BadAudio malware delivery and loader activity
Malware Activity
Summary
Hide ▲
Show ▼
The BadAudio malware was used in a sustained delivery-and-loader operation that enabled payload staging against Windows victims, including at least one observed Cobalt Strike Beacon deployment. Since 2022, the malware has been delivered through spearphishing, supply-chain compromise, and watering hole attacks. It also used DLL search order hijacking and in-memory execution to reduce visibility. The activity mattered because it combined stealthy delivery with staged payload execution across a multi-year operation.
Related Happenings
SPECTRALVIPER DLL sideloading backdoor activity
Malware Activity
H score31
First: 11.06.2026 12:45
Last: 11.06.2026 12:45
Sources 1
About this happening:
The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...
SPECTRALVIPER DLL sideloading backdoor activity
Malware ActivityAbout this happening: The **SPECTRALVIPER** backdoor was executed on affected **Windows** hosts through a **DLL sideloading** chain during **October 2025 to March 2026**, giving operators a way to run...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
Windows zero-day exploitation wave
Exploitation Wave
H score38
First: 17.04.2026 09:14
Last: 17.04.2026 09:14
Sources 1
About this happening:
**BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....
Windows zero-day exploitation wave
Exploitation WaveAbout this happening: **BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....
Latest development: 23.04.2026 14:05
CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, until May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.
Plain-crypto-js remote-access Trojan delivery
Malware Activity
H score30
First: 31.03.2026 23:55
Last: 31.03.2026 23:55
Sources 1
About this happening:
The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...
Plain-crypto-js remote-access Trojan delivery
Malware ActivityAbout this happening: The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...
Latest development: 04.04.2026 23:30
Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.
Remcos RAT runtime decryption and dynamic API loading analysis
Technical Analysis
H score23
First: 19.02.2026 18:30
Last: 19.02.2026 18:30
Sources 1
About this happening:
A newly observed **Remcos RAT** variant now uses **runtime decryption** and **dynamic Windows API loading** to reduce detection and frustrate static analysis on **Windows systems*...
Remcos RAT runtime decryption and dynamic API loading analysis
Technical AnalysisAbout this happening: A newly observed **Remcos RAT** variant now uses **runtime decryption** and **dynamic Windows API loading** to reduce detection and frustrate static analysis on **Windows systems*...
Timeline
-
21.11.2025 00:12 2 articles · 7mo ago
APT24 BadAudio malware disclosure
Initial DisclosureGoogle Threat Intelligence Group disclosed that China-linked APT24 had used the previously undocumented BadAudio malware in a three-year espionage campaign against Windows systems, with delivery paths including spearphishing, supply-chain compromise, and watering hole attacks. The analysis also described compromised public websites, a compromised digital marketing company in Taiwan, malicious JavaScript used to fingerprint selected visitors, and at least one observed deployment of Cobalt Strike Beacon through BadAudio.
Show sources
- Google exposes BadAudio malware used in APT24 espionage campaigns — www.bleepingcomputer.com — 21.11.2025 00:12
- Google exposes BadAudio malware used in APT24 espionage campaigns — www.bleepingcomputer.com — 21.11.2025 00:12