BADAUDIO first-stage downloader activity
Malware Activity
Summary
The BADAUDIO malware is now documented as a first-stage downloader that can decrypt and execute AES-encrypted payloads from a hard-coded C2 server, increasing the risk of follow-on compromise on infected hosts. It has been seen in a nearly three-year operation that began in November 2022. Recent delivery chains use malicious DLLs and encrypted archives with VBS, BAT, and LNK files.
Related Happenings
Beagle backdoor distributed via fake Claude site and DLL sideloading
Malware Activity
First: 07.05.2026 16:15
Last: 07.05.2026 16:15
Sources 1
About this happening:
The **Beagle** backdoor is now being distributed through a **fake Claude website**, putting **Windows users** at risk of infection through a **DLL sideloading chain**. The lure de...
Ghost campaign remote access trojan payload
Malware Activity
First: 24.03.2026 16:30
Last: 24.03.2026 16:30
Sources 1
About this happening:
A malicious **npm** payload tied to the **Ghost campaign** began in **early February** and used **fake installation logs** to hide a **remote access trojan (RAT)** that could stea...
Dohdoor backdoor activity on Windows endpoints
Malware Activity
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources 1
About this happening:
A new **Dohdoor** backdoor is being used to provide **DNS-over-HTTPS (DoH)** C2 and **reflective payload execution** on **Windows** endpoints, increasing stealth and post-compromi...
UAT-10027 U.S. education and healthcare targeting campaign
Campaign
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources 1
About this happening:
**UAT-10027** is running an active **campaign** against **U.S. education and healthcare organizations**, and the activity matters because it delivers a new backdoor and supporting...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
About this happening:
**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
Timeline
21.11.2025 12:42 2 articles · 6mo ago
BADAUDIO first-stage downloader activity
Initial Disclosure
At execution, BADAUDIO commonly appears as a **malicious DLL** or archive payload that uses **DLL Search Order Hijacking** to launch through legitimate software. It then reaches out to **C2** and pulls down the next stage.
Sources
- APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains — thehackernews.com — 21.11.2025 12:42