SHADOW-EARTH-045

SHADOW-EARTH-045 is a temporary intrusion set label used by Trend Micro for a PeckBirdy (aka PickBirdy) JScript-based command-and-control framework campaign first observed in July 2024. The activity is assessed as likely China-aligned, but specific attribution is uncertain; Trend Micro notes only a low-confidence link to the actor it tracks as Earth Baxia based on infrastructure overlap (including downloads from 47.238.184.9, described as previously linked to Earth Baxia, and mention of shared PeckBirdy domain/IP in reporting on attacks against an African government IT organization). Operations attributed to SHADOW-EARTH-045 targeted Asian government entities and private organizations, including a Philippine educational institution (observed July 2024). Tactics described include website injection/watering-hole style delivery: injecting PeckBirdy links into government websites (including at least one government system login page) to deliver scripts assessed as credential-harvesting. Execution and access methods include living-off-the-land and script-host abuse: use of MSHTA to retrieve content from github.githubassets.net to launch PeckBirdy, and use of a custom .NET executable leveraging the legacy ScriptControl component to trigger PeckBirdy in another case. PeckBirdy’s design (dynamically generated/runtime-injected JavaScript with limited file artifacts) is highlighted as complicating detection. Associated tooling/capabilities mentioned in the reporting include use of PeckBirdy as a remote access channel for lateral movement, and delivery/association with modular backdoors including MKDOOR and HOLODONUT; the content also states SHADOW-EARTH-045 used GRAYRABBIT and HOLODONUT in the broader PeckBirdy activity context, with HOLODONUT assessed as likely linked to WizardNet used by an APT referred to as TheWizard.