In 2023, cybersecurity experts identified a JScript-based command-and-control framework named PeckBirdy, linked to China-aligned APT actors, which targets various sectors including the gambling industry and government entities in Asia. According to Trend Micro, the framework has been used in attacks on both private organizations and government websites; the activity is tracked as two operational clusters, SHADOW-VOID-044 and SHADOW-EARTH-045.
The SHADOW-VOID-044 campaign injects malicious scripts into Chinese gambling websites to trick visitors into downloading a fake Google Chrome update that delivers malware. SHADOW-EARTH-045, first observed in July 2024, targets a Philippine educational institution and other government entities by embedding PeckBirdy links in their websites, most likely for credential harvesting.
Researchers Ted Lee and Joseph C Chen emphasized the framework's adaptability: the same JScript code can run in several environments, including web browsers and .NET. The attackers have also built a .NET executable to deploy PeckBirdy, showing that a single framework is being reused for multiple malicious purposes.