CHINA-ALIGNED threat actors are using a cross-platform, multifunction JScript framework dubbed PeckBirdy to conduct cyber-espionage against gambling sites and government entities, according to Trend Micro threat researchers Ted Lee and Joseph C. Chen in a blog post this week. Trend Micro has tracked PeckBirdy since 2023 and has identified two campaigns, Shadow-Void-044 and Shadow-Earth-045, which target different environments and use the modular backdoors MKDoor and HoloDonut to extend PeckBirdy’s functionality.
In the Shadow-Void campaign, which began in 2023, the attackers targeted Chinese gambling websites, delivering and executing JScript code through malicious scripts and links to remote servers; the backdoors were used to display fake software-update pages that entice victims into downloading further payloads.
The Shadow-Earth campaign, uncovered in July 2024, targeted Asian government entities: PeckBirdy links were injected into government sites to deliver credential-harvesting scripts, and MSHTA was used to execute PeckBirdy as a remote access channel for lateral movement. One July 2024 incident targeted a Philippine educational institution and downloaded files from an IP address linked to Earth Baxia, though the evidence of that group's involvement remains weak.
The researchers note PeckBirdy’s use of living-off-the-land binaries to run across environments and its ability to deploy via multiple vectors, underscoring the need for continuous monitoring and intelligence-driven defence.
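As an added illustration, not code from the Trend Micro report, the following Python scans constructed Sysmon-style process-creation events for the living-off-the-land pattern described above: mshta.exe (generalised here to the other Windows script hosts, wscript.exe and cscript.exe) being handed a remote URL, a UNC path, or an inline javascript:/vbscript: payload rather than a local file. The JSON field names, sample command lines, hostnames and rule names are all assumptions.

```python
import json
import re
from typing import Dict, List

# Constructed JSON-lines process-creation events (Sysmon Event ID 1 style, trimmed
# to the fields the rules need). Illustrative values only, not real telemetry.
SAMPLE_EVENTS = "\n".join([
    r'{"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe https://updates.example.invalid/flash_update.hta"}',
    r'{"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "CommandLine": "mshta.exe javascript:close()"}',
    r'{"Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe C:\\ProgramData\\Vendor\\installer_ui.hta"}',
    r'{"Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wscript.exe //E:JScript \\\\fileshare.example.invalid\\share\\init.js"}',
    r'{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe https://intranet.example.invalid/notes.txt"}',
])

# A script host pulling its payload from somewhere other than local disk:
# an http(s) URL or a UNC/WebDAV path.
REMOTE_SOURCE = re.compile(r"(?i)\bhttps?://|\\\\[\w.-]+\\")
# Script passed inline through a protocol handler instead of a file on disk.
INLINE_PROTOCOL = re.compile(r"(?i)\b(?:javascript|vbscript):")
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

def image_name(path: str) -> str:
    """Basename of an Image/ParentImage path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the rule names this event triggers; empty for non-suspicious events."""
    if image_name(event.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    cmd = event.get("CommandLine", "")
    hits = []
    if REMOTE_SOURCE.search(cmd):
        hits.append("script_host_remote_source")
    if INLINE_PROTOCOL.search(cmd):
        hits.append("script_host_inline_protocol")
    return hits

def scan(jsonl: str) -> List[Dict[str, object]]:
    """Run the rules over JSON-lines telemetry; malformed lines are skipped, not fatal."""
    findings = []
    for lineno, raw in enumerate(jsonl.splitlines(), 1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        rules = classify(event)
        if rules:
            findings.append({"line": lineno, "image": image_name(event["Image"]), "rules": rules})
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the first, second and fourth events; the local .hta launch and the notepad.exe event are left alone, which is the baseline you want before tuning on real telemetry.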