Lizzie Clark

November 26th – This Week’s Top Cybersecurity and Dark Web Stories

This week’s top cybersecurity and dark web news stories cover the exposure of BadAudio malware, the CrowdStrike insider feeding information to hackers, and the sanctions imposed on Media Land.

China’s APT24 Unmasked, Using Undetected ‘BadAudio’ Malware

A China-linked threat actor, APT24, has been running a sophisticated three-year espionage campaign using a previously undocumented malware strain named ‘BadAudio,’ according to Google Threat Intelligence Group (GTIG) researchers.

The campaign, which began in 2022, has recently escalated its attack methods, moving from traditional spearphishing and watering hole attacks to more complex supply-chain compromises.

Key Attack Tactics:

Supply-Chain Compromise: Starting in July 2024, APT24 repeatedly compromised a digital marketing company in Taiwan. By injecting malicious JavaScript into a widely used library distributed by the firm, the attackers were able to compromise over 1,000 domains. They also registered a domain impersonating a legitimate Content Delivery Network (CDN) to facilitate the spread.

Watering Hole Attacks: From late 2022 to at least September 2025, APT24 compromised more than 20 legitimate public websites, injecting malicious JavaScript to target specific visitors—exclusively Windows systems—with a fake software update pop-up to trick them into downloading BadAudio.

Spearphishing: Starting in August 2024, the group used emails impersonating animal rescue organizations as lures. In some cases, they used legitimate cloud services like Google Drive and OneDrive for malware distribution and included tracking pixels to confirm when a recipient opened the email.

GTIG analysis reveals that the BadAudio malware is heavily obfuscated to evade detection and analysis.

Evasion Techniques: It uses DLL search order hijacking to execute its malicious payload via a legitimate application. It also employs control flow flattening, a sophisticated obfuscation method that dismantles the program’s logic and forces analysts to manually trace the execution path.
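To make the control flow flattening point concrete, here is an added illustration in C (constructed for this write-up, not code from the GTIG report or from BadAudio): a small checksum routine written plainly, then the same logic rewritten as a dispatcher loop driven by an opaque state variable. The function names, state constants and the checksum itself are all assumptions; the point is that the loop and branch structure disappears from the second version and has to be recovered by tracing state transitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Plain version: checksum a buffer, stopping at the first NUL byte.
 * Constructed example, not malware code. */
uint32_t checksum_plain(const uint8_t *buf, size_t len) {
    uint32_t acc = 0x1234;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == 0) break;            /* early exit on NUL */
        acc = (acc * 31) ^ buf[i];
    }
    return acc;
}

/* Flattened version: identical behaviour, but every basic block is now a
 * case in one switch, and the order of execution is decided at run time by
 * the `state` variable. A disassembler shows a single loop around a switch;
 * the original for/if shape is gone and must be reconstructed by following
 * each state transition (or by emulating the function). */
uint32_t checksum_flattened(const uint8_t *buf, size_t len) {
    uint32_t acc = 0, state = 0xA1;        /* 0xA1..0xE5: arbitrary block ids */
    size_t i = 0;
    for (;;) {
        switch (state) {
        case 0xA1: acc = 0x1234; i = 0; state = 0xB2; break;        /* entry      */
        case 0xB2: state = (i < len) ? 0xC3 : 0xE5; break;           /* loop test  */
        case 0xC3: state = (buf[i] == 0) ? 0xE5 : 0xD4; break;       /* NUL check  */
        case 0xD4: acc = (acc * 31) ^ buf[i]; i++; state = 0xB2; break; /* body    */
        case 0xE5: return acc;                                      /* exit       */
        default:   return 0;                                        /* unreachable */
        }
    }
}

int main(void) {
    const uint8_t sample[] = "BadAudio";   /* constructed input */
    printf("plain=%08x flattened=%08x\n",
           checksum_plain(sample, sizeof sample - 1),
           checksum_flattened(sample, sizeof sample - 1));
    return 0;
}
```

Real obfuscators go further (random block ids, opaque predicates, bogus cases), but this is the core transformation that defeats a quick read of the control-flow graph.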

Post-Infection: Once executed, BadAudio collects basic system details (hostname, username, architecture), encrypts the data, and sends it to a hard-coded command-and-control (C2) address before downloading and executing a final payload in memory. Researchers observed the deployment of the widely abused Cobalt Strike Beacon in at least one instance.

Despite being active for three years, APT24’s tactics have kept the malware largely undetected. Of eight samples analyzed by GTIG, most are flagged by fewer than five security solutions on the VirusTotal platform, highlighting the threat actor’s “capacity for persistent and adaptive espionage.”

CrowdStrike Insider Shares Internal Screenshots with ‘Scattered Lapsus$ Hunters’

CrowdStrike has confirmed that a former insider shared screenshots of internal systems with hackers. The images were subsequently leaked on Telegram by the threat actors collectively known as Scattered Lapsus$ Hunters, which includes members of ShinyHunters, Scattered Spider, and Lapsus$.

CrowdStrike stated that it identified and terminated the suspicious insider last month. Critically, the company emphasized that its systems were never compromised as a result of the incident, and no customer data was breached. The case has been turned over to law enforcement.

ShinyHunters claimed they had agreed to pay the insider $25,000 for network access and ultimately received SSO authentication cookies. However, they stated the insider’s access had already been shut down by CrowdStrike.

The same group is known for its extensive activity, having launched a data-leak site to extort dozens of companies following a massive wave of Salesforce breaches. Since the start of the year, the threat actors have targeted Salesforce customers with voice phishing attacks, breaching companies including Google, Cisco, and various LVMH subsidiaries. They also claimed responsibility for the Jaguar Land Rover (JLR) breach, which resulted in over £196 million in damages.

Recently, ShinyHunters and Scattered Spider were reported to be switching to a new ransomware-as-a-service platform named ShinySp1d3r. Furthermore, ShinyHunters claimed a new wave of data theft attacks impacting over 280 Salesforce instances, including high-profile names like LinkedIn, GitLab, and Atlassian. They compromised these instances by breaching Gainsight using secrets stolen in the Salesloft Drift breach. DocuSign, however, has since reached out to the media to deny ShinyHunters’ claims of a data compromise.

US, UK, and Australia Sanction Russian ‘Bulletproof’ Hosting Firms for Enabling Global Cybercrime

In a coordinated international effort, the U.S. Treasury’s Office of Foreign Assets Control (OFAC), Australia, and the United Kingdom have announced sanctions targeting Russia-based ‘bulletproof hosting’ (BPH) providers and their enablers.

The trilateral action focuses on Media Land, a St. Petersburg-based BPH provider accused of offering specialized server access that helps cybercriminals evade law enforcement. Media Land’s services have been utilized by prolific ransomware groups, including LockBit, BlackSuit, and Play, and were involved in Distributed Denial-of-Service (DDoS) attacks against U.S. critical infrastructure.

In addition to the company itself, OFAC designated key members of Media Land’s leadership:

  • Aleksandr Volosovik: General Director who advertised the business on cybercriminal forums.
  • Kirill Zatolokin: Employee responsible for collecting payments and coordinating with cyber actors.
  • Yulia Pankova: Assisted Volosovik with legal and financial issues.

Three affiliated companies – ML Cloud, Media Land Technology (MLT), and Data Center Kirishi (DC Kirishi) – were also designated as being owned or controlled by Media Land.

The coordinated action also targeted sanctions evasion efforts by Aeza Group, a BPH provider previously designated by OFAC. The new designations include:

  • Hypercore Ltd.: A UK-registered front company used by Aeza to move its technical infrastructure.
  • Maksim Vladimirovich Makarov: The new director of Aeza, designated for making key decisions to evade sanctions.
  • Ilya Vladislavovich Zakirov: Helped establish new companies and payment methods for obfuscation.
  • Smart Digital Ideas DOO (Serbian) and Datavice MCHJ (Uzbek): Entities used to set up technical infrastructure not publicly associated with the Aeza brand.

As a result of today’s actions, all property and interests of the designated individuals and entities that are in the U.S. or controlled by U.S. persons are blocked.

If you aren’t subscribed and would like the latest dark web news and insights delivered into your inbox every Thursday at 10am, sign up to the email version of BEACON.