
The Fake Chrome Patch that Unfolds the Pothole

  • Writer: Javier Conejo del Cerro
  • 1 day ago
  • 3 min read

For nearly three years, a silent intruder has been moving through digital corridors with near-perfect stealth. Known as APT24, this China-nexus threat actor has orchestrated a persistent espionage operation targeting Taiwan and selected U.S. entities by deploying BADAUDIO, a heavily obfuscated downloader engineered for discretion, resilience, and long-term access. Through a combination of watering-hole attacks, supply-chain compromises, and precise spear-phishing campaigns, APT24 has demonstrated how a disciplined adversary can infiltrate highly regulated sectors, exploit trusted infrastructure, and maintain covert access while continuously delivering AES-encrypted payloads such as Cobalt Strike. This campaign illustrates how modern espionage groups blend infrastructure hijacking, tailored victim fingerprinting, DLL hijacking, and poisoned JavaScript libraries to compromise thousands of systems in parallel without triggering alarms.


Phase 1 — Silent Positioning: Strategic Targeting of Victims


APT24’s operational focus shows a carefully curated victim set tied to geopolitical and industrial intelligence priorities. The campaign targeted government, healthcare, construction, engineering, mining, nonprofit, and telecommunications sectors across Taiwan and the U.S. The attackers compromised more than 20 legitimate websites to identify and filter targets before delivery, ensuring only specific visitors would receive malicious payloads. A second wave breached a Taiwanese regional digital marketing firm, enabling APT24 to weaponize one of its distributed JavaScript libraries and hijack over 1,000 domains in a supply-chain cascade. Parallel spear-phishing waves—using animal-rescue–themed lures and tracking pixels to confirm who opened each message—allowed precise victim selection, further widening the pool of compromised endpoints while minimizing exposure.


Phase 2 — Stealthy Execution: Multi-Vector Initial Access


The campaign’s entry methods reveal a layered and adaptive intrusion strategy.

First, APT24 deployed watering-hole attacks in which carefully injected JavaScript fingerprinted visitors, excluded macOS/iOS/Android devices, and displayed fake Chrome update pop-ups only to validated Windows targets.

Second, the attackers used a supply-chain breach of a widely distributed JavaScript library from the Taiwanese marketing firm. The compromised script contacted a typosquatted CDN domain controlled by APT24, retrieved attacker-hosted JavaScript, fingerprinted the machine, and prompted the victim to download BADAUDIO. For ten days in August 2025, filtering conditions were lifted, temporarily exposing all 1,000+ domains.

Finally, spear-phishing delivered encrypted archives containing BADAUDIO, relying on DLL Search Order Hijacking for execution via legitimate binaries. Each method ensured that only the intended targets received malware, minimizing noise and limiting detection opportunities.


Phase 3 — Payload Deployment: BADAUDIO and Long-Term Control


Once executed, BADAUDIO operated as a highly obfuscated C++ downloader designed to frustrate analysis through control-flow flattening and encrypted payload handling. It first collected system information and exfiltrated it to the C2 server, which responded with an AES-encrypted payload—sometimes a Cobalt Strike Beacon. BADAUDIO typically arrived as a malicious DLL and maintained persistence through DLL Search Order Hijacking, getting itself loaded by legitimate processes.

Recent variants were packaged in encrypted archives containing DLLs, VBS scripts, BAT files, and LNK files, enabling a modular execution chain. After initial validation, BADAUDIO maintained covert communication, downloaded additional encrypted payloads, and set the foundation for extended espionage operations, granting APT24 long-term visibility and remote control within targeted networks.


Measures to Fend Off the Intruder


  • Block malicious, typosquatted, or suspicious CDN domains associated with JavaScript supply-chain attacks.

  • Enforce integrity validation for all third-party JavaScript libraries and external scripts.

  • Harden browser environments against fake-update attack chains via controlled update policies.

  • Restrict DLL side-loading, especially for unsigned or untrusted archives delivered via cloud services.

  • Deploy EDR/XDR capable of detecting AES-encrypted payload retrieval, browser fingerprinting scripts, and DLL Search Order Hijacking.

  • Monitor for anomalous JavaScript behavior, including domain redirection and conditional delivery mechanisms.
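The supply-chain vector in Phase 2 (a trusted script silently pulling attacker JavaScript from a typosquatted CDN) is exactly what the first two measures above are meant to catch. As an added example, not code from the original post, the following Python audit walks a page's external script tags and flags two weaknesses: third-party scripts loaded without a Subresource Integrity (SRI) hash, and script hosts that are near-miss lookalikes of a trusted CDN. The allowlist hosts and the sample HTML are constructed for illustration.

```python
# Added example: audit external <script> tags for missing SRI and lookalike hosts.
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_CDNS = {"cdn.example-marketing.tw", "cdnjs.cloudflare.com"}  # constructed allowlist
SAMPLE_HTML = """<html><head>  <!-- constructed sample page -->
<script src="https://cdnjs.cloudflare.com/lib.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example-marketing.tw/tracker.js"></script>
<script src="https://cdn.examp1e-marketing.tw/tracker.js"></script>
<script src="/local/app.js"></script>
<script>console.log("inline")</script>
</head></html>"""

def edit_distance(a, b):
    """Levenshtein distance; a small non-zero value flags a near-miss hostname."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def audit_scripts(html, trusted=TRUSTED_CDNS):
    """Return (src, reason) pairs for third-party scripts lacking an integrity
    hash or served from an untrusted or lookalike host."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        host = urlparse(src).hostname if src else None
        if not host:
            continue  # inline or same-origin script: not a third-party load
        if host not in trusted:
            near = [t for t in trusted if 0 < edit_distance(host, t) <= 2]
            reason = f"untrusted host (resembles {near[0]})" if near else "untrusted host"
            findings.append((src, reason))
        if not attrs.get("integrity"):
            findings.append((src, "missing integrity attribute"))
    return findings
```

An SRI hash pins the exact file contents, so a library swapped out at the CDN fails the browser's check instead of running; the hash has to be refreshed whenever the vendor ships a new version, which is the operational cost of this control.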


The BADAUDIO campaign demonstrates how modern APT operations rely on quieter, more persistent approaches rather than high-volume exploitation. APT24 combined watering-holes, supply-chain compromise, targeted phishing, malicious JavaScript, and DLL hijacking to infiltrate organizations in a controlled and sustained manner, avoiding the broad indicators that defenders typically expect. Its long-running infrastructure, adaptive delivery methods, and encrypted payload chains underscore a shift toward espionage that blends into legitimate traffic and trusted supply channels. Defending against such intrusions demands continuous script integrity checks, DNS and CDN scrutiny, restrictive loading policies, and behavioral detection capable of identifying stealthy pre-execution techniques. In a threat landscape where the intruder moves quietly, resilience depends on shutting down every path that enables them to walk unnoticed through the network.



The Hacker News

