BadAudio malware delivery and loader activity
Malware Activity
Summary
The BadAudio malware was used in a sustained delivery-and-loader operation that enabled payload staging against Windows victims, including at least one observed Cobalt Strike Beacon deployment. Since 2022, the malware has been delivered through spearphishing, supply-chain compromise, and watering hole attacks. The loader also relied on DLL search order hijacking and in-memory execution to reduce visibility on the host. The activity mattered because it combined stealthy delivery with staged payload execution across a multi-year operation.
Related Happenings
Plain-crypto-js remote-access Trojan delivery
Malware Activity
First: 31.03.2026 23:55
Last: 31.03.2026 23:55
Sources 1
About this happening:
The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...
Latest development: 04.04.2026 23:30
Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.
Remcos RAT runtime decryption and dynamic API loading analysis
Technical Analysis
First: 19.02.2026 18:30
Last: 19.02.2026 18:30
Sources 1
About this happening:
A newly observed **Remcos RAT** variant now uses **runtime decryption** and **dynamic Windows API loading** to reduce detection and frustrate static analysis on **Windows systems*...
Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)
Vulnerability
First: 12.02.2026 23:01
Last: 12.02.2026 23:01
Sources 1
About this happening:
**Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...
APT36 / SideCopy phishing-led campaign targeting Indian defense organizations
Campaign
First: 11.02.2026 16:52
Last: 11.02.2026 16:52
Sources 1
About this happening:
A **phishing-led** **APT36 / SideCopy** campaign is targeting **Indian defense and government-aligned organizations**, using cross-platform **RATs** to steal sensitive data and ke...
AshTag modular .NET backdoor deployment via sideloading
Malware Activity
First: 11.12.2025 13:00
Last: 11.12.2025 13:00
Sources 1
About this happening:
The **AshTag** backdoor was deployed through **DLL sideloading** and **in-memory execution**, enabling **persistence** and **remote command execution** in targeted environments. I...
Timeline
- 21.11.2025 00:12 (2 articles)
APT24 BadAudio malware disclosure
Initial Disclosure: Google Threat Intelligence Group disclosed that China-linked APT24 had used the previously undocumented BadAudio malware in a three-year espionage campaign against Windows systems, with delivery paths including spearphishing, supply-chain compromise, and watering hole attacks. The analysis also described compromised public websites, a compromised digital marketing company in Taiwan, malicious JavaScript used to fingerprint selected visitors, and at least one observed deployment of Cobalt Strike Beacon through BadAudio.
- Google exposes BadAudio malware used in APT24 espionage campaigns — www.bleepingcomputer.com — 21.11.2025 00:12