PeckBirdy the JScript frame that operates on browsers and opens doors without a trace

Published · 6 min read · 145 reads

Security researchers have identified a JScript-based command and control framework that China-aligned actors have been using since 2023. At the centre of the campaign is a set of scripts known as PeckBirdy, a lightweight but versatile platform that takes advantage of old scripting technologies to open remote channels without leaving a persistent trace on disk.

What is striking about PeckBirdy is not so much its sophistication as its adaptability: it can run in web browsers, through MSHTA, WScript, Classic ASP and Node.js, and even from .NET via ScriptControl. This multi-platform capability lets it blend in with what are known as "living-off-the-land binaries", a tactic that greatly complicates traditional detection. Trend Micro has published a detailed analysis of how this threat works and how it has evolved, recommended reading for anyone who wants to go deeper: Trend Micro report on PeckBirdy.


The delivery mechanism observed in one of the first waves was the injection of scripts into Chinese betting websites. These scripts act as remote loaders: they contact a control server with a campaign identifier (a 32-character ATTACK ID) and from there download the next stage, which can vary according to the execution environment. Each recipient receives a "landing script" adapted to its context, which enables both credential-theft operations and the installation of more complex backdoors.

Communication with the server is usually based on WebSockets, but PeckBirdy has fallbacks: it uses ActiveX objects (for example Adobe Flash in older scenarios) or Comet techniques when WebSocket is not available. After initialization, the script generates a unique identifier for the victim, persists it and uses it in subsequent communications, which makes it easy to manage multiple targets remotely from the command and control infrastructure.

Among the artifacts found on servers associated with the campaign, researchers found everything from utilities for stealing cookies to scripts that attempt to exploit vulnerabilities in browser engines. In particular, an exploit appeared that targeted a flaw in Google Chrome's V8 engine (referred to as CVE-2020-16040), which had been patched in 2020. They also detected social-engineering pop-ups that imitate legitimate Chrome updates to induce the user to download malicious executables.

The offensive infrastructure also yielded two modular backdoors that the attackers use to maintain access: HOLODONAT, a .NET backdoor that is deployed through a loader called NEXLOAD and that supports plugins; and MKDOOR, another modular backdoor able to load, execute or remove modules. These tools allow the operation to progress from the initial intrusion to sustained espionage or lateral movement within compromised networks.

Trend Micro has identified at least two intrusion sets using PeckBirdy. One, tracked as SHADOW-VOID-044, has mainly affected betting sites in China and has served as a vector for distributing payloads and exploits. The other, called SHADOW-EARTH-045 and observed since July 2024, has targeted government institutions and private organizations in Asia, including an educational institution in the Philippines, where malicious links were injected into login pages to capture credentials.

Analysts do not attribute everything to a single organization, but they see clues pointing to the involvement of different groups with similar support or tactics. Among these signs are the presence of the GRAYRABBIT backdoor on servers linked to SHADOW-VOID-044 (GRAYRABBIT analysis), overlaps in the certificates used to sign payloads, and similarities with past campaigns attributed to actors such as Earth Lusca or APT41. These connections are not conclusive on their own, but they help build a picture of actors who share infrastructure and methods.

From the defender's point of view, PeckBirdy exemplifies two recurring problems: on the one hand, the abuse of legitimate system binaries to execute malicious code complicates signature-based detection on endpoints; on the other, dynamic scripts injected into memory or served in real time leave few artifacts that traditional solutions can analyze. Detecting and mitigating such threats requires combining controls at several levels: web application hardening, endpoint behaviour monitoring and network traffic analysis, including anomalous WebSocket connections.

To reduce the attack surface, keep browsers and JavaScript engines up to date, review and restrict the use of tools such as MSHTA and WScript in environments where they are not needed, and apply Content Security Policy (CSP) and Subresource Integrity (SRI) on sites that serve public content. It is also useful to audit critical pages regularly for injections and to have secure delivery solutions that can detect unexpected changes in web resources. Resources such as the LOLBAS project offer a guide to system binaries that are often abused and can help prioritize controls: LOLBAS. To understand how attackers exploit legitimate binaries from the perspective of techniques and tactics, the MITRE ATT&CK matrix is a practical reference: T1218 - Living off the land binaries and T1505.003 - Web Shell.
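The audit of critical pages for injected scripts, as an added example (not code from the article or from Trend Micro): it parses a constructed login page, flags external scripts from hosts outside an assumed allowlist or without an SRI integrity attribute, flags inline scripts that a strict CSP would block, and shows how the expected SRI value for a legitimate resource is computed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real capture): one expected first-party script
# with an SRI attribute, one injected third-party loader without SRI, one inline script.
SAMPLE_HTML = """<html><head>
<script src="https://login.example.edu/static/app.js" integrity="sha384-abc"></script>
<script src="https://cdn.attacker-example.test/loader.js"></script>
<script>window.__x = 1;</script>
</head><body></body></html>"""

ALLOWED_ORIGINS = {"login.example.edu"}  # assumed first-party host allowlist


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Compute the SRI value ('sha384-<base64 digest>') for a resource body,
    which is what the integrity attribute of a legitimate script should carry."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def audit_scripts(html: str, allowed_origins: set) -> list:
    """Return findings: external scripts from non-allowlisted hosts, external
    scripts without SRI, and inline scripts (blocked by a strict CSP)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if src is None:
            findings.append(("inline-script", None))
            continue
        host = urlparse(src).hostname or ""
        if host not in allowed_origins:
            findings.append(("untrusted-origin", src))
        if "integrity" not in attrs:
            findings.append(("missing-sri", src))
    return findings
```

Run it against a stored copy of each critical page on a schedule; any finding beyond the known baseline is a change in the page's script inventory worth investigating.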

Early detection can also rely on network signals: WebSocket sessions to unusual domains, script downloads from third-party resources, or responses that deliver obfuscated JavaScript should trigger alerts. In corporate environments, network segmentation and monitoring of processes that initiate outgoing connections from web servers can stop the abuse of legitimate infrastructure for lateral movement.
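The two network rules just described, as an added example (not from the article): a small detector run over constructed proxy log lines that raises an alert for a WebSocket upgrade (HTTP 101 Switching Protocols) to a host outside an assumed allowlist and for JavaScript served from a third-party host. The log format and the hostnames are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log (not real telemetry), one request per line:
# timestamp client method url status response-content-type
SAMPLE_LOG = """\
2024-07-01T10:00:01Z 10.1.2.3 GET https://portal.example.edu/login 200 text/html
2024-07-01T10:00:02Z 10.1.2.3 GET https://portal.example.edu/static/app.js 200 application/javascript
2024-07-01T10:00:03Z 10.1.2.3 GET https://cdn.attacker-example.test/loader.js 200 application/javascript
2024-07-01T10:00:04Z 10.1.2.3 GET wss://ws.attacker-example.test/socket 101 -
2024-07-01T10:00:05Z 10.1.2.3 GET wss://chat.example.edu/ws 101 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
KNOWN_HOSTS = {"portal.example.edu", "chat.example.edu"}  # assumed allowlist


def parse_line(line: str):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": urlparse(url).hostname or "", "status": int(status), "ctype": ctype}


def classify(entry: dict, known_hosts: set) -> list:
    """Apply the two rules from the text: a WebSocket upgrade (HTTP 101) to a
    host outside the allowlist, and JavaScript served from a third-party host."""
    alerts = []
    if entry["status"] == 101 and entry["host"] not in known_hosts:
        alerts.append("websocket-to-unknown-host")
    if "javascript" in entry["ctype"] and entry["host"] not in known_hosts:
        alerts.append("third-party-script-download")
    return alerts


def scan_log(text: str, known_hosts: set) -> list:
    """Return (alert, client, url) tuples for every line that trips a rule."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for alert in classify(entry, known_hosts):
            findings.append((alert, entry["client"], entry["url"]))
    return findings
```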


PeckBirdy does not introduce a new technique in the strict sense, but it does show how well-resourced adversaries combine old, reliable tools, dynamic scripts and a flexible infrastructure to operate stealthily. It is a reminder that security is not only about fixing isolated vulnerabilities, but about designing layers that compensate for attackers' ability to adapt their payloads to the execution environment.

If you manage a corporate website or critical systems, reviewing the integrity controls on web resources, limiting the binaries able to interpret scripts, and strengthening network telemetry are practical measures that greatly reduce the risk of similar compromises. For those who want to go deeper into the technical description and the samples analyzed, the Trend Micro report provides detailed information and detection techniques: full report on PeckBirdy.

Ultimately, these campaigns are a reminder that attackers take advantage of the heterogeneity of environments and technologies: the most effective defenses will be those that bring together good practices in web development, patch management, network visibility and clear policies on the use of system tools.
