Chinese APT24 Unveils Custom Malware and Innovative Stealth Tactics

Categories: Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime, Government

Three-Year Espionage Campaign Targets Taiwanese Firms


Security researchers have uncovered a multi-year espionage operation attributed to a hacking group with suspected ties to the Chinese government. This sustained campaign, lasting three years, has focused on infiltrating Taiwanese companies using a sophisticated variant of malware.

According to Google Cloud, the group known as APT24 has been active since 2011 and began this campaign in 2022. Its operations used a variety of attack vectors to infiltrate Taiwanese businesses, deploying malware identified as BADAUDIO, a downloader that gathers basic system data and lets the attackers maintain access within compromised networks. The group's persistence and changing tactics have allowed it to evade detection across multiple compromises.

In a notable example from July 2024, APT24 executed a supply chain attack by breaching a regional digital marketing company in Taiwan, affecting over 1,000 domains. The firm has since experienced recurrent compromises, demonstrating the group’s ongoing commitment to its operations.

APT24, also referred to as G0011, PITTY PANDA, and Temp.Pittytiger, has predominantly focused on theft of intellectual property linked to projects of significant strategic interest to China. Their primary targets include industries in Taiwan and the United States, specifically within the healthcare, construction, engineering, mining, and nonprofit sectors.

APT24 deployed several iterations of BADAUDIO, beginning with watering hole attacks: malicious JavaScript injected into 20 websites prompted visitors to download the malware. In July 2024 the group shifted to a supply chain approach, embedding malicious scripts in widely used JavaScript libraries.
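The supply chain phase described above depends on a served JavaScript library differing from the copy that was reviewed. The following is an added example, not code from the article or from Google Cloud, of the defensive check a site operator can run: compare every vendored script against a pinned SHA-256 manifest and emit the matching Subresource Integrity (SRI) attribute so browsers refuse a tampered file. The library contents, the tampered copy and the manifest are constructed sample data; the function and file names are assumptions for the example.

```python
"""Integrity checks for vendored third-party JavaScript (added example)."""
import base64
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file body, the value pinned in the manifest."""
    return hashlib.sha256(data).hexdigest()


def sri_value(data: bytes, algorithm: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute (base64 digest)."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_against_manifest(files: dict, manifest: dict) -> dict:
    """Compare served files with pinned hashes.

    files:    path -> bytes actually being served
    manifest: path -> expected SHA-256 hex, recorded at review time
    Returns path -> 'ok' | 'modified' | 'missing' | 'unpinned'.
    A 'modified' entry is exactly the case of a library with an
    injected script; 'unpinned' catches files added outside review.
    """
    report = {}
    for path, expected in manifest.items():
        if path not in files:
            report[path] = "missing"
        elif sha256_hex(files[path]) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    for path in files:
        if path not in manifest:
            report[path] = "unpinned"
    return report


# Constructed sample: the library as reviewed and pinned ...
CLEAN_LIB = b"(function(){window.lib={version:'1.0'};})();\n"
# ... and the same file with an extra block appended, as a tampered copy looks.
TAMPERED_LIB = CLEAN_LIB + b"/* appended block */ window.extra=1;\n"

# Constructed manifest, generated from the reviewed copy.
PINNED_MANIFEST = {"static/js/lib.min.js": sha256_hex(CLEAN_LIB)}


def demo() -> dict:
    """Run the check over a constructed 'currently served' file set."""
    served = {
        "static/js/lib.min.js": TAMPERED_LIB,      # altered after review
        "static/js/extra.js": b"console.log(1);\n",  # never reviewed
    }
    return verify_against_manifest(served, PINNED_MANIFEST)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9} {path}")
    print("integrity attribute for the clean copy:", sri_value(CLEAN_LIB))
```

Run the manifest check in the deploy pipeline and in a periodic job against what the CDN actually returns; the SRI attribute gives a second, browser-side check for scripts loaded from a third-party host.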

By May 2025 the methods had expanded to social engineering, using platforms such as Google Drive and OneDrive to distribute encrypted archives containing BADAUDIO. Once inside, the attackers ran the malware through search order hijacking, placing a malicious library where the operating system's library search order finds it before the legitimate one.
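Search order hijacking is detectable on disk because the malicious library has to sit next to a program, under a name the operating system would otherwise resolve from its system directory. The following is an added example, not code from the article or from Google Cloud, of that defensive scan: walk an application tree and flag any DLL whose name matches a system library and which lives in a directory that also contains an executable. The directory layout and the set of system DLL names are constructed here; on a real Windows host the set would be built from the contents of the system directory, and the flagged file's hash would be compared with the system copy.

```python
"""Flag DLLs that shadow system libraries beside an executable (added example)."""
import hashlib
import os
import tempfile

# Constructed sample of names normally resolved from the system directory.
# On a real host, populate this from %SystemRoot%\System32 instead.
SYSTEM_DLL_NAMES = {"version.dll", "userenv.dll", "dwmapi.dll", "wininet.dll"}


def hash_file(path: str) -> str:
    """SHA-256 of a file, for comparison against the known-good system copy."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowing_dlls(app_root: str, system_dll_names: set) -> list:
    """Return (path, sha256) for each DLL that shares a system DLL's name
    and sits in a directory that also holds an .exe.

    Only directories containing an executable matter: the default search
    order checks the program's own directory before the system directory,
    so a same-named DLL there is loaded instead of the real one.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(app_root):
        by_lower = {f.lower(): f for f in files}
        if not any(name.endswith(".exe") for name in by_lower):
            continue
        for lower, original in sorted(by_lower.items()):
            if lower.endswith(".dll") and lower in system_dll_names:
                full = os.path.join(dirpath, original)
                findings.append((full, hash_file(full)))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed application tree; file bodies are placeholders, not binaries."""
    layout = {
        "App/app.exe": b"placeholder executable",
        "App/version.dll": b"placeholder: same name as a system DLL",  # flagged
        "App/appcore.dll": b"placeholder: vendor-specific name",     # not flagged
        "App/plugins/version.dll": b"placeholder: no exe in this dir",  # not flagged
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> list:
    """Scan the constructed tree; returns flagged paths relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = find_shadowing_dlls(root, SYSTEM_DLL_NAMES)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p, _ in hits]


if __name__ == "__main__":
    for rel in demo():
        print("shadowing DLL:", rel)
```

A hit is a lead, not a verdict: some software legitimately ships private copies of system libraries, so compare the flagged file's hash and signer with the system copy before treating it as a hijack.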

Upon compromise, the malware collects critical system data, including hostname, username, and architecture specifics. This information is hashed and transmitted covertly to command-and-control servers, enhancing the threat actors’ ability to operate unnoticed.

Google has observed a broader trend of state-sponsored actors using increasingly stealthy techniques to bypass security measures. The company has initiated steps to dismantle the malware’s infrastructure and has notified clients affected by these breaches.
