, with potential spillover risks to organizations globally that share supply chains or sectoral profiles.

Potential Impact

For European organizations, the impact of this threat lies primarily in espionage, data exfiltration, and potential long-term network compromise. Organizations in sectors similar to those targeted by APT24—such as government agencies, healthcare providers, telecommunications firms, and engineering companies—are at risk, especially if they have business or supply chain links with Taiwan or the Asia-Pacific region. The supply chain attack vector is particularly concerning, as it can silently compromise thousands of domains and downstream customers, potentially affecting European companies relying on affected third-party JavaScript libraries. The use of sophisticated evasion techniques and multi-stage payload delivery increases the difficulty of detection and remediation, potentially leading to prolonged unauthorized access and intellectual property theft. Additionally, the abuse of legitimate cloud services for payload hosting complicates network defense strategies. While the campaign currently focuses on Taiwan and the U.S., the global nature of supply chains and digital services means European entities could be indirectly impacted, risking confidentiality breaches and operational disruptions.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic advice:

1) Conduct thorough supply chain risk assessments focusing on third-party JavaScript libraries and digital marketing vendors, especially those with ties to Asia-Pacific.
2) Employ advanced endpoint detection and response (EDR) solutions capable of detecting DLL search order hijacking and unusual DLL loads within legitimate processes.
3) Monitor network traffic for connections to suspicious or typosquatted domains, particularly those mimicking CDNs, and implement DNS filtering to block known malicious infrastructure.
4) Harden email security by deploying anti-phishing technologies that analyze embedded tracking pixels and suspicious attachments, and conduct user awareness training with emphasis on spear-phishing tactics involving social engineering themes like animal rescue.
5) Use application allowlisting and restrict execution of scripts and binaries from untrusted sources, including blocking execution of encrypted archives from cloud storage services.
6) Implement browser security controls to detect and block malicious JavaScript injections and fingerprinting attempts.
7) Regularly audit and update software to patch known vulnerabilities exploited by APT24’s earlier malware families.
8) Establish incident response plans specifically addressing supply chain compromises and multi-stage malware infections to enable rapid containment and remediation.


Technical Details

Article Source: https://thehackernews.com/2025/11/apt24-deploys-badaudio-in-years-long.html (fetched 2025-11-21T21:59:04Z, 1795 words)

Threat ID: 6920e0aaac1487f7bb280f65

Added to database: 11/21/2025, 9:59:06 PM

Last enriched: 11/21/2025, 9:59:43 PM

Last updated: 11/22/2025, 11:18:00 AM


