Since 2023, a dangerous malware framework called PeckBirdy has emerged as a primary weapon used by Chinese-aligned hacking groups.
This JavaScript-based tool serves as a command-and-control platform designed to work across multiple system environments, giving attackers remarkable flexibility in how they deploy their attacks.
The framework targets victims in the gambling industry and government organizations throughout Asia, representing a significant evolution in how modern attack groups operate.
PeckBirdy operates by injecting malicious code into websites that victims visit regularly. When users land on compromised pages, hidden scripts download and activate the PeckBirdy framework silently in the background.
The malware then tricks victims into thinking their web browser needs an urgent update, displaying convincing fake Google Chrome update pages.
Unsuspecting users download what appears to be a legitimate software patch but is actually a sophisticated backdoor program designed to give attackers full control of their systems.
.webp "China-Aligned APTs Use PeckBirdy C&C Framework in Multi-Vector Attacks, Exploiting Stolen Certificates 3")
The attacks unfold across two distinct campaigns tracked as SHADOW-VOID-044 and SHADOW-EARTH-045.
Trend Micro analysts identified the malware after discovering evidence of its deployment on compromised Chinese gambling websites in 2023, which led researchers to uncover the full scope of the framework’s capabilities and track its operational infrastructure across multiple attack phases.
Infection Mechanism and Persistence Strategy
The technical sophistication of PeckBirdy lies in how it blends older, outdated scripting languages with modern attack techniques.
.webp "China-Aligned APTs Use PeckBirdy C&C Framework in Multi-Vector Attacks, Exploiting Stolen Certificates 4")
Developers built the framework using JScript, an ancient Microsoft scripting language, specifically because it allows the code to run on virtually every Windows system without raising suspicion.
This choice demonstrates how attackers deliberately select old technologies to bypass modern security tools that focus on detecting newer threats.
.webp "China-Aligned APTs Use PeckBirdy C&C Framework in Multi-Vector Attacks, Exploiting Stolen Certificates 5")
Once installed, PeckBirdy creates a unique identifier for each infected computer by extracting hardware information from the victim’s motherboard and hard drive, then converting this data into an encrypted identifier.
The malware preserves this ID in a hidden file on the system, allowing the attackers to recognize the same victim during future infections.
To maintain persistent access, PeckBirdy communicates with command servers using an encrypted protocol, constantly checking for new instructions while remaining invisible to security software monitoring for suspicious network traffic.
.webp "China-Aligned APTs Use PeckBirdy C&C Framework in Multi-Vector Attacks, Exploiting Stolen Certificates 6")
What makes this framework particularly dangerous is that it delivers secondary backdoors like HOLODONUT and MKDOOR, which expand the attackers’ capabilities beyond initial access.
These modules can execute arbitrary commands, steal credentials, and establish reverse shell connections that provide attackers with complete remote access to compromised networks.
Organizations should implement robust network monitoring and educate employees about social engineering tactics to defend against these persistent threats.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
