APT24 BadAudio multi-delivery espionage campaign
Campaign
Summary
APT24 is running a three-year espionage campaign with BadAudio that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since 2022, the group has used spearphishing, supply-chain compromise, and watering hole attacks to deliver the malware. The campaign compromised more than 20 legitimate public websites and later abused a Taiwanese marketing firm's JavaScript supply chain to reach more than 1,000 domains. The targeting focused exclusively on Windows systems, and a separate spearphishing wave began in August 2024 using animal-rescue lures and cloud services.
Related Happenings
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
**Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...
Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor Meta
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
**Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Webworm expanded European government and South Africa university espionage campaign
Campaign
First: 20.05.2026 14:30
Last: 20.05.2026 14:30
Sources 1
About this happening:
Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
Timeline
21.11.2025 00:12 2 articles · 6mo ago
APT24 BadAudio espionage campaign disclosed
Initial Disclosure
Google Threat Intelligence Group described APT24 as running a three-year espionage campaign with previously undocumented BadAudio malware against Windows systems, using spearphishing, supply-chain compromise, and watering hole attacks. The campaign compromised more than 20 legitimate public websites from November 2022 until at least September 2025, repeatedly compromised a digital marketing company in Taiwan that distributed JavaScript libraries, enabled compromise of more than 1,000 domains, and in some spearphishing variants used animal-rescue lures, Google Drive, and OneDrive for delivery.
- Google exposes BadAudio malware used in APT24 espionage campaigns — www.bleepingcomputer.com — 21.11.2025 00:12
- APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains — thehackernews.com — 21.11.2025 12:42