Find notable cyber news and cases, enriched with sources, timelines, and signals.

BadAudio malware delivery and loader activity

Malware Activity
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

The BadAudio malware was used in a sustained delivery-and-loader operation that enabled payload staging against Windows victims, including at least one observed Cobalt Strike Beacon deployment. Since 2022, the malware has been delivered through spearphishing, supply-chain compromise, and watering hole attacks. It also used DLL search order hijacking and in-memory execution to reduce visibility. The activity mattered because it combined stealthy delivery with staged payload execution across a multi-year operation.

Related Happenings

SPECTRALVIPER DLL sideloading backdoor activity

Malware Activity
H score31 First: 11.06.2026 12:45 Last: 11.06.2026 12:45 Sources 1

About this happening: The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...

Windows zero-day exploitation wave

Exploitation Wave
H score38 First: 17.04.2026 09:14 Last: 17.04.2026 09:14 Sources 1

About this happening: **BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....

Latest development: 23.04.2026 14:05

CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, until May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.

Plain-crypto-js remote-access Trojan delivery

Malware Activity
H score30 First: 31.03.2026 23:55 Last: 31.03.2026 23:55 Sources 1

About this happening: The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...

Latest development: 04.04.2026 23:30

Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.

Remcos RAT runtime decryption and dynamic API loading analysis

Technical Analysis
H score23 First: 19.02.2026 18:30 Last: 19.02.2026 18:30 Sources 1

About this happening: A newly observed **Remcos RAT** variant now uses **runtime decryption** and **dynamic Windows API loading** to reduce detection and frustrate static analysis on **Windows systems*...

Timeline

  1. 21.11.2025 00:12 2 articles · 7mo ago

    APT24 BadAudio malware disclosure

    Initial Disclosure

    Google Threat Intelligence Group disclosed that China-linked APT24 had used the previously undocumented BadAudio malware in a three-year espionage campaign against Windows systems, with delivery paths including spearphishing, supply-chain compromise, and watering hole attacks. The analysis also described compromised public websites, a compromised digital marketing company in Taiwan, malicious JavaScript used to fingerprint selected visitors, and at least one observed deployment of Cobalt Strike Beacon through BadAudio.

    Show sources