BADAUDIO first-stage downloader activity
Malware Activity
Summary
Hide ▲
Show ▼
The BADAUDIO malware is now documented as a first-stage downloader that can decrypt and execute AES-encrypted payloads from a hard-coded C2 server, increasing the risk of follow-on compromise on infected hosts. It has been seen in a nearly three-year operation that began in November 2022. Recent delivery chains use malicious DLLs and encrypted archives with VBS, BAT, and LNK files.
Related Happenings
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
Beagle backdoor distributed via fake Claude site and DLL sideloading
Malware Activity
H score23
First: 07.05.2026 16:15
Last: 07.05.2026 16:15
Sources 1
About this happening:
The **Beagle** backdoor is now being distributed through a **fake Claude website**, putting **Windows users** at risk of infection through a **DLL sideloading chain**. The lure de...
Beagle backdoor distributed via fake Claude site and DLL sideloading
Malware ActivityAbout this happening: The **Beagle** backdoor is now being distributed through a **fake Claude website**, putting **Windows users** at risk of infection through a **DLL sideloading chain**. The lure de...
Ghost campaign remote access trojan payload
Malware Activity
H score30
First: 24.03.2026 16:30
Last: 24.03.2026 16:30
Sources 1
About this happening:
A malicious **npm** payload tied to the **Ghost campaign** began in **early February** and used **fake installation logs** to hide a **remote access trojan (RAT)** that could stea...
Ghost campaign remote access trojan payload
Malware ActivityAbout this happening: A malicious **npm** payload tied to the **Ghost campaign** began in **early February** and used **fake installation logs** to hide a **remote access trojan (RAT)** that could stea...
Dohdoor backdoor activity on Windows endpoints
Malware Activity
H score23
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources 1
About this happening:
A new **Dohdoor** backdoor is being used to provide **DNS-over-HTTPS (DoH)** C2 and **reflective payload execution** on **Windows** endpoints, increasing stealth and post-compromi...
Dohdoor backdoor activity on Windows endpoints
Malware ActivityAbout this happening: A new **Dohdoor** backdoor is being used to provide **DNS-over-HTTPS (DoH)** C2 and **reflective payload execution** on **Windows** endpoints, increasing stealth and post-compromi...
UAT-10027 U.S. education and healthcare targeting campaign
Campaign
H score34
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources 1
About this happening:
**UAT-10027** is running an active **campaign** against **U.S. education and healthcare organizations**, and the activity matters because it delivers a new backdoor and supporting...
UAT-10027 U.S. education and healthcare targeting campaign
CampaignAbout this happening: **UAT-10027** is running an active **campaign** against **U.S. education and healthcare organizations**, and the activity matters because it delivers a new backdoor and supporting...
Timeline
-
21.11.2025 12:42 2 articles · 7mo ago
BADAUDIO first-stage downloader activity
Initial DisclosureAt execution, BADAUDIO commonly appears as a **malicious DLL** or archive payload that uses **DLL Search Order Hijacking** to launch through legitimate software. It then reaches out to **C2** and pulls down the next stage.
Show sources
- APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains — thehackernews.com — 21.11.2025 12:42
- APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains — thehackernews.com — 21.11.2025 12:42