Cybersecurity researchers have uncovered a flexible command-and-control (C&C) framework, dubbed ‘PeckBirdy,’ that has been used by China-aligned state-backed threat actors since at least 2023 to compromise a range of environments.
PeckBirdy is written in JScript, so it needs no dropped binary of its own: it runs under script hosts that are already present on the system, so-called living-off-the-land binaries (LOLBins). According to Trend Micro researchers, this is what lets the same framework execute in web browsers, MSHTA, WScript, Classic ASP, Node.js, and even inside .NET applications via the ScriptControl component.
Trend Micro first discovered PeckBirdy in 2023 after observing malicious script injections on Chinese gambling websites. The scripts were used to deliver payloads that redirected users to fake Google Chrome update pages, tricking them into installing malware. This activity is tracked as SHADOW-VOID-044.
A second campaign, SHADOW-EARTH-045, observed in July 2024, targeted Asian government websites and private organizations, including a Philippine educational institution, with injected scripts likely aimed at credential harvesting.
Once executed, PeckBirdy identifies its runtime environment, generates a persistent victim ID, and establishes communication with its server (mainly via WebSockets).
“If WebSocket is not supported, it attempts to detect the presence of Adobe Flash, after which it will create a Flash ActiveX object to establish TCP socket communication (for compatibility in older environments, despite Flash itself being discontinued in 2020),” the researchers explain.
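To make the polyglot behaviour described above concrete, here is an added example written for this page; it is not PeckBirdy's code, nor Trend Micro's. It shows how one JScript/JavaScript file can tell which host is running it from the globals that host exposes, and how the WebSocket-then-Flash transport choice quoted above can be expressed. The functions take the global object as a parameter so they can be exercised against constructed stand-in hosts; those stand-ins, the string labels returned, and the `profileHost` helper are assumptions of this example. Nothing here connects anywhere or executes anything; every check is a read-only capability probe.

```javascript
// Added example, not PeckBirdy's own code. Written in ES3-compatible style
// (var, function) so the same file would parse under JScript as well as Node.
// The host objects probed (WScript, Server, Response, window, document,
// ActiveXObject, WebSocket, process) are the real globals of those hosts;
// the labels returned are this example's own.

// Classify the host from the globals it exposes. `g` is the global object:
// pass `this` from top-level code in a browser, MSHTA, WScript or ASP script,
// or `globalThis` where that exists (Node, modern browsers).
function detectRuntime(g) {
  if (g.WScript && typeof g.WScript.Echo === "function") return "wscript";
  if (g.process && g.process.versions && g.process.versions.node) return "node";
  if (g.Server && g.Response) return "asp";        // Classic ASP intrinsic objects
  if (g.window && g.document) return "browser";     // also MSHTA, which hosts a DOM
  return "unknown";
}

// Transport selection as described in the article: prefer WebSocket, otherwise
// look for Flash through ActiveX (only IE, MSHTA and WScript expose
// ActiveXObject), otherwise report that no transport is available.
function pickTransport(g) {
  if (typeof g.WebSocket === "function") return "websocket";
  if (typeof g.ActiveXObject === "function") {
    try {
      // Classic Flash detection on IE: instantiating the control throws when
      // Flash is not installed. Creating it opens no socket by itself.
      new g.ActiveXObject("ShockwaveFlash.ShockwaveFlash");
      return "flash-activex";
    } catch (e) {
      // Flash absent; fall through
    }
  }
  return "none";
}

// Hypothetical helper combining both probes into one host profile.
function profileHost(g) {
  return {
    runtime: detectRuntime(g),
    transport: pickTransport(g),
    activex: typeof g.ActiveXObject === "function"
  };
}

// Constructed stand-ins for the global objects of each host (not captured
// from real systems) so the functions can be exercised offline.
var fakeHosts = {
  chrome: { window: {}, document: {}, WebSocket: function () {} },
  ie: {
    window: {}, document: {},
    ActiveXObject: function (progId) {
      if (progId !== "ShockwaveFlash.ShockwaveFlash") throw new Error("no such control");
    }
  },
  wscript: {
    WScript: { Echo: function () {} },
    ActiveXObject: function () { throw new Error("no such control"); }
  },
  node: { process: { versions: { node: "20.11.0" } } },
  asp: { Server: {}, Response: {} }
};

var hostName;
for (hostName in fakeHosts) {
  var p = profileHost(fakeHosts[hostName]);
  console.log(hostName + ": runtime=" + p.runtime + " transport=" + p.transport + " activex=" + p.activex);
}
```

The same probes read backwards are a hunting signal: a single script that references WScript, Server and Response, window and document, and ActiveXObject("ShockwaveFlash.ShockwaveFlash") has no legitimate reason to care about all of those hosts at once.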
The server then delivers second-stage scripts, some capable of stealing cookies or deploying additional malware. Researchers also identified supporting infrastructure hosting exploit code, social engineering scripts, and backdoors such as HOLODONUT and MKDOOR, both modular tools designed to load and manage malicious plugins.
Trend Micro has also discovered additional script files hosted on one of PeckBirdy’s servers linked to SHADOW-VOID-044, including an exploitation script for a Google Chrome flaw (CVE-2020-16040); scripts for social engineering pop-ups designed to deceive victims into downloading and executing malicious files; scripts for delivering additional backdoors that are executed via Electron JS; and scripts for establishing reverse shells via TCP sockets.
Based on several artifacts, Trend Micro believes that the SHADOW-VOID-044 and SHADOW-EARTH-045 campaigns could be linked to different China-aligned APT actors. In the SHADOW-VOID-044 incident, the researchers observed a modified version of the GRAYRABBIT backdoor previously associated with the UNC3569 cluster. They also found the HOLODONUT backdoor, which is likely related to another backdoor called ‘WizardNet,’ previously reported as being used by the TheWizard APT group.
In the case of SHADOW-EARTH-045, the IP address from which the files were downloaded was previously linked to the Earth Baxia group, although the researchers note that “the attribution linking SHADOW-EARTH-045 to Earth Baxia remains low confidence for now.”