APT24's Pivot to Multi-Vector Attacks | Google Cloud Blog

Link

APT24 erweitert Arsenal: Von Watering-Hole zu Multi-Vektor-Angriffen auf Taiwan

Wie die Google Threat Intelligence Group (GTIG) in einer aktuellen Analyse aufdeckt, setzt die Hackergruppe seit drei Jahren den hochgradig verschleierten Downloader BADAUDIO ein – und hat dabei ihre Taktik von breit gestreuten Watering-Hole-Angriffen auf komplexe Multi-Vektor-Operationen erwei..

https://www.all-about-security.de/apt24-erweitert-arsenal-von-watering-hole-zu-multi-vektor-angriffen-auf-taiwan/

#cybersecurity #cyberattack #APT #APT24 #GoogleThreatIntelligence #hackers #DLLHijacking

#BadAudio #malware: how #APT24 scaled its cyberespionage through supply chain Attacks
https://securityaffairs.com/184941/apt/badaudio-malware-how-apt24-scaled-its-cyberespionage-through-supply-chain-attacks.html
#securityaffairs #hacking

#Google exposes #BadAudio #malware used in #APT24 #espionage campaigns

https://www.bleepingcomputer.com/news/security/google-exposes-badaudio-malware-used-in-apt24-espionage-campaigns/

#cybersecurity

"Google Threat Intelligence Group (GTIG) is tracking a long-running and adaptive cyber espionage campaign by APT24, a People's Republic of China (PRC)-nexus threat actor. Spanning three years, APT24 has been deploying BADAUDIO, a highly obfuscated first-stage downloader used to establish persistent access to victim networks.

While earlier operations relied on broad strategic web compromises to compromise legitimate websites, APT24 has recently pivoted to using more sophisticated vectors targeting organizations in Taiwan. This includes the repeated compromise of a regional digital marketing firm to execute supply chain attacks and the use of targeted phishing campaigns.

This report provides a technical analysis of the BADAUDIO malware, details the evolution of APT24's delivery mechanisms from 2022 to present, and offers actionable intelligence to help defenders detect and mitigate this persistent threat.

As part of our efforts to combat serious threat actors, GTIG uses the results of our research to improve the safety and security of Google’s products and users. Upon discovery, all identified websites, domains, and files are added to the Safe Browsing blocklist in order to protect web users across major browsers. We also conducted a series of victim notifications with technical details to compromised sites, enabling affected organizations to secure their sites and prevent future infections."

https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks

#CyberSecurity #China #WateringHole #APT24 #Badaudio #Phishing #Taiwan #MultiVectorAttacks

GTIG is tracking a multi-year APT24 cyberespionage campaign leveraging the BADAUDIO downloader.

Notable elements:
• Control-flow flattening + DLL Search Order Hijacking
• Targeted supply chain compromises impacting 1K+ domains
• Cobalt Strike Beacon (shared watermark w/ prior APT24 ops)
• Cloud-hosted phishing + JS injection on legitimate sites
• Strategic web compromise → selective payload delivery

Full report:
https://www.technadu.com/chinese-apt24-cyberespionage-campaign-targets-taiwan-with-badaudio-malware/614191/

Follow @technadu for daily threat intelligence.

#APT24 #BADAUDIO #CyberEspionage #ChinaCyber #GTIG #SupplyChainAttack #Taiwan #CobaltStrike #Malware #ThreatIntel