PeckBirdy

PeckBirdy is a JScript-based command-and-control framework observed since 2023 in campaigns linked to China-aligned threat actors. It is designed for flexible deployment across multiple execution environments, including browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET ScriptControl, and abuses living-off-the-land binaries to operate in diverse contexts. The framework performs environment detection to adapt behavior, generates victim identifiers, and communicates primarily over WebSocket, with fallbacks including Flash ActiveX TCP sockets and HTTP/AJAX-based Comet or LocalComet. Reported communications are AES-encrypted and Base64-encoded, using a predefined 32-character ATTACK_ID as the key.

PeckBirdy has been associated with two tracked campaigns: SHADOW-VOID-044 and SHADOW-EARTH-045. SHADOW-VOID-044, active since 2023, targeted Chinese gambling websites and the broader Chinese gambling industry through script injection and fake Google Chrome update lures that delivered malware. Infrastructure tied to this activity also hosted second-stage content including social-engineering pop-ups, reverse shell functionality, Electron-delivered backdoors, and a script exploiting Google Chrome vulnerability CVE-2020-16040. SHADOW-EARTH-045, observed from July 2024, targeted Asian government entities and private organizations, including a Philippine educational institution, and used injected website content for likely credential harvesting. In one reported case, attackers used MSHTA to launch PeckBirdy on a compromised IIS server; the activity also involved compromised GitHub infrastructure.

The framework has been used to deliver modular backdoors including HOLODONUT and MKDOOR. HOLODONUT is described as a .NET modular backdoor delivered via NEXLOAD, with AMSI/ETW evasion and Donut-based in-memory execution. MKDOOR is described as a modular or two-module backdoor system whose downloader adds Microsoft Defender exclusions and disguises traffic as legitimate Microsoft support or activation traffic. Additional malware and tooling observed in related infrastructure include GRAYRABBIT and Cobalt Strike.

Attribution in the reporting links PeckBirdy activity to multiple China-aligned clusters with varying confidence. SHADOW-VOID-044 was assessed with moderate-to-high confidence as linked to UNC3569 based on shared C2 infrastructure, overlapping victimology, and GRAYRABBIT usage. Reporting also noted HOLODONUT infrastructure overlap with activity associated with TheWizard, and low-confidence links between SHADOW-EARTH-045 and Earth Baxia. Reported targets include the gambling industry, Asian government entities, private organizations, and a Philippine educational institution. Detection is described as difficult because PeckBirdy relies on dynamically generated, runtime-injected JavaScript and often leaves limited persistent file artifacts.