A previously undocumented script-based command-and-control (C2) framework has been linked to multiple cyber campaigns targeting gambling companies, government bodies and private organizations across Asia.
The framework, dubbed PeckBirdy, has been active since 2023 and has been attributed to China-aligned advanced persistent threat (APT) groups based on observed infrastructure and tactics.
PeckBirdy is built using JScript, an older scripting language that allows it to operate across a wide range of execution environments.
This design enables attackers to deploy the framework using living-off-the-land binaries (LOLBins), adapting it for different stages of an attack. Researchers observed it functioning as a watering-hole controller, a reverse shell and a C2 server, depending on context.
Two Separate Campaigns
Two campaigns using PeckBirdy have been identified by Trend Micro and tracked as SHADOW-VOID-044 and SHADOW-EARTH-045.
The first focused largely on Chinese gambling websites, where malicious scripts were injected to deliver fake Google Chrome update prompts. Victims who downloaded the updates unknowingly installed attacker-controlled backdoors.
The second campaign, observed in July 2024, targeted Asian government entities and private organizations. In these cases, PeckBirdy links were embedded into compromised government websites or executed via MSHTA to enable credential harvesting and lateral movement.
Read more on malicious JavaScript frameworks: Threat Actors Shift to JavaScript-Based Phishing Attacks
Modular Backdoors Extend Capabilities
PeckBirdy’s core functionality is supplemented by at least two modular backdoors, HOLODONUT and MKDOOR, both linked to SHADOW-VOID-044. These tools allow attackers to extend functionality after initial compromise.
Key capabilities observed include:
-
Delivery of additional payloads via modular plugins
-
In-memory execution to reduce forensic visibility
-
Use of social engineering and browser exploits to gain access
HOLODONUT is a .NET-based backdoor that disables security features such as AMSI before executing payloads in memory. MKDOOR, by contrast, disguises its network traffic as legitimate Microsoft support or activation pages and attempts to evade Microsoft Defender by altering exclusion settings.
Infrastructure overlaps and shared tooling suggest SHADOW-VOID-044 is linked with UNC3569, a China-aligned group previously associated with the GRAYRABBIT backdoor.
Some samples also used stolen code-signing certificates to legitimize malicious Cobalt Strike payloads. SHADOW-EARTH-045 showed weaker but notable ties to activity previously attributed to Earth Baxia.
“Detecting malicious JavaScript frameworks remains a significant challenge due to their use of dynamically generated, runtime-injected code and the absence of persistent file artifacts, enabling them to evade traditional endpoint security controls,” Trend Micro wrote.
“In this environment, adaptability and continuous refinement of defensive strategies are no longer optional, but fundamental to maintaining operational integrity in an increasingly hostile digital landscape.”
