Concise Cyber


APT24 Deploys BADAUDIO Malware in Years-Long Espionage Campaign Targeting Taiwan

The advanced persistent threat group APT24, also known as Pitty Tiger and Rancor, has been linked to a years-long cyber-espionage campaign that deployed a novel malware named BADAUDIO. This operation, part of a broader campaign dubbed “Trolling Twin,” primarily focused on targets in Taiwan, with its infrastructure affecting over 1,000 domains worldwide. The group’s activities have been documented by cybersecurity researchers who analyzed the custom tools and techniques used for data exfiltration.

BADAUDIO’s Stealthy Exfiltration Method

The centerpiece of this campaign is the BADAUDIO malware, a sophisticated data exfiltration tool. Its primary function is to steal sensitive information and encode it into the WAVE audio file format. This unique technique uses MIDI-like audio tones to represent the stolen data, making it difficult to detect through conventional network monitoring. Researchers observed that the malware abuses the legitimate Windows Audio Codec Manager, specifically the msacm32.drv library, to carry out its encoding and compression operations. This method allows the threat actor to exfiltrate data from compromised networks under the guise of normal audio traffic.
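A defender-side triage routine for the audio exfiltration technique described above, added here as an example; it is not code from the article or from any analysis of BADAUDIO. It parses the RIFF/WAVE container with the Python standard library (a malformed container is itself a finding) and then scores how much the audio resembles a sequence of discrete pure tones, which is what tone-encoded data would look like compared with speech, music or noise. The window length, tone bin width, thresholds, and the synthetic fixtures (a constructed tone sequence and constructed white noise) are all assumptions made for this example, not values recovered from the real malware.

```python
"""Triage WAV files for machine-generated tone sequences (defender side).
Added example, not from the article or any vendor analysis; the constants,
heuristics and fixtures below are assumptions made for illustration."""
import math
import random
import struct

WINDOW_MS = 20      # assumption: analysis window length
PURE_CV = 0.12      # assumption: max zero-crossing gap variation for a pure tone
TONE_STEP_HZ = 50   # assumption: bin width used to count distinct tones


def parse_wav(data: bytes):
    """Return (rate, channels, first-channel samples) for a 16-bit PCM WAV.
    Raises ValueError on anything malformed so the caller can log that."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    fmt, pcm, pos = None, None, 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = data[pos + 8:pos + 8 + size]
        if len(body) != size:
            raise ValueError(f"chunk {cid!r} truncated")
        if cid == b"fmt " and size >= 16:
            tag, ch, rate, _, _, bits = struct.unpack_from("<HHIIHH", body)
            if tag != 1 or bits != 16 or ch == 0:
                raise ValueError("only 16-bit PCM is handled here")
            fmt = (rate, ch)
        elif cid == b"data":
            pcm = body
        pos += 8 + size + (size & 1)  # chunks are padded to even length
    if fmt is None or pcm is None:
        raise ValueError("missing fmt or data chunk")
    rate, ch = fmt
    n = len(pcm) // 2
    return rate, ch, struct.unpack(f"<{n}h", pcm[:n * 2])[::ch]


def window_tone(win):
    """(mean half-period in samples, coefficient of variation) from the gaps
    between zero crossings; a pure tone has near-constant gaps. Zero samples
    are skipped so tones whose period divides the sample rate score cleanly."""
    crossings, last = [], 0
    for i, s in enumerate(win):
        if s == 0:
            continue
        sign = 1 if s > 0 else -1
        if last and sign != last:
            crossings.append(i)
        last = sign
    if len(crossings) < 4:
        return None
    gaps = [b - a for a, b in zip(crossings, crossings[1:])]
    mean = sum(gaps) / len(gaps)
    std = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
    return mean, std / mean


def tone_score(samples, rate):
    """Fraction of windows that are pure tones plus the size of the tone
    alphabet; a small alphabet of pure tones is what data-carrying audio
    looks like, while speech, music and noise score near zero."""
    win_len = rate * WINDOW_MS // 1000
    windows = [samples[i:i + win_len]
               for i in range(0, len(samples) - win_len + 1, win_len)]
    pure, tones = 0, set()
    for win in windows:
        est = window_tone(win)
        if est and est[1] < PURE_CV:
            pure += 1
            freq = rate / (2 * est[0])
            tones.add(int(round(freq / TONE_STEP_HZ)) * TONE_STEP_HZ)
    frac = pure / len(windows) if windows else 0.0
    return {"pure_fraction": round(frac, 3), "distinct_tones": len(tones),
            "suspicious": frac >= 0.8 and 2 <= len(tones) <= 64}


def triage_wav(data: bytes):
    """Structural parse first, tone statistics second."""
    try:
        rate, _, samples = parse_wav(data)
    except ValueError as exc:
        return {"malformed": str(exc), "suspicious": True}
    return tone_score(samples, rate)


# --- constructed fixtures so the example runs offline -------------------
def build_wav(samples, rate):
    """Mono 16-bit PCM samples in a minimal RIFF/WAVE container."""
    pcm = struct.pack(f"<{len(samples)}h", *samples)
    fmt = struct.pack("<HHIIHH", 1, 1, rate, rate * 2, 2, 16)
    body = (b"WAVEfmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(pcm)) + pcm)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def synth_tone_sequence(freqs, rate, symbol_ms=100, amp=12000):
    """Equal-length pure sine tones back to back (constructed stand-in for
    machine-generated tone signalling; not the malware's encoding)."""
    n = rate * symbol_ms // 1000
    return [int(round(amp * math.sin(2 * math.pi * f * i / rate)))
            for f in freqs for i in range(n)]


def synth_noise(rate, ms=1000, seed=1):
    """Deterministic white noise as a stand-in for non-tonal audio."""
    rng = random.Random(seed)
    return [rng.randint(-20000, 20000) for _ in range(rate * ms // 1000)]


if __name__ == "__main__":
    rate, seq = 16000, [400, 600, 800, 1000] * 5
    print("tones:", triage_wav(build_wav(synth_tone_sequence(seq, rate), rate)))
    print("noise:", triage_wav(build_wav(synth_noise(rate), rate)))
    print("truncated:", triage_wav(build_wav(synth_noise(rate), rate)[:-5]))
```

The zero-crossing estimator is deliberately cheap so it can run on every WAV seen at an egress proxy or in a mail gateway; a real deployment would tune `PURE_CV` and the alphabet bound against the organisation's own audio, and would treat a file that claims to be WAV but fails to parse as at least as interesting as one that scores high.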

Campaign Targets and Infrastructure

The espionage campaign conducted by APT24 demonstrated a clear focus on entities within Taiwan, including government organizations and technology firms. The operation’s reach was extensive, utilizing a command-and-control (C2) infrastructure that involved more than 1,000 domains. To support its operations, the threat actor compromised network devices, including routers from manufacturers like ASUS and DrayTek, to use as C2 servers. In addition to BADAUDIO, the group was also observed using other hacking tools such as the PLUGX remote access trojan (RAT) and Cobalt Strike during their intrusions.

The consistent and long-term nature of this campaign highlights the persistent threat posed by APT24. The use of custom malware like BADAUDIO demonstrates the group’s investment in developing specialized tools to achieve its espionage objectives against specific geopolitical targets.