APT24 Deploys New BadAudio Malware in Ongoing Surveillance Campaign

APT24, a China-linked threat group, used a custom malware called BadAudio in a three-year surveillance operation, now evolving with advanced techniques.

    A China-linked advanced persistent threat (APT) group, known as APT24 or “SockDetour,” has waged a multi-year cyber espionage campaign targeting various entities across Southeast Asia. Security researchers recently uncovered the group’s use of a previously undocumented malware known as “BadAudio,” marking a significant evolution in their tactics, techniques, and procedures (TTPs).

    This covert campaign, active since at least 2020, highlights the group’s transition from using commodity tools to more sophisticated, custom malware to evade detection and maximize intelligence gathering.

    Espionage Activity Spanned Three Years With a Custom Malware Arsenal

    Investigators attribute the espionage operations to APT24 based on shared infrastructure, overlapping malware code, and tactical similarities with previously reported campaigns conducted by the same threat actor. BadAudio is believed to be part of a growing custom malware toolkit developed to meet the operational demands of long-term surveillance.

    According to researchers, the campaign remained under the radar for nearly three years due to APT24’s emphasis on stealth and modular attack chains. The use of novel malware frameworks, combined with a strategic targeting approach, allowed the actors to collect intelligence without triggering standard endpoint detection and response (EDR) systems.

    BadAudio Malware Offers Advanced Capabilities for Targeted Surveillance

    APT24 deployed BadAudio primarily in second-stage attack phases after gaining initial access through spear phishing or exploiting vulnerable internet-facing systems. Once inside the network, BadAudio enabled a wide range of surveillance capabilities.

    Capabilities of BadAudio Include:

    • Harvesting credentials and session tokens from infected hosts
    • Dumping NTLM (NT LAN Manager) hashes for lateral movement
    • Executing arbitrary commands remotely
    • Deploying additional payloads for data exfiltration

    BadAudio is written in a modular fashion, allowing threat actors to update or swap functionality without rewriting the core loader. Researchers noted that its codebase shares functional similarities with other malware previously deployed by APT24, further solidifying attribution.

    Threat Actors Shift Toward More Sophisticated Attack Chains

    Unlike earlier operations where APT24 leveraged open-source and commodity malware tools, the recent campaign demonstrates a clear evolution in tradecraft. The threat actors now favor modular malware implants and stealth persistence techniques, making detection and attribution more complex.

    This shift suggests that Chinese cyber espionage groups are heavily investing in bespoke tooling to ensure long-term access and uninterrupted surveillance.

    APT24 also employed techniques such as:

    • DLL side-loading via signed binaries to bypass signature validation
    • Use of scheduled tasks or registry run keys for persistence
    • Encrypting command-and-control (C2) traffic to evade traffic inspection mechanisms

    These evolving TTPs place increased demand on defenders to adopt advanced threat detection tools and proactive threat hunting strategies to mitigate such long-term activity.

    Southeast Asia Remains a Focal Point for Chinese State-Backed Espionage

    APT24’s operations were primarily focused on government and telecom entities within Southeast Asia, although researchers have not ruled out the possibility of a broader victim set. This geographic focus aligns with China’s long-standing regional strategic interests and its expanding cyber-intelligence capabilities.

    The persistent nature of the campaign and the deployment of custom malware show the prioritization of long-term information collection over disruptive tactics. By maintaining silent access, the threat actors could exfiltrate politically or economically relevant data over extended periods.

    Detection and Mitigation Strategies for Network Defenders

    Defending against advanced persistent threats like APT24 requires a proactive and layered approach. Because tools like BadAudio are stealthy and modular, traditional signatures alone may not provide reliable detection. Recommended measures include:

    1. Baseline behavioral monitoring to detect anomalies that deviate from normal user activity
    2. Auditing of PowerShell and WMI (Windows Management Instrumentation) commands, which are often abused during lateral movement
    3. Incorporation of detection rules for DLL side-loading and unusual parent-child process relationships
    4. Monitoring system registry and scheduled task changes for persistence indicators

    Incident responders are also encouraged to investigate any signs of anomalous encrypted outbound connections, which could be indicative of obfuscated command-and-control traffic.
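    The detection ideas in points 2 to 4 above, worked into a small hunting script (an added example, not tooling from the researchers who reported BadAudio): it runs heuristics for DLL side-loading by a signed host, Run-key and scheduled-task persistence, and an Office-to-PowerShell parent-child chain over constructed Sysmon-style events. The event format, the user-writable directory list and the rule names are assumptions.

```python
import ntpath

# Constructed Sysmon-style events (simplified dicts, not real telemetry):
# id 7 = image loaded, id 13 = registry value set, id 1 = process created.
EVENTS = [
    {"id": 7, "image": r"C:\Users\alice\AppData\Roaming\vendor\update.exe", "signed": True,
     "loaded": r"C:\Users\alice\AppData\Roaming\vendor\version.dll", "loaded_signed": False},
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe", "signed": True,
     "loaded": r"C:\Windows\System32\version.dll", "loaded_signed": True},
    {"id": 13, "image": r"C:\Users\alice\AppData\Roaming\vendor\update.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\alice\AppData\Roaming\vendor\update.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")  # hypothetical list, tune per estate
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")
SCRIPT_HOSTS = ("powershell.exe", "wmic.exe", "cmd.exe")

def same_dir(a, b):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()

def user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE)

def check(ev):
    """Return the name of the first matching heuristic, or None if the event looks benign."""
    if ev["id"] == 7:
        # Side-loading: a signed host loads an unsigned DLL dropped in its own user-writable directory.
        if (ev["signed"] and not ev["loaded_signed"]
                and same_dir(ev["image"], ev["loaded"]) and user_writable(ev["image"])):
            return "dll_sideload_signed_host"
    elif ev["id"] == 13 and any(k in ev["target"].lower() for k in RUN_KEYS):
        return "registry_run_key_persistence"
    elif ev["id"] == 1:
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent"]).lower()
        if image == "schtasks.exe" and "/create" in ev["cmdline"].lower():
            return "scheduled_task_persistence"
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            return "suspicious_parent_child"
    return None

def hunt(events):
    """Run every event through check() and return the hits as (event id, rule) pairs."""
    return [(ev["id"], rule) for ev in events if (rule := check(ev)) is not None]
```

    Each hit should be triaged against the host's expected software inventory; the signed-host side-loading rule in particular will also fire on legitimately bundled, unsigned vendor DLLs.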

    APT24’s Playbook Highlights Ongoing China-Backed Espionage Efforts

    APT24’s recent activities using BadAudio malware reflect a broader trend of increasingly sophisticated cyber espionage campaigns conducted by China-backed threat actors. The nation-state group’s long-term targeting of high-value regional entities underscores their emphasis on strategic information gathering.

    With evidence pointing to a concerted shift from commodity malware to custom implants, organizations in targeted regions must invest in threat intelligence and modern detection capabilities to stay ahead of advanced threat actors. BadAudio, while newly discovered, may not be the only proprietary malware in APT24’s toolkit as the group continues to refine and bolster its espionage operations.
