Chinese APT24 Conducts Multi-Year Cyberespionage Campaign Using Evolving Malware Techniques

Google’s Threat Intelligence Group (GTIG) has released new findings on a highly persistent, three-year cyberespionage campaign carried out by APT24, a long-standing Chinese state-linked threat actor. Also known as G0011, Pitty Panda, and Pitty Tiger, the group has been active since at least 2008 and is best known for spear-phishing and sophisticated social engineering operations.

Overview of the Campaign

The ongoing activity tracked by Google shows that APT24 has significantly expanded its operational toolkit. In addition to traditional phishing, the threat actor adopted:

  • Strategic website compromises

  • Repeated supply chain intrusions

  • Abuse of legitimate cloud storage

  • Targeted social engineering combined with malware delivery

A major part of its operations focused on organizations in Taiwan, enabled in part by repeatedly compromising a regional digital marketing company whose services reached thousands of websites.

BadAudio: APT24’s Updated First-Stage Malware

At the center of this campaign is BadAudio, a custom C++ downloader used to deploy follow-on payloads such as Cobalt Strike beacons.

Key features of BadAudio include:

  • Encrypted communication: Uses a hardcoded AES key to encrypt system information sent to the command-and-control (C2) server.

  • Fileless execution: Decrypts and executes payloads directly in memory.

  • DLL search order hijacking: Executed as a DLL that a legitimate application loads unintentionally because Windows resolves the library name through its DLL search order.

  • Multi-file deployment: Delivered in archives containing VBS, BAT, and LNK files that automate installation, persistence, and sideloading.

GTIG notes that while Cobalt Strike was confirmed in at least one incident, it’s unclear whether all BadAudio deployments led to this tool.
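The DLL search-order hijacking behaviour listed above is something an endpoint team can hunt for in image-load telemetry. The following Python script is an added example, not code from GTIG or from this article: it flags a DLL that carries the name of a well-known Windows system DLL but is loaded from outside the system directories, rating the finding highest when the DLL sits in the same folder as the executable and is unsigned. The event records, the short list of system DLL names and the field names are constructed in the shape of Sysmon Event ID 7 (Image loaded) records and are assumptions for the example.

```python
"""Flag image-load events that look like DLL search-order hijacking.

Rule: a DLL carrying the name of a well-known Windows system DLL is loaded
from a non-system directory (typically the same folder as the executable),
and is unsigned. Inputs are constructed Sysmon-style records, not data from
the GTIG report.
"""
from pathlib import PureWindowsPath

# Directories where the named system DLLs legitimately live
# (assumption: a default Windows install; extend for your estate).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Base names of system DLLs that applications commonly import and therefore
# resolve through the search order. Constructed short list for the example.
SYSTEM_DLL_NAMES = {
    "version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll", "winhttp.dll",
}

# Constructed sample events in the shape of Sysmon Event ID 7 (Image loaded).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\alice\Downloads\brief\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\brief\version.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll",
     "Signed": "true"},
]


def _in_system_dir(path: str) -> bool:
    """True when the file's parent directory is one of the system directories."""
    parent = str(PureWindowsPath(path).parent).lower()
    return parent in SYSTEM_DIRS


def find_sideload_candidates(events):
    """Return one finding per event matching the hijacking rule."""
    findings = []
    for ev in events:
        dll = PureWindowsPath(ev["ImageLoaded"])
        # Only DLL names that should normally resolve to a system directory.
        if dll.name.lower() not in SYSTEM_DLL_NAMES:
            continue
        if _in_system_dir(ev["ImageLoaded"]):
            continue
        exe = PureWindowsPath(ev["Image"])
        # PureWindowsPath compares case-insensitively, as Windows does.
        same_dir = dll.parent == exe.parent
        unsigned = ev.get("Signed", "").lower() != "true"
        findings.append({
            "image": ev["Image"],
            "dll": ev["ImageLoaded"],
            "same_dir_as_image": same_dir,
            "unsigned": unsigned,
            "severity": "high" if (same_dir and unsigned) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_EVENTS):
        print(finding)
```

Run against real Sysmon data, the rule needs an allowlist for vendor applications that legitimately ship a copy of a system DLL, which is why the output carries a severity rather than a verdict.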

Strategic Web Compromises and Supply Chain Attacks

Beginning in late 2022, APT24 compromised at least 20 websites, injecting malicious JavaScript designed to:

  1. Perform initial reconnaissance

  2. Validate Windows-based victims

  3. Present fake pop-up dialogs encouraging users to download BadAudio

The group escalated this tactic in July 2024 by breaching a digital marketing firm in Taiwan. Over 1,000 customer websites inadvertently served malicious scripts as part of this supply chain attack.

APT24 re-compromised the same firm multiple times across 2024–2025, transitioning from JavaScript tampering to injecting malicious code into JSON files—a technique less likely to be noticed during code reviews.

In June 2025, the group selectively targeted only one website via ID-based conditional script loading, but by August the conditions were removed, and all 1,000+ domains loaded the malicious payload.
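Both the JavaScript tampering and the later move to JSON files are changes to third-party assets that a site owner can detect by periodically auditing what those integrations actually serve. The Python script below is an added example, not code from the article or from the GTIG report: it compares the current content of each third-party asset against a reviewed baseline hash, and additionally walks JSON assets for string values that contain script-like content, which a data file has no reason to carry. All URLs, file contents and hashes are constructed for the example.

```python
"""Audit third-party web assets against a reviewed baseline.

Two checks: (1) content hash drift versus the last reviewed version, and
(2) JSON assets whose string values carry script-like content. All assets
and hashes below are constructed for the example; none are indicators from
the GTIG report.
"""
import hashlib
import json
import re

# Patterns that should never appear inside a pure data file.
SCRIPT_MARKERS = re.compile(
    r"<script\b|javascript:|\beval\s*\(|new\s+Function\s*\(|document\.write\s*\(",
    re.IGNORECASE,
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed, previously reviewed content of two third-party assets.
APPROVED_ASSETS = {
    "https://cdn.vendor.example/widget.js":
        b"(function(){window.vendorTrack=function(e){console.log(e);};})();",
    "https://cdn.vendor.example/config.json":
        json.dumps({"siteId": "1234", "features": ["banner"]}).encode(),
}
# Baseline = hash of each asset at the time it was reviewed.
BASELINE = {url: sha256_hex(body) for url, body in APPROVED_ASSETS.items()}

# Constructed "current" fetch: the JS is unchanged, the JSON now carries markup.
CURRENT_SNAPSHOT = {
    "https://cdn.vendor.example/widget.js":
        APPROVED_ASSETS["https://cdn.vendor.example/widget.js"],
    "https://cdn.vendor.example/config.json": json.dumps({
        "siteId": "1234",
        "features": ["banner"],
        "template": '<script src="https://cdn.unreviewed.example/x.js"></script>',
    }).encode(),
}


def script_like_strings(node):
    """Yield every string inside parsed JSON that matches a script marker."""
    if isinstance(node, str):
        if SCRIPT_MARKERS.search(node):
            yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from script_like_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from script_like_strings(value)


def audit_assets(baseline: dict, snapshot: dict) -> list:
    """Compare a fetched snapshot {url: bytes} against {url: sha256} baseline."""
    findings = []
    for url, expected in baseline.items():
        body = snapshot.get(url)
        if body is None:
            findings.append({"url": url, "issue": "missing"})
            continue
        if sha256_hex(body) != expected:
            findings.append({"url": url, "issue": "hash-changed"})
        if url.lower().endswith(".json"):
            try:
                doc = json.loads(body)
            except ValueError:
                findings.append({"url": url, "issue": "invalid-json"})
                continue
            for text in script_like_strings(doc):
                findings.append({"url": url, "issue": "script-in-json", "value": text})
    # Assets served that nobody reviewed are a finding in their own right.
    for url in snapshot.keys() - baseline.keys():
        findings.append({"url": url, "issue": "unreviewed-asset"})
    return findings


if __name__ == "__main__":
    for finding in audit_assets(BASELINE, CURRENT_SNAPSHOT):
        print(finding)
```

A hash mismatch alone is expected whenever a vendor ships a legitimate update, so the practical workflow is to treat "hash-changed" as a review trigger and "script-in-json" as an alert; the audit is only meaningful if it runs from outside the site's own deployment, with the same request headers real visitors send.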

Additional Espionage Techniques

APT24 blended its technical attacks with psychologically sophisticated operations, including:

  • Highly targeted spear-phishing emails

  • Pixel tracking to monitor when victims opened messages

  • Use of reputable cloud storage platforms to disguise malware distribution

Conclusion

GTIG describes the three-year operation as a clear demonstration of APT24’s steadily evolving capabilities and China-nexus threat actors’ broader sophistication. Their ability to combine supply chain compromise, cloud platform abuse, dynamic malware delivery, and tailored social engineering highlights a highly adaptive and determined espionage strategy.

The report reinforces the need for organizations to broaden supply-chain security measures, continuously audit third-party JavaScript integrations, and maintain visibility across both cloud and user endpoints.