APT24 BadAudio multi-delivery espionage campaign
Campaign
Summary
Hide ▲
Show ▼
APT24 is running a three-year espionage campaign with BadAudio that has expanded into multiple delivery methods, increasing the operation's reach and stealth. Since 2022, the group has used spearphishing, supply-chain compromise, and watering hole attacks to deliver the malware. The campaign compromised more than 20 legitimate public websites and later abused a Taiwanese marketing firm's JavaScript supply chain to reach more than 1,000 domains. The targeting focused exclusively on Windows systems, and a separate spearphishing wave began in August 2024 using animal-rescue lures and cloud services.
Related Happenings
Rokarolla device-profiling targeting campaign
Campaign
H score32
First: 16.06.2026 23:04
Last: 16.06.2026 23:04
Sources 1
About this happening:
The **Rokarolla** Android campaign now profiles infected devices to assign a **unique identifier** to each victim, enabling repeated tracking and coordinated financial-fraud activ...
Rokarolla device-profiling targeting campaign
CampaignAbout this happening: The **Rokarolla** Android campaign now profiles infected devices to assign a **unique identifier** to each victim, enabling repeated tracking and coordinated financial-fraud activ...
UNC6508 China-linked REDCap espionage campaign
Campaign
H score39
First: 15.06.2026 17:00
Last: 15.06.2026 17:00
Sources 1
About this happening:
**UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
UNC6508 China-linked REDCap espionage campaign
CampaignAbout this happening: **UNC6508** ran a **China-linked espionage campaign** against **exposed REDCap servers** used by **North American medical, academic, and military research networks**. The operatio...
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score69
First: 12.06.2026 21:59
Last: 12.06.2026 21:59
Sources 1
About this happening:
The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...
Outsider Telegram-run smishing campaign targeting Americans
Campaign
H score53
First: 12.06.2026 21:59
Last: 12.06.2026 21:59
Sources 1
About this happening:
The **Outsider Enterprise** happening is a **phishing-as-a-service** campaign tied to a **Chinese cybercrime network** that used **AI** and distributed phishing kits to impersonat...
Outsider Telegram-run smishing campaign targeting Americans
CampaignAbout this happening: The **Outsider Enterprise** happening is a **phishing-as-a-service** campaign tied to a **Chinese cybercrime network** that used **AI** and distributed phishing kits to impersonat...
Latest development: 14.06.2026 17:36
The FBI, working with Google and Black Lotus Labs, dismantled Outsider Enterprise, a Chinese phishing-as-a-service operation that used AI and distributed phishing kits to impersonate trusted brands in texts sent through AT&T, T-Mobile and Verizon. The takedown included seizures of administration servers, a Shopify e-commerce storefront, a testing account, around $100,000 USDT and a Telegram bot linked to the service, while Google pursued civil action and coordinated with carriers to block fraudulent messages.
AudiA6 laundering ecosystem and Dark2Web forum
Threat Actor Meta
H score31
First: 11.06.2026 18:55
Last: 11.06.2026 18:55
Sources 1
About this happening:
**AudiA6** was disrupted as an **industrial-scale cryptocurrency laundering service** used by **ransomware gangs** and other cybercriminal networks. Europol said the ecosystem lau...
AudiA6 laundering ecosystem and Dark2Web forum
Threat Actor MetaAbout this happening: **AudiA6** was disrupted as an **industrial-scale cryptocurrency laundering service** used by **ransomware gangs** and other cybercriminal networks. Europol said the ecosystem lau...
Timeline
-
21.11.2025 00:12 2 articles · 7mo ago
APT24 BadAudio espionage campaign disclosed
Initial DisclosureGoogle Threat Intelligence Group described APT24 as running a three-year espionage campaign with previously undocumented BadAudio malware against Windows systems, using spearphishing, supply-chain compromise, and watering hole attacks. The campaign compromised more than 20 legitimate public websites from November 2022 until at least September 2025, repeatedly compromised a digital marketing company in Taiwan that distributed JavaScript libraries, enabled compromise of more than 1,000 domains, and in some spearphishing variants used animal-rescue lures, Google Drive, and OneDrive for delivery.
Show sources
- Google exposes BadAudio malware used in APT24 espionage campaigns — www.bleepingcomputer.com — 21.11.2025 00:12
- APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains — thehackernews.com — 21.11.2025 12:42