CHINESE APTs are operating across Asia with the PeckBirdy C2 framework, deploying it on Chinese gambling sites to deliver modular backdoors such as Holodonut and MKDoor and to load additional PeckBirdy scripts for reverse shells and Chrome browser exploits (CVE-2020-16040).
Trend Micro has linked two campaigns using PeckBirdy to threat actors it tracks as Shadow-Void-044 and Shadow-Earth-045, the latter tentatively associated with Earth Baxia and targeting both private organisations and government-affiliated targets across Asia. A second campaign, active since at least July 2024, is described as more diverse in methods and targeting, again involving PeckBirdy and linked to a group called TheWizards via a stolen certificate found in one backdoor.
The analysts note that PeckBirdy’s use of an old scripting language (JScript) and living-off-the-land binaries lets it adapt to different environments, whether running in a browser, NodeJS, WScript, or classic ASP. Trend Micro emphasises that the boundary between cybercrime and cyberespionage is blurred, with the same tool being used both to infect casual visitors to gambling sites and to compromise government employees at their desks.