When Outsiders Act Like Insiders: APT24’s Campaign of Trusted Access

Insider threats are often considered the most dangerous risk in cybersecurity. Employees and contractors already have legitimate access, and when that trust is abused, the damage can be immediate. But what happens when an external adversary learns to mimic insider behavior so effectively that they appear to be operating from within? That is exactly what we see in the latest campaign from APT24, also known as Pitty Tiger, a China-nexus espionage group.

Who is APT24?

APT24 has been active since at least 2008, with early campaigns relying on spear phishing and Office document exploits. Their mission has consistently focused on intellectual property theft and geopolitical intelligence gathering. Over the years, they have targeted government agencies, healthcare providers, telecom firms, construction companies, and non-profits across Asia and the United States.

The BADAUDIO Campaign

Between late 2022 and September 2025, researchers uncovered a sprawling operation centered on a custom malware family called BADAUDIO.

  • Malware design: Written in C++, using DLL search-order hijacking for execution and AES-encrypted payloads.
  • Stealth: Collected system information and communicated with command-and-control servers using cookie-based beaconing, so the traffic resembles ordinary web requests.
  • Persistence: Delivered second-stage payloads such as Cobalt Strike beacons for long-term access and lateral movement.
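The cookie-based beaconing described above is the kind of traffic that blends into normal web activity. One way a defender can surface it from proxy logs is to look for the two things beacons tend to share: unusually regular request timing to a single host and a cookie value that is different on every request and looks random rather than like a session token. The following is an added example written for this article, not code from the original page and not BADAUDIO or APT24 tooling; the log format, hosts, client addresses and cookie values are constructed for illustration, and the thresholds (`max_cv`, `min_cookie_entropy`) are assumptions to tune against your own baseline.

```python
"""Flag periodic, cookie-rotating requests in proxy logs (defender-side heuristic).

Added example for illustration; not part of the original article and not any
real malware's protocol. Log lines, hosts and cookie values are constructed.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format: "<iso timestamp> <client_ip> <host> <method> <path> <cookie>"
SAMPLE_LOG = """\
2025-09-01T10:00:00 10.0.0.5 cdn.example-vendor.test GET /lib/app.js -
2025-09-01T10:00:05 10.0.0.5 updates.example.test POST /check.php id=8f3a1c9e77b2d04a
2025-09-01T10:01:05 10.0.0.5 updates.example.test POST /check.php id=b7e2d19c4a0f6e83
2025-09-01T10:02:05 10.0.0.5 updates.example.test POST /check.php id=3c9d0a7e5b1f2846
2025-09-01T10:03:06 10.0.0.5 updates.example.test POST /check.php id=e1a4f8c2d7b3950c
2025-09-01T10:04:05 10.0.0.5 updates.example.test POST /check.php id=5d2b9f0a8e6c1374
2025-09-01T10:00:30 10.0.0.7 www.example-news.test GET / session=abc
2025-09-01T10:12:10 10.0.0.7 www.example-news.test GET /story/1 session=abc
2025-09-01T10:15:44 10.0.0.7 www.example-news.test GET /story/2 session=abc
2025-09-01T10:41:02 10.0.0.7 www.example-news.test GET /story/3 session=abc
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, path, cookie = line.split(maxsplit=5)
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "host": host, "method": method, "path": path, "cookie": cookie})
    return records


def shannon_entropy(s):
    """Bits per character; random hex tops out near 4.0, words sit well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def interval_cv(timestamps):
    """Coefficient of variation of inter-request gaps; lower means more regular."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def find_beacons(records, max_cv=0.2, min_requests=4, min_cookie_entropy=3.0):
    """Return (client, host) pairs whose timing is regular and whose cookie rotates."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r)
    findings = []
    for (client, host), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        cv = interval_cv([r["ts"] for r in reqs])
        if cv is None or cv > max_cv:
            continue
        # A value that changes on every request and looks random suggests an
        # encoded payload rather than a session identifier.
        cookies = {r["cookie"] for r in reqs}
        rotating = len(cookies) == len(reqs)
        entropy = statistics.mean(shannon_entropy(c.partition("=")[2]) for c in cookies)
        if rotating and entropy >= min_cookie_entropy:
            findings.append({"client": client, "host": host, "requests": len(reqs),
                             "interval_cv": round(cv, 3), "cookie_entropy": round(entropy, 2)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed sample, the client that posts every minute with a fresh random-looking `id` cookie is flagged, while the browsing session with a stable cookie and irregular timing is not. The heuristic produces false positives for legitimate pollers (software updaters, monitoring agents), so treat a hit as a lead to enrich with destination reputation and process context rather than as a verdict.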

This malware was not dropped randomly. It was deployed through watering-hole attacks, spear-phishing emails, and most notably, repeated compromises of a Taiwanese digital marketing firm that serviced more than 1,000 domains. By injecting malicious code into trusted JavaScript libraries and JSON files that firm served, APT24 infiltrated organizations through the very supply chains they relied on daily.
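Because the injected code arrived through files the victims already trusted, the practical control is to pin what was reviewed and refuse anything that differs. The following is an added example, not code from the original article or from the compromised firm: it records Subresource Integrity style digests for a reviewed set of vendor assets and later compares what is actually served against them. Asset names and contents are constructed; the manifest layout and the choice to canonicalize JSON before hashing (so a harmless reformat does not trip the check) are design assumptions.

```python
"""Pin and verify third-party web assets (JS and JSON) against reviewed digests.

Added example for illustration; not part of the original article. Assets and
their contents are constructed; adapt the manifest storage to your pipeline.
"""
import base64
import hashlib
import hmac
import json


def normalize(name: str, data: bytes) -> bytes:
    """Hash JSON by its canonical form so whitespace-only changes are not flagged;
    hash everything else byte for byte."""
    if name.endswith(".json"):
        return json.dumps(json.loads(data), sort_keys=True,
                          separators=(",", ":")).encode()
    return data


def sri_digest(name: str, data: bytes, algo: str = "sha384") -> str:
    """Return an SRI-style string such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, normalize(name, data)).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def build_manifest(reviewed: dict) -> dict:
    """Pin every reviewed asset; store the result with your deployment, not with the vendor."""
    return {name: sri_digest(name, data) for name, data in reviewed.items()}


def verify_assets(manifest: dict, served: dict) -> dict:
    """Map each asset to 'ok', 'modified', 'missing' or 'unexpected' (not in the manifest)."""
    results = {}
    for name, pinned in manifest.items():
        if name not in served:
            results[name] = "missing"
        elif hmac.compare_digest(sri_digest(name, served[name]), pinned):
            results[name] = "ok"
        else:
            results[name] = "modified"
    for name in served:
        if name not in manifest:
            results[name] = "unexpected"
    return results


def script_tag(src: str, manifest: dict) -> str:
    """Emit a <script> tag whose integrity attribute lets the browser enforce the pin."""
    return f'<script src="{src}" integrity="{manifest[src]}" crossorigin="anonymous"></script>'


# Constructed "reviewed release" of a vendor's assets.
REVIEWED = {
    "lib/app.js": b"function init(){console.log('ok');}\n",
    "config.json": b'{"cdn": "https://cdn.example-vendor.test", "features": ["a", "b"]}',
}

# Constructed "what the vendor is serving now": app.js has an appended, unreviewed
# change, config.json is merely reformatted, and a file nobody reviewed has appeared.
SERVED = {
    "lib/app.js": REVIEWED["lib/app.js"] + b"/* unreviewed change */\n",
    "config.json": b'{\n  "features": ["a", "b"],\n  "cdn": "https://cdn.example-vendor.test"\n}\n',
    "lib/extra.js": b"/* not in the reviewed release */\n",
}

if __name__ == "__main__":
    manifest = build_manifest(REVIEWED)
    for name, status in sorted(verify_assets(manifest, SERVED).items()):
        print(f"{status:10} {name}")
    print(script_tag("lib/app.js", manifest))
```

The same digest doubles as the `integrity` attribute on the script tag, which moves enforcement into the browser for assets loaded from the vendor's origin. The weak spot is the manifest itself: if it is regenerated automatically from whatever the vendor serves, the check degrades to "hash matches hash" and a compromised release passes, so pin only what a person reviewed.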

Mimicking Insider Access

What makes APT24’s campaign feel so much like an insider threat is the way they exploited trust. Instead of brute-forcing their way into networks, they compromised a vendor that already had legitimate relationships with target organizations. From the victim’s perspective, the malicious traffic looked like it was coming from a trusted partner. In effect, APT24 turned a third-party supplier into a proxy insider.

This tactic blurred the line between external intrusion and insider misuse. The attackers did not need to recruit employees. By embedding themselves into trusted workflows, they achieved insider-like visibility and persistence.

Strategic Impact

APT24’s campaign focused heavily on Taiwan’s government, healthcare, and telecom sectors, while also hitting U.S. construction and non-profit organizations. The goals were clear: intellectual property theft and geopolitical intelligence. Yet the way they achieved those goals is what makes this case so relevant to insider threat discussions. By compromising the same vendor multiple times, APT24 demonstrated persistence and adaptability that mirror the access patterns of insiders who know the environment well.

Lessons for Security Leaders

  • Insider threats are not limited to employees. External adversaries can simulate insider behavior by exploiting supply chains, abusing cloud services, or embedding themselves in identity systems.
  • Vendor ecosystems are high-risk. APT24’s repeated compromise of a marketing firm shows how third-party providers can become proxy insiders.
  • Detection must evolve. Traditional perimeter defenses are not enough, because the traffic arrives from a trusted source. Insider threat programs should expand to include external actors who operate with insider-like precision.

Conclusion

APT24’s campaign is a reminder that the line between insider and outsider is blurring. When attackers compromise vendors or inject themselves into trusted workflows, they effectively become insiders in all but name. Organizations that fail to recognize this risk will continue to be blindsided by adversaries who do not need to recruit employees to act like them.

David Avatar
