China-Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023
Cybersecurity researchers have discovered a JScript-based command-and-control (C2) framework called PeckBirdy that China-aligned APT actors have been using since 2023 to target multiple environments. According to Trend Micro, the flexible framework has been deployed both against the Chinese gambling industry and in malicious activity targeting Asian government entities and private organizations.
AI Analysis
Technical Summary
PeckBirdy is a sophisticated, script-based command-and-control (C2) framework implemented in JScript, designed for flexibility and stealth by leveraging living-off-the-land binaries (LOLBins) such as MSHTA, WScript, and Classic ASP. Discovered by Trend Micro in 2023, it has been used by China-aligned advanced persistent threat (APT) actors in campaigns dubbed SHADOW-VOID-044 and SHADOW-EARTH-045. The framework runs in multiple environments, including web browsers, Node.js, and .NET, and executes malicious payloads dynamically without leaving persistent files on disk, which complicates detection. It supports multiple communication protocols, primarily WebSocket, with fallbacks such as Adobe Flash ActiveX and Comet, for resilient C2 communications. Unique attack and victim IDs are used to manage sessions and deliver second-stage scripts capable of stealing cookies, dropping backdoors, and establishing reverse shells. Notably, the framework has been used to inject malicious scripts into Chinese gambling websites and Asian government portals, including a Philippine educational institution, to harvest credentials and facilitate lateral movement. The attackers employ social engineering tactics such as fake Google Chrome update pages to trick victims into executing malware. Infrastructure analysis revealed the modular backdoors HOLODONUT (.NET-based) and MKDOOR, which can load and unload plugins remotely for greater operational flexibility. Other malware artifacts and infrastructure overlaps with known Chinese APT groups (e.g., UNC3569, Earth Lusca, APT41) support attribution to state-sponsored actors, and the use of a 2020 Chrome V8 engine exploit (CVE-2020-16040) and Cobalt Strike tooling further demonstrates the advanced capabilities of these campaigns.
The dynamic nature of PeckBirdy, combined with its use of legitimate system tools and runtime code injection, poses significant detection challenges for traditional endpoint security solutions.
Potential Impact
For European organizations, the PeckBirdy framework represents a significant threat, particularly for entities with business or governmental ties to Asia or those operating in sectors targeted by the campaigns, such as gambling, education, and government services. The framework's ability to evade detection by abusing legitimate system binaries and dynamically injecting code increases the risk of prolonged undetected intrusions, leading to credential theft, unauthorized access, data exfiltration, and lateral movement within networks. The modular backdoors HOLODONUT and MKDOOR let attackers customize payloads and maintain persistent access, potentially compromising sensitive information and critical infrastructure. The use of social engineering to deliver malware raises the likelihood of a successful initial compromise. European organizations relying on web technologies, especially those hosting public-facing web portals or running Node.js and .NET environments, are at heightened risk. Additionally, the campaigns' exploitation of a vulnerability patched years ago (CVE-2020-16040) shows that systems missing that patch remain exposed. The stealthy nature of the threat complicates incident response and remediation efforts, potentially leading to operational disruptions and reputational damage.
Mitigation Recommendations
European organizations should implement multi-layered defenses tailored to detect and mitigate living-off-the-land (LOLBin) abuse and script-based attacks. Specific recommendations include:
1) Deploy advanced endpoint detection and response (EDR) solutions capable of monitoring script execution, especially JScript and MSHTA activities, and flagging anomalous use of LOLBins.
2) Implement strict application whitelisting and execution policies to restrict unauthorized script execution and the use of system binaries for non-standard purposes.
3) Conduct regular patching of all software, prioritizing browsers (e.g., Google Chrome), runtime engines (e.g., V8), and server-side platforms (Node.js, .NET) to close known vulnerabilities like CVE-2020-16040.
4) Enhance network monitoring to detect unusual WebSocket, HTTP(S), and fallback communication patterns indicative of C2 traffic, including connections to suspicious domains or IPs linked to known campaigns.
5) Employ web application firewalls (WAFs) and content security policies (CSP) to prevent script injection attacks on public-facing websites.
6) Train users to recognize social engineering attempts, such as fake software update prompts, and establish strict policies for software updates through official channels only.
7) Conduct threat hunting exercises focused on identifying indicators of compromise related to PeckBirdy, HOLODONUT, and MKDOOR, including unusual process spawning and network connections.
8) Segment networks to limit lateral movement opportunities and implement strong credential management practices, including multi-factor authentication (MFA).
9) Collaborate with threat intelligence providers to stay updated on emerging indicators and tactics related to these campaigns.
10) Review and harden server configurations to prevent unauthorized script injections, especially on government and educational institution portals.
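As an added example (not code from Trend Micro or the article), the following Python hunting script applies recommendations 1, 4 and 7 above to constructed log records: it tags process-creation events where MSHTA/WScript-style script hosts load code from a URL, run scripts from user-writable paths, or are spawned by a browser (the fake Chrome update chain), and tags WebSocket sessions to unknown hosts whose shape resembles a long-lived beacon channel. All hostnames, paths, the allowlist and the thresholds are assumptions, and the sample records are constructed, not campaign indicators.

```python
import re

# Constructed sample records (not campaign indicators): process-creation events and WebSocket sessions.
PROCESS_EVENTS = [
    {"parent": "chrome.exe", "image": "mshta.exe",
     "cmdline": 'mshta.exe "C:\\Users\\jdoe\\Downloads\\ChromeUpdate.hta"'},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://updates.invalid/chrome.hta"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]
WS_SESSIONS = [
    {"host": "ws.cdn-update.invalid", "duration_s": 7200, "avg_frame_bytes": 90},
    {"host": "collab.corp.example", "duration_s": 7200, "avg_frame_bytes": 90},
]

LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe"}   # script hosts named in the analysis
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_EXT = re.compile(r"\.(hta|js|jse|vbs|wsf)\b", re.I)
USER_PATHS = re.compile(r"\\(Users|Temp|AppData)\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
ALLOWED_WS_HOSTS = {"collab.corp.example"}               # assumed internal allowlist

def score_process(event):
    """Return hunting tags for one process-creation event (parent, image, cmdline)."""
    tags = []
    if event["image"].lower() not in LOLBINS:
        return tags
    cmd = event["cmdline"]
    if REMOTE_URL.search(cmd):
        tags.append("lolbin_remote_url")        # script host pulling code from a URL
    if SCRIPT_EXT.search(cmd) and USER_PATHS.search(cmd):
        tags.append("script_from_user_path")    # e.g. a downloaded fake "Chrome update" .hta
    if event["parent"].lower() in BROWSERS:
        tags.append("browser_spawned_lolbin")   # browser -> script host execution chain
    return tags

def score_websocket(session):
    """Return tags for a WebSocket session (host, duration_s, avg_frame_bytes)."""
    tags = []
    if session["host"] in ALLOWED_WS_HOSTS:
        return tags
    tags.append("ws_unknown_host")              # triage: not a known business endpoint
    if session["duration_s"] > 3600 and session["avg_frame_bytes"] < 256:
        tags.append("ws_long_lived_small_frames")   # keepalive/beacon-like channel shape
    return tags

if __name__ == "__main__":
    print([score_process(e) for e in PROCESS_EVENTS], [score_websocket(s) for s in WS_SESSIONS])
```

In production the tag lists would be fed from EDR and proxy telemetry rather than inline dicts, and the allowlist and thresholds tuned to the environment's normal WebSocket usage.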
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Belgium, Poland, Sweden, Ireland
Technical Details
- Article Source: https://thehackernews.com/2026/01/china-linked-hackers-have-used.html (fetched 2026-01-27, 1465 words)
Threat ID: 69791f8b4623b1157c45d42b
Added to database: 1/27/2026, 8:26:51 PM
Last enriched: 1/27/2026, 8:28:42 PM
Last updated: 2/7/2026, 4:42:30 AM