Beyond the Watering Hole: APT24's Pivot to Multi-Vector Attacks

    Date: 11/21/2025

    Severity: High

    Summary

    APT24, a PRC-nexus threat actor, has been running a cyber-espionage campaign spanning three years that leverages BADAUDIO, a heavily obfuscated first-stage downloader used to establish persistent access in victim networks. After previously relying on broad watering-hole compromises, APT24 has shifted to more advanced and targeted attack vectors, particularly against organizations in Taiwan, such as repeatedly compromising a regional digital marketing firm to conduct supply chain attacks and carrying out focused phishing campaigns. The research findings help protect users: identified malicious infrastructure is added to blocklists, and affected organizations are notified so they can remediate and prevent future compromises.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "www.availableextens.com" or siteurl like "www.availableextens.com" or url like "www.availableextens.com" or domainname like "www.growhth.com" or siteurl like "www.growhth.com" or url like "www.growhth.com" or domainname like "www.cundis.com" or siteurl like "www.cundis.com" or url like "www.cundis.com" or domainname like "wispy.geneva.workers.dev" or siteurl like "wispy.geneva.workers.dev" or url like "wispy.geneva.workers.dev" or domainname like "roller.johallow.workers.dev" or siteurl like "roller.johallow.workers.dev" or url like "roller.johallow.workers.dev"

    Detection Query 2:

    sha256hash IN ("f086c65954f911e70261c729be2cdfa2a86e39c939edee23983090198f06503c","176407b1e885496e62e1e761bbbb1686e8c805410e7aec4ee03c95a0c4e9876f","c7565ed061e5e8b2f8aca67d93b994a74465e6b9b01936ecbf64c09ac6ee38b9","f1e9d57e0433e074c47ee09c5697f93fde7ff50df27317c657f399feac63373a","9ce49c07c6de455d37ac86d0460a8ad2544dc15fb5c2907ed61569b69eefd182","88fa2b5489d178e59d33428ba4088d114025acd1febfa8f7971f29130bda1213","032c333eab80d58d60228691971d79b2c4cd6b9013bae53374dd986faa0f3f4c","ae8473a027b0bcc65d1db225848904e54935736ab943edf3590b847cb571f980","0e98baf6d3b67ca9c994eb5eb9bbd40584be68b0db9ca76f417fb3bcec9cf958","55e02a81986aa313b663c3049d30ea0158641a451cb8190233c09bef335ef5c7","07226a716d4c8e012d6fabeffe2545b3abfc0b1b9d2fccfa500d3910e27ca65b","5c37130523c57a7d8583c1563f56a2e2f21eef5976380fdb3544be62c6ad2de5","1f31ddd2f598bd193b125a345a709eedc3b5661b0645fc08fa19e93d83ea5459","c4e910b443b183e6d5d4e865dd8f978fd635cd21c765d988e92a5fd60a4428f5","2ea075c6cd3c065e541976cdc2ec381a88b748966f960965fdbe72a5ec970d4e","d23ca261291e4bad67859b5d4ee295a3e1ac995b398ccd4c06d2f96340b4b5f8","cfade5d162a3d94e4cba1e7696636499756649b571f3285dd79dea1f5311adcd","83fb652af10df4574fa536700fa00ed567637b66f189d0bbdb911bd2634b4f0e")
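    An added example, not from the advisory or from Gurucul's platform: a stand-alone Python matcher that applies the logic of Detection Query 1 (domain/URL fields) and Detection Query 2 (sha256hash field) to constructed log records, adding the hostname normalisation, case folding and subdomain matching that the queries' literal comparisons leave implicit. The IOC subset and field names are taken from the queries above; the sample records are constructed and the helper names are assumptions.

```python
from urllib.parse import urlparse

# IOC values taken from the advisory's two detection queries (subset shown).
IOC_DOMAINS = {
    "www.availableextens.com", "www.growhth.com", "www.cundis.com",
    "wispy.geneva.workers.dev", "roller.johallow.workers.dev",
}
IOC_SHA256 = {
    "f086c65954f911e70261c729be2cdfa2a86e39c939edee23983090198f06503c",
    "88fa2b5489d178e59d33428ba4088d114025acd1febfa8f7971f29130bda1213",
}

def host_of(value):
    # Normalise a bare domain or a full URL to a lowercase hostname.
    if not value:
        return None
    if "://" not in value:
        value = "//" + value          # make urlparse treat it as a netloc
    host = urlparse(value).hostname
    return host.lower().rstrip(".") if host else None

def domain_hit(value):
    # Exact IOC host or any subdomain of it; a plain substring test would
    # also fire on unrelated hosts whose names merely contain the IOC.
    host = host_of(value)
    if host is None:
        return None
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def match_record(rec):
    # Mirror Query 1 (three URL/domain fields) and Query 2 (sha256hash field).
    hits = []
    for field in ("domainname", "siteurl", "url"):
        ioc = domain_hit(rec.get(field))
        if ioc:
            hits.append(("Detection Query 1", field, ioc))
    digest = (rec.get("sha256hash") or "").strip().lower()
    if digest in IOC_SHA256:
        hits.append(("Detection Query 2", "sha256hash", digest))
    return hits

# Constructed sample records (not real telemetry); field names follow the queries.
SAMPLE_LOGS = [
    {"url": "https://WWW.growhth.com/assets/app.js"},
    {"domainname": "cdn.wispy.geneva.workers.dev"},
    {"sha256hash": "F086C65954F911E70261C729BE2CDFA2A86E39C939EDEE23983090198F06503C"},
    {"url": "https://example.org/index.html", "sha256hash": "00" * 32},
]

def scan(records=SAMPLE_LOGS):
    # (record index, hit) pairs for every IOC match in the batch.
    return [(i, hit) for i, rec in enumerate(records) for hit in match_record(rec)]
```

    Note that, like the query's literal `www.` forms, the matcher does not fire on the bare apex (e.g. `growhth.com`); widen IOC_DOMAINS if your telemetry records apex names.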

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/apt24-pivot-to-multi-vector-attacks/
