
BadAudio malware Exposed in APT24 Espionage Campaigns


Google’s latest threat intelligence report reveals how BadAudio malware powered long-running espionage campaigns linked to APT24. Google researchers analysed activity that began in late 2022 and continued through 2025. Their findings show a coordinated effort built on stealth, layered infection chains, and persistent access methods. The investigation highlights how advanced groups improve their tools while avoiding detection for years.

APT24’s Multi-Vector Approach

APT24 expanded its delivery methods across several channels. The group relied on spear-phishing to lure specific targets with tailored messages and malicious attachments. It also used watering-hole attacks by compromising legitimate websites that victims visited. Supply-chain compromise played a major role as well. The attackers injected malicious JavaScript into a marketing firm’s library used on multiple websites. Each method helped APT24 reach victims without triggering immediate alarms.

These vectors ensured broad coverage across different environments. The supply-chain element proved especially effective because many organisations trusted the compromised script. Any site that loaded the altered library unknowingly helped distribute BadAudio. This approach aligned with current threat trends, where adversaries use indirect access rather than direct intrusion.

How BadAudio Operated

BadAudio relied on defensive evasion techniques that weakened detection. The malware used DLL search order hijacking to load malicious components through trusted applications. It ran payloads directly in memory to reduce traces on disk. Heavy obfuscation concealed its logic, including control flow manipulation that made analysis difficult.

Google’s research showed that BadAudio rarely triggered antivirus alerts. Only two samples reached moderate detection levels on VirusTotal. Most versions remained invisible to many engines. This allowed APT24 to maintain persistence across high-value environments while gathering intelligence unnoticed.

Once deployed, BadAudio opened a channel for encrypted communication. It downloaded additional payloads and expanded its capabilities inside the compromised system. The attackers used this framework to collect sensitive information and observe internal workflows.

Long-Term Espionage Activity

The campaign began in November 2022 and remained active through September 2025. APT24 adapted its methods as the operation advanced. The attackers updated infrastructure, refined payloads, and replaced components that showed signs of exposure. Their tactics demonstrated long-term planning and continuous improvement.

Google noted that APT24 used the operation to access networks linked to governmental, strategic, and policy-related sectors. The group focused on environments where long surveillance periods created significant intelligence value. The stealth of BadAudio helped extend those periods.

Why Organisations Should Pay Attention

BadAudio underlines the importance of stronger visibility across internal and external dependencies. The campaign shows how a single compromised JavaScript library can spread malware across multiple organisations. It also shows that memory-resident payloads and DLL hijacking require defensive layers that go beyond signature-based solutions.

Security teams should audit third-party scripts, monitor unusual DLL loading paths, and deploy behaviour-based detection tools. Regular validation of supply-chain components becomes essential, especially as more groups adopt this tactic. Continuous monitoring of network activity helps reveal anomalies tied to encrypted command-and-control communication.

Final Thoughts

BadAudio malware exposes how APT24 strengthened its espionage operations with stealth, layered infection vectors, and persistent access strategies. Google’s findings show that indirect compromise remains a powerful attack method. Organisations must improve supply-chain defenses and detection coverage to limit the impact of similar campaigns in the future.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.