Tuesday, January 27, 2026


China-linked hackers deploy PeckBirdy framework in long-running cyber campaigns

Security researchers have uncovered a JavaScript-based command-and-control framework named PeckBirdy that has been actively used since 2023 by China-aligned advanced threat groups. The framework has been linked to attacks across multiple environments, targeting Chinese gambling platforms as well as government bodies and private organizations in Asia, according to findings shared by a cybersecurity firm.

Researchers explained that PeckBirdy is built using JScript, an older scripting language, to ensure it can run across many systems using living-off-the-land binaries. “PeckBirdy is a script based framework which, while possessing advanced capabilities, is implemented using JScript, an old script language,” researchers Ted Lee and Joseph C Chen said. “This is to ensure that the framework could be launched across different execution environments via LOLBins (living off the land binaries).” The activity was first noticed in 2023 when malicious scripts were injected into gambling websites to deliver fake Google Chrome update pages and infect user devices. This campaign is tracked as SHADOW VOID 044.

A second intrusion set using PeckBirdy, called SHADOW EARTH 045, was observed from July 2024. It targeted Asian government entities and private organizations, including a Philippine educational institution. In these attacks, malicious PeckBirdy links were injected into government websites, sometimes on login pages, to harvest credentials. In another case, attackers used MSHTA to run PeckBirdy for lateral movement. “These findings demonstrate the versatility of PeckBirdy’s design, which enables it to serve multiple purposes,” the cybersecurity firm noted.

PeckBirdy can operate across web browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET ScriptControl. It uses WebSocket communication by default, with fallback options like Adobe Flash ActiveX or Comet. Once connected, the server sends a second-stage script, including tools to steal cookies, exploit the Google Chrome V8 flaw CVE-2020-16040 (CVSS score 6.5), deploy backdoors via Electron JS, or create reverse shells. Further analysis linked the campaigns to backdoors named HOLODONUT and MKDOOR and suggested possible ties to multiple China-aligned threat actors. “Detecting malicious JavaScript frameworks remains a significant challenge,” researchers said, citing their ability to evade traditional security controls.
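As an added defender-side illustration (not code from the researchers or the article), the check below triages constructed process-creation events for the launch pattern the article describes: a script host such as mshta.exe or wscript.exe handed a remote script, an explicit JScript engine switch, a script file hiding behind a non-script extension, or a script host spawned by a browser (as in a fake update page). Field names follow Sysmon-style event fields; the sample events are constructed.

```python
import re

# Constructed sample process-creation events (Sysmon-style field names), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://update-check.example/chrome.hta",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //E:jscript C:\Users\Public\loader.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",          # benign-looking local installer page
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
REMOTE_RE = re.compile(r"\b(?:https?|wss?)://", re.IGNORECASE)   # http(s) or WebSocket URL
ENGINE_SWITCH_RE = re.compile(r"//E:jscript", re.IGNORECASE)      # WScript engine override
SCRIPT_EXT_RE = re.compile(r"\.(hta|js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)


def classify(event):
    """Return the reasons (possibly none) an event looks like a LOLBin-hosted script launch."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return []
    cmd = event["CommandLine"]
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    args = cmd.split(None, 1)[1] if " " in cmd else ""
    reasons = []
    if REMOTE_RE.search(cmd):
        reasons.append("script host fetching a remote script")
    if ENGINE_SWITCH_RE.search(cmd):
        reasons.append("explicit JScript engine selection")
    if args and not SCRIPT_EXT_RE.search(args):
        reasons.append("script argument without a script extension")
    if parent in BROWSERS:
        reasons.append("spawned by a browser")
    return reasons


def triage(events):
    """Keep only events that raised at least one reason, paired with those reasons."""
    flagged = [(e["Image"], classify(e)) for e in events]
    return [(image, reasons) for image, reasons in flagged if reasons]
```

Each reason is a weak signal on its own; a local .hta launched by an installer (the third event) is deliberately left unflagged so the rule is tuned toward combinations rather than any one indicator.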
