TRENDING TOPICS NOV 21, 2025

China-Linked APT24 Deploys BadAudio Malware in Expansive Multi-Year Espionage Campaign

Google Threat Intelligence Group (GTIG) researchers have uncovered that APT24, a long-running PRC-nexus espionage group, has been deploying a previously undocumented downloader called BadAudio in a three-year campaign against government, technology, and regional organizations. Since 2022, the group has delivered BadAudio through strategic web compromises, phishing operations, and repeated supply chain intrusions, including multiple compromises of a digital marketing vendor in Taiwan whose JavaScript libraries were embedded in more than 1,000 customer domains. The injected JavaScript fingerprinted visitors' browsers to select Windows users and served only them a fake browser update pop-up that delivered the malware. BadAudio itself uses control flow flattening, DLL search order hijacking (it is sideloaded by a legitimate executable), and in-memory execution to evade detection; it sends AES-encrypted host information to hard-coded command-and-control servers and then retrieves a second-stage payload. In several cases that payload was confirmed to be Cobalt Strike Beacon, supporting credential theft, system reconnaissance, and persistent access. The supply chain compromises used modified JavaScript and JSON files that dynamically loaded dependencies, embedded reconnaissance data in POST requests, and staged follow-on payloads only after the C2 had validated the victim. Parallel phishing activity used lures impersonating animal rescue organizations and cloud-hosted archives containing encrypted malware, letting the actor blend into trusted delivery channels. GTIG's analysis shows that many BadAudio samples went undetected by most antivirus engines for years, reflecting the depth of the obfuscation and the actor's ability to maintain stable infrastructure. GTIG has added all identified websites, domains, and binaries to the Safe Browsing blocklist and notified affected organizations to prevent further compromise.
The sustained campaign signals ongoing operational maturity within APT24 and reinforces the need for defenders to monitor third-party scripts, browser fingerprinting behavior, and DLL sideloading activity as part of broader detection strategies.

Tsundere Botnet Expands Into a Multi-Platform Threat Leveraging Node.js and Blockchain-Based C2

Researchers have identified a major evolution of the Tsundere botnet, a Node.js-based malware family tied to a Russian-speaking actor known as koneko, who previously distributed hundreds of malicious npm packages through typosquatting campaigns. After abandoning npm distribution in late 2024, the actor reemerged in 2025 with a redesigned botnet that infects Windows, Linux, and macOS systems through MSI installers, PowerShell-based droppers, RMM tools, and fake game installers imitating popular first-person shooters. Once executed, the bot installs a full Node.js runtime under AppData, decrypts its components with AES-256-CBC, and installs the ws, ethers, and pm2 packages for WebSocket communication, blockchain interaction, and persistence respectively. The bot reads its current C2 address from an Ethereum smart contract controlled by the actor, so the operators can rotate C2 by updating contract state rather than redeploying infrastructure, and defenders cannot rely on static indicators. The C2 channel runs over WebSockets and exchanges AES-encrypted messages through which operators push arbitrary JavaScript for execution on infected devices. The open-registration control panel behind Tsundere offers bot building, MSI and PowerShell implant generation, a marketplace for selling custom builds, SOCKS proxy access, and a Monero wallet system, a criminal service model that has kept the botnet active with more than 100 hosts connected at a time. This infrastructure overlaps with the 123 Stealer panel, strengthening attribution to koneko and showing a trend toward consolidated, Node.js-based malware tooling. The cross-platform payloads, dynamic C2 retrieval, and persistent Node.js abuse point to a shift toward decentralized command structures and modular infection chains that complicate network-based detection.

Sturnus Android Banking Trojan Emerges With Full Device Takeover and Encrypted Messaging Bypass

MTI Security researchers have identified Sturnus, a privately operated Android banking trojan that is still under active development but already carries a broad, highly intrusive feature set. The malware combines credential theft via HTML overlays, accessibility-based keylogging, full-screen blocking, and remote control to enable complete compromise of an infected device. Its most concerning capability is its bypass of secure messaging: it does not break the apps' encryption but captures message content after it has been decrypted and rendered on screen, letting operators read WhatsApp, Telegram, and Signal conversations in real time. Analysis of early samples shows targeting focused on Southern and Central Europe, suggesting the operators are tuning overlays and behavior against specific regional banking apps ahead of wider deployment. The communication stack is mature, built on a hybrid command system that uses both HTTP and WebSocket channels with layered RSA and AES encryption. Once installed, Sturnus establishes a persistent encrypted session with its controller, holds device administrator privileges, and continuously monitors its environment to detect removal attempts and analysis conditions. Its remote access tooling supports both full visual streaming and a secondary text-based control channel that reconstructs the entire UI tree for precise interaction even when screen capture is blocked. Together with protections against uninstallation and the ability to execute transactions covertly while the screen is blacked out, Sturnus shows tradecraft ahead of many established Android banking families and signals preparation for a more coordinated campaign once testing concludes.

Top CVEs of the Week

As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.

CVE-2025-64446 | Critical | Fortinet FortiWeb 7.0.x through 8.0.1 | Path traversal
A relative path traversal vulnerability in Fortinet FortiWeb (7.0.0 through 8.0.1) allows an unauthenticated attacker to execute administrative commands on the device by sending crafted HTTP or HTTPS requests. Fortinet reports the flaw has been exploited in the wild; successful exploitation gives full control over the device's configuration and operations.
Mitigation: Upgrade to FortiWeb 8.0.2, 7.6.5, 7.4.10, 7.2.12 or 7.0.12 (or later in each branch) immediately. Until patched, disable HTTP and HTTPS on internet-facing management interfaces and restrict administrative access to trusted networks through segmentation.
CVE-2025-13223 | High | Google Chrome (V8 JavaScript engine) prior to 142.0.7444.175 | Type confusion
A type confusion flaw in Chrome's V8 JavaScript engine, present in versions prior to 142.0.7444.175, lets a remote attacker trigger heap corruption through a crafted HTML page, which can lead to arbitrary code execution inside the renderer sandbox (a separate sandbox-escape bug would be needed to reach the host). Google has stated that an exploit for this CVE exists in the wild.
Mitigation: Update Chrome to 142.0.7444.175 or later (142.0.7444.175/.176 on Windows and macOS) and relaunch the browser so the update takes effect; Chromium-based browsers need their vendors' corresponding releases. Keep automatic updates enabled and use web filtering to reduce exposure to malicious pages.
Summary: 2 CVEs this week, 1 rated critical, both remotely exploitable, patches available for both.
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.