From Watering Holes to Supply Chains: How APT24 Scales Cyber Espionage with BADAUDIO

Tags: APT24, BADAUDIO, Supply Chain Attack
Google’s Threat Intelligence Group (GTIG) has been tracking a long-running and flexible cyber espionage operation carried out by APT24, a threat actor linked to the People’s Republic of China (PRC). Over the last three years, APT24 has used BADAUDIO, a heavily obfuscated first-stage downloader, to gain and maintain persistent access inside victim networks.

Indicators of Compromise


APT Groups

APT24 (CN)

Summary of Actor: APT24, also known as 'Garden Panda', is a cyber espionage group believed to be operating out of China. The group primarily targets organizations in the aerospace, defense, and energy sectors. APT24 is known for its sophisticated phishing campaigns and the use of custom malware.

General Features: APT24 employs a combination of social engineering, spear-phishing, and custom malware to gain access to target networks. They are known for their persistence and ability to remain hidden in compromised networks for extended periods.

Related Other Groups: APT1, APT3, APT10

Indicators of Attack (IoA):
  Use of legitimate tools like PowerShell and Cobalt Strike
  Spear-phishing emails with malicious attachments
  Custom malware such as Beacon and HTTPBrowser

Recent Activities and Trends:
  Latest Campaigns: APT24 recently launched a spear-phishing campaign targeting aerospace companies with a new strain of malware designed to exfiltrate sensitive information. The campaign involved the use of malicious Word documents containing macros.
  Emerging Trends: APT24 has been observed increasing their use of living-off-the-land techniques, utilizing legitimate administrative tools to move laterally within networks. They have also begun to focus more on targeting supply chains in the aerospace and defense sectors.

Related group tags: Pitty Panda, G0011, Temp.Pittytiger, EQGRP, G0020, APT-C-40, Equation Group, Tilded Team, PittyTiger, Platinum Colony

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1059.007 - JavaScript

ID: DET0264
Name: Cross-Platform Detection of JavaScript Execution Abuse
Analytics:
  AN0733: Detects JavaScript execution through WSH (wscript.exe, cscript.exe) or HTA (mshta.exe), particularly when spawned from Office macros, web browsers, or abnormal user paths. Correlates script execution with outbound network activity or system modification.
  AN0734: Detects JavaScript for Automation (JXA) via osascript or compiled scripts using OSAKit APIs. Flags execution involving system modification, inter-process scripting, or browser abuse.
  AN0735: Detects Node.js or JavaScript interpreter execution from web shells, cron jobs, or local users. Correlates execution with reverse shell behavior, file modifications, or abnormal outbound connections.


T1195.001 - Compromise Software Dependencies and Development Tools

ID: DET0009
Name: Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress)
Analytics:
  AN0021: Adversary manipulates dependencies/dev tools used by developers or CI: a package manager (npm/yarn/pnpm, pip/pipenv, nuget/dotnet, chocolatey/winget, maven/gradle) or a compiler/IDE downloads or restores content; files are written under project paths and execution paths (node_modules, packages, .nuget, .gradle, .m2, %AppData%\npm, %UserProfile%\.cargo\bin, temp build dirs). First run of newly written components triggers scripts (preinstall/postinstall), shell/PowerShell spawning, or loader DLLs, followed by network egress to non-approved registries/CDNs.
  AN0022: Developer or CI invokes package managers/compilers (apt/yum + build-essential, npm/yarn/pnpm, pip/pip3, gem, cargo, go, maven/gradle). These write executable or script files into PATH or project dirs and immediately execute embedded lifecycle hooks (preinstall/postinstall, setup.py, npm scripts) that spawn shells or curl/wget, followed by egress to unfamiliar registries or domains.
  AN0023: Developer tools (Homebrew, pip, npm/yarn, Xcode builds) install or update dependencies; new Mach-O or scripts appear under /usr/local, /opt/homebrew, ~/Library/Application Support, project dirs (node_modules/.bin, venv/bin). First run spawns sh/zsh/osascript/curl and new outbound flows; Gatekeeper/AMFI may flag unsigned components.
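As an added example, not part of the original page or of the ATT&CK analytic itself, the DET0009 chain (package manager writes under a dependency path, a lifecycle hook spawns a shell or fetcher beneath it, and that child reaches a host outside the approved registries) expressed as a correlation rule over constructed endpoint telemetry. The event schema, the allowlist of approved registries and the 600-second window are assumptions.

```python
from collections import namedtuple

PACKAGE_MANAGERS = {"npm", "yarn", "pnpm", "pip", "pip3", "cargo", "gradle", "mvn", "gem"}
HOOK_SPAWNS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe", "curl", "wget"}
DEP_PATH_MARKERS = ("node_modules", "site-packages", ".cargo", ".gradle", ".m2", ".nuget")
# Hypothetical organisational allowlist of approved registries/CDNs.
APPROVED_EGRESS = {"registry.npmjs.org", "pypi.org", "files.pythonhosted.org", "crates.io"}

# ts: seconds; kind: "process" | "file" | "network"; target: path written or destination host.
Event = namedtuple("Event", "ts kind pid ppid image target", defaults=("",))

def lineage(pid, parents):
    """Yield pid, then each ancestor pid recorded from process-creation events."""
    seen = set()
    while pid and pid not in seen:
        seen.add(pid)
        yield pid
        pid = parents.get(pid, 0)

def find_supply_chain_tamper(events, window=600):
    """Return (package_manager_pid, egress_pid, host) for each chain: dependency-path write
    by a package manager -> shell/fetcher spawned beneath it -> non-allowlisted egress in window."""
    parents, images, install_ts, hook_child, alerts = {}, {}, {}, {}, []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "process":
            parents[e.pid], images[e.pid] = e.ppid, e.image
            pm = next((p for p in lineage(e.ppid, parents) if p in install_ts), None)
            if pm is not None and e.image.lower() in HOOK_SPAWNS:
                hook_child[e.pid] = pm  # first run of a freshly written component
        elif e.kind == "file" and any(m in e.target for m in DEP_PATH_MARKERS):
            pm = next((p for p in lineage(e.pid, parents)
                       if images.get(p, "").lower() in PACKAGE_MANAGERS), None)
            if pm is not None:
                install_ts.setdefault(pm, e.ts)  # install/restore step observed
        elif e.kind == "network" and e.target not in APPROVED_EGRESS:
            pm = next((hook_child[p] for p in lineage(e.pid, parents) if p in hook_child), None)
            if pm is not None and e.ts - install_ts[pm] <= window:
                alerts.append((pm, e.pid, e.target))
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry, not from any real host
    Event(1000, "process", 100, 1, "npm"),
    Event(1000, "network", 100, 0, "npm", "registry.npmjs.org"),  # approved: benign
    Event(1001, "file", 100, 0, "npm", "/home/dev/app/node_modules/widget-pad/package.json"),
    Event(1002, "process", 101, 100, "node"),  # lifecycle-hook runner
    Event(1003, "process", 102, 101, "sh"),    # postinstall spawns a shell
    Event(1004, "process", 103, 102, "curl"),
    Event(1005, "network", 103, 0, "curl", "cdn-update.example.invalid"),  # non-approved egress
]
```

Running `find_supply_chain_tamper(SAMPLE_EVENTS)` yields one alert for the curl egress; the direct fetch from npm to the approved registry produces none, and a connection made after the window has elapsed is ignored.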


T1574.001 - DLL

ID: DET0201
Name: Detection Strategy for Hijack Execution Flow for DLLs
Analytics:
  AN0577: DLL hijacking behaviors including unexpected DLL loads from non-standard directories, replacement of DLLs, phantom DLL insertion, redirection file creation, and substitution of legitimate DLLs. Defender correlates file system modifications, registry changes, and module load telemetry to detect abnormal DLL behavior in trusted processes.


T1082 - System Information Discovery

ID: DET0525
Name: System Discovery via Native and Remote Utilities
Analytics:
  AN1452: Process creation and command-line execution of native system discovery utilities such as systeminfo, hostname, wmic, or use of PowerShell/WMI for system enumeration.
  AN1453: Execution of system enumeration commands such as uname, df, uptime, hostname, lscpu, and cat /etc/os-release through local terminal or scripts.
  AN1454: Execution of system info utilities like systemsetup, sw_vers, uname, or sysctl by terminal or scripted processes.
  AN1455: Execution of esxcli system hostname get, esxcli system version get, or esxcli hardware commands through SSH or local shell.
  AN1456: Use of cloud API calls (e.g., AWS EC2 DescribeInstances, Azure VM Inventory) to enumerate system configurations across assets.
  AN1457: Execution of show version, show hardware, or show system commands through CLI via SSH or console.


T1059 - Command and Scripting Interpreter

ID: DET0516
Name: Behavioral Detection of Command and Scripting Interpreter Abuse
Analytics:
  AN1428: Detects the execution of scripting or command interpreters (e.g., powershell.exe, cmd.exe, wscript.exe) outside expected administrative time windows or from abnormal user contexts, often followed by encoded/obfuscated arguments or secondary execution events.
  AN1429: Detects use of shell interpreters (e.g., bash, sh, python, perl) initiated by users or processes not normally executing them, especially when chaining suspicious utilities like netcat, curl, or ssh.
  AN1430: Detects launch of command-line interpreters via Terminal, Automator, or hidden osascript, especially when parent process lineage deviates from user-initiated applications.
  AN1431: Detects use of 'esxcli system' or direct interpreter commands (e.g., busybox shell) invoked from SSH or host terminal unexpectedly.
  AN1432: Identifies CLI interpreter access (e.g., Cisco IOS, Juniper JUNOS) via enable mode or scripting-capable sessions used by uncommon accounts or from unknown IPs.


T1041 - Exfiltration Over C2 Channel

ID: DET0348
Name: Detection Strategy for Exfiltration Over C2 Channel
Analytics:
  AN0988: Identifies suspicious outbound traffic volume mismatches from processes that typically do not generate network activity, particularly over C2 protocols like HTTPS, DNS, or custom TCP/UDP ports, following file or data access.
  AN0989: Monitors for processes reading sensitive files then immediately initiating unusual outbound connections or bulk transfer sessions over persistent sockets, particularly with encrypted or binary payloads.
  AN0990: Detects unauthorized applications or scripts accessing sensitive data followed by establishing encrypted outbound communication to rare external destinations or with abnormal byte ratios.
  AN0991: Detects VMs sending outbound traffic through non-standard services or to unknown destinations, including exfiltration over reverse shells tunneled via VMkernel or custom payloads routed via hostd/vpxa.


T1189 - Drive-by Compromise

ID: DET0176
Name: Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189)
Analytics:
  AN0498: Correlated evidence of anomalous browser/network behavior (suspicious external resource fetches and script injection patterns) followed by atypical child processes, ephemeral execution contexts, memory modification or process injection, and unexpected file drops. Defender sees network requests to previously unseen/suspicious domains or resources + browser process spawning unusual children or loading unsigned modules + file writes or registry changes shortly after those requests.
  AN0499: Correlated evidence of browser or webview fetches to uncommon domains or mutated JS resources (proxy/NGFW logs + Zeek/HTTP logs) followed by unexpected interpreters or script engines executing (python, ruby, sh) spawned from browser processes or user sessions, rapid on-disk staging in /tmp, and outbound connections that deviate from baseline. Defender sees: uncommon resource fetch → short-lived child process executions from user browser context → file writes in temp directories → anomalous outbound C2-like connections.
  AN0500: Correlated evidence where Safari/Chrome/WebKit-based processes issue network requests for uncommon or obfuscated JS resources followed by spawning of script interpreters, launchd or ad-hoc binaries, unusual child processes, or dynamic library loads into browser processes. Defender sees: proxy/HTTP logs with suspicious resource content + unifiedlogs/ASL showing browser/plugin crashes or extension loads + process events indicating child process creation and file writes to /var/folders or /tmp shortly after the fetch.
  AN0501: Post-compromise identity & session anomalies that follow a drive-by compromise: token reuse from new/unfamiliar IPs, anomalous sign-in patterns for previously inactive users, unexpected consent/grant events, or provisioning changes. Defender sees an endpoint/browser compromise (network + endpoint signals) followed by unusual IdP events: new refresh token issuance, consent/consent-grant events, odd MFA bypass patterns, or unusual OAuth client registrations.


T1105 - Ingress Tool Transfer

ID: DET0060
Name: Detect Ingress Tool Transfers via Behavioral Chain
Analytics:
  AN0165: Unusual or uncommon processes initiate network connections to external destinations followed by file creation (tools downloaded).
  AN0166: Shell-based tools (curl, wget, scp) initiate connections to external domains followed by creation of executable files on disk.
  AN0167: Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories.
  AN0168: Command line interface or vCLI triggers remote transfer using wget or curl, writing files into datastore paths or local tmp directories.
  AN0169: Network device logs show anomalous inbound file transfers or uncharacteristic flows with high payload volume to network devices with storage or automation hooks.


Observed Countries: TW (842)