PeckBirdy Exposes a New Living off the Land Threat

Threat Group: China aligned APT operators tracked as SHADOW VOID 044 and SHADOW EARTH 045
Threat Type: JScript based command and control framework abusing trusted Windows utilities
Exploited Vulnerabilities: Abuse of the Windows Script Host trust model, mshta.exe execution, ScriptControl ActiveX usage, browser watering hole injection, and legacy Chrome V8 flaws including CVE-2020-16040
Malware Used: PeckBirdy framework, HOLODONUT modular backdoor, MKDOOR modular backdoor, NEXLOAD downloader
Threat Score: 🔴 9.1/10 (High risk)
Last Threat Observation: 28 January 2026


Overview

PeckBirdy is a highly adaptable JScript based command and control framework attributed to China aligned advanced persistent threat activity. Although it has been in use since at least 2023, its full technical scope and strategic significance were not comprehensively documented until January 2026. Unlike conventional malware families that rely on compiled executables, PeckBirdy leverages legacy scripting technologies and trusted Windows utilities to achieve stealthy execution, modular payload delivery, and resilient command and control with a minimal forensic footprint.

The framework underpins two distinct but overlapping campaigns. SHADOW VOID 044 focuses on financially motivated operations targeting the Chinese gambling sector, while SHADOW EARTH 045 conducts intelligence driven activity against Asian government organisations, educational institutions, and selected private enterprises. Across both missions, PeckBirdy enables long term access, credential harvesting, lateral movement, and controlled data exfiltration while deliberately evading traditional endpoint detection approaches.


Background and Discovery

PeckBirdy activity was first observed in operational use during 2023 but remained largely undocumented due to its script centric design and reliance on signed Microsoft binaries. The absence of compiled malware artefacts significantly reduced visibility across traditional antivirus and EDR telemetry.

In late January 2026, detailed threat intelligence reporting revealed the framework’s architecture, extensive environment awareness, and modular payload ecosystem. Correlation of infrastructure, tooling reuse, and operational tradecraft led to the tracking of two primary intrusion sets. SHADOW VOID 044 represents the financially motivated arm of the operation, while SHADOW EARTH 045 reflects a dedicated espionage mission profile. Both clusters share core PeckBirdy tooling and exhibit attribution signals consistent with established China aligned APT ecosystems.


Technical Analysis

Delivery Method

Initial access techniques vary depending on campaign objectives. SHADOW VOID 044 relies heavily on watering hole compromises of legitimate Chinese gambling websites. Malicious script tags injected into these sites retrieve PeckBirdy loaders and present visitors with fraudulent browser update prompts designed to closely mimic legitimate Google Chrome update workflows. Users who follow these prompts initiate delivery of the PeckBirdy framework and its secondary payloads.

SHADOW EARTH 045 primarily targets government and enterprise web portals. By injecting PeckBirdy scripts directly into authentication pages, threat actors harvest credentials in real time as users submit login forms. In private sector intrusions, PeckBirdy is also used as a remote access mechanism executed via mshta.exe, allowing attackers to pivot from compromised web infrastructure into internal enterprise networks.

Supporting infrastructure associated with both campaigns has hosted exploitation scripts targeting legacy browser vulnerabilities, including CVE-2020-16040, a high severity use-after-free flaw in the Chrome V8 JavaScript engine capable of enabling remote code execution.


Payload and Behaviour

PeckBirdy is implemented entirely in JScript conforming to the ECMAScript 3 standard. This design ensures compatibility across a broad range of Windows environments, including legacy systems that do not support modern PowerShell features or updated .NET runtimes. Execution is brokered through trusted components such as Windows Script Host, mshta.exe, MSHTML, and the ScriptControl ActiveX interface.

A defining characteristic of PeckBirdy is its environment aware execution logic. Upon launch, the framework inspects the runtime by checking for context specific objects such as window, process, response, WScript, APPLICATION tags, or ScriptControl interfaces. Based on the detected environment, PeckBirdy dynamically retrieves and executes scripts tailored to that context, ensuring operational continuity regardless of host capabilities.

The framework implements robust victim identification logic. When local system access is available, PeckBirdy attempts to retrieve motherboard and storage identifiers and hashes this data using MD5 to generate a persistent victim identifier. If hardware access fails, a randomly generated 32 character identifier is used instead. Persistence of this identifier is achieved through temporary files or browser cookies designed to resemble legitimate analytics artefacts.

Command and control communications default to WebSockets to enable low latency full duplex communication over standard web ports. If WebSockets are unavailable, the framework falls back to long polling HTTP techniques and legacy ActiveX based TCP channels, including Flash remnants present on older systems. All communications are encrypted with AES using a key derived from a session specific attack identifier, and the ciphertext is encoded for compatibility with text based transport.


Indicators of Compromise (IoCs)

File names or paths
%TEMP%_unique_id_

Registry keys
Unauthorised Microsoft Defender exclusion entries added via WMIC

Network indicators
Outbound WebSocket or HTTP connections initiated by mshta.exe, wscript.exe, or cscript.exe
HTTP or HTTPS requests containing 32 character hexadecimal identifiers in URI paths
Infrastructure historically associated with IP address 47.238.184.9
Domains impersonating Microsoft services such as mkdmcdn.com

Process behaviour
Browser processes spawning mshta.exe
mshta.exe launching cmd.exe or powershell.exe
ScriptControl executing remotely retrieved JScript


Threat Context

PeckBirdy reflects a mature evolution of living off the land tradecraft, shifting adversary focus from binary payloads to script based frameworks that abuse long trusted operating system components. Its deployment across both financially motivated and espionage driven campaigns highlights the convergence of cybercrime and state sponsored operations.

The framework’s reliance on legacy technologies such as JScript, Flash ActiveX remnants, and Windows Script Host underscores the ongoing risk posed by deprecated but still enabled features within modern enterprise environments. PeckBirdy demonstrates how backwards compatibility continues to provide high value attack surfaces for advanced threat actors.


Risk Assessment

The likelihood of compromise is high in environments where Windows scripting engines, mshta.exe, and legacy browser components remain unrestricted. Impact includes credential theft, session hijacking, internal network access, and persistent covert access achieved with minimal disk artefacts. Government agencies, educational institutions, and organisations operating in or adjacent to the gambling sector face elevated risk, particularly in regions targeted by China aligned intelligence collection.


Detection and Mitigation

Detection Guidance

Monitor for mshta.exe, wscript.exe, or cscript.exe initiating outbound network connections.
Alert on command line usage containing javascript, ActiveXObject, or ScriptControl.
Inspect endpoints for anomalous browser cookies prefixed with Hm_lvt_ in environments where such analytics are unexpected.
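As an added example (not code from the advisory or from the reports it cites), the following PowerShell hunts constructed Sysmon-style telemetry and constructed proxy log lines for the behaviours listed in the IoC section and in the detection guidance above: script hosts initiating network connections, browser to mshta.exe and mshta.exe to shell parent-child pairs, script engine keywords on command lines, Defender exclusions pushed through WMIC, and URI paths carrying a 32 character hexadecimal identifier. Field names follow Sysmon Event ID 1 (process creation) and Event ID 3 (network connection); every sample record is fabricated, and the WMIC exclusion match is a generic pattern because the advisory reports the technique rather than the exact command.

```powershell
# Added example: hunt Sysmon-style telemetry for the PeckBirdy behaviours above.
# Field names mirror Sysmon Event ID 1 (process creation) and 3 (network
# connection); every record below is constructed, not a real capture.

$ScriptHosts  = @('mshta.exe', 'wscript.exe', 'cscript.exe')
$Browsers     = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'iexplore.exe')
$Shells       = @('cmd.exe', 'powershell.exe')
$CmdLineTerms = @('javascript', 'ActiveXObject', 'ScriptControl')

# Leaf name of a path, lower-cased; splits on both slash styles so it also
# works when analysing exported logs on a non-Windows host.
function Get-Leaf([string]$Path) { ($Path -split '[\\/]')[-1].ToLowerInvariant() }

function New-Finding($Rule, $Record, $Detail) {
    [pscustomobject]@{ Rule = $Rule; ProcessId = $Record.ProcessId; Detail = $Detail }
}

function Find-PeckBirdyIndicators {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $image = Get-Leaf $e.Image
        if ($e.EventId -eq 1) {
            $parent = Get-Leaf $e.ParentImage
            # Browser -> mshta.exe: the fake browser update lure handing off to a LOLBin.
            if ($Browsers -contains $parent -and $image -eq 'mshta.exe') {
                New-Finding 'BrowserSpawnsMshta' $e "$parent -> $image"
            }
            # mshta.exe -> cmd/powershell: script host escalating to a shell.
            if ($parent -eq 'mshta.exe' -and $Shells -contains $image) {
                New-Finding 'MshtaSpawnsShell' $e "$parent -> $image"
            }
            # Script engine keywords on any command line (-match is case-insensitive).
            foreach ($term in $CmdLineTerms) {
                if ($e.CommandLine -match [regex]::Escape($term)) {
                    New-Finding 'ScriptKeywordInCommandLine' $e $term
                }
            }
            # Generic pattern for Defender exclusions pushed through WMIC; the
            # advisory reports the technique, not the exact command, so this is broad.
            if ($image -eq 'wmic.exe' -and $e.CommandLine -match 'exclusion') {
                New-Finding 'DefenderExclusionViaWmic' $e $e.CommandLine
            }
        }
        elseif ($e.EventId -eq 3) {
            # Script hosts have no business initiating outbound connections.
            if ($ScriptHosts -contains $image -and $e.Initiated) {
                New-Finding 'ScriptHostNetwork' $e "$image -> $($e.DestinationIp):$($e.DestinationPort)"
            }
        }
    }
}

# Proxy or web-server log lines whose URI path carries a 32-character hex
# token, the shape of the MD5-based victim identifier described in the advisory.
function Find-VictimIdUris([string[]]$Lines) {
    $Lines | Where-Object { $_ -match '/[0-9a-f]{32}(?:[/?\s]|$)' }
}

# Constructed sample telemetry (fabricated values; the IP is the one listed in the IoC section).
$SampleEvents = @(
    [pscustomobject]@{ EventId = 1; ProcessId = 4120; ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; CommandLine = 'chrome.exe' }
    [pscustomobject]@{ EventId = 1; ProcessId = 5308; ParentImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        Image = 'C:\Windows\System32\mshta.exe'; CommandLine = 'mshta.exe javascript:PLACEHOLDER' }
    [pscustomobject]@{ EventId = 3; ProcessId = 5308; Image = 'C:\Windows\System32\mshta.exe'
        Initiated = $true; DestinationIp = '47.238.184.9'; DestinationPort = 443 }
    [pscustomobject]@{ EventId = 1; ProcessId = 5410; ParentImage = 'C:\Windows\System32\mshta.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -Command PLACEHOLDER' }
    [pscustomobject]@{ EventId = 1; ProcessId = 5522; ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\cscript.exe'; CommandLine = 'cscript.exe //nologo logon.vbs' }   # benign: no finding
)

Find-PeckBirdyIndicators -Events $SampleEvents | Format-Table -AutoSize

$SampleProxyLines = @(
    '2026-01-28T09:14:02Z 10.0.0.15 GET http://cdn.example.test/s/3f8e2b91c4d6e7a0b1c2d3e4f5a6b7c8 200',
    '2026-01-28T09:14:05Z 10.0.0.15 GET http://www.example.test/index.html 200'
)
Find-VictimIdUris $SampleProxyLines   # flags the first line only
```

Against the sample records the process rules produce four findings (BrowserSpawnsMshta and ScriptKeywordInCommandLine for the mshta.exe launch, ScriptHostNetwork for its connection to 47.238.184.9:443, and MshtaSpawnsShell for the PowerShell child) and nothing for the logon script run by cscript.exe from explorer.exe. The 32 character hex rule will also match content-addressed CDN asset paths, so in production scope it to traffic whose initiating process is one of the script hosts, or correlate it with the process findings by ProcessId rather than alerting on it alone.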

Mitigation Strategies

Disable or restrict Windows Script Host and block mshta.exe using WDAC or AppLocker where not operationally required.
Enable Microsoft Attack Surface Reduction rules that block script based execution of downloaded content.
Enforce strong identity controls including hardware backed MFA and immediate credential rotation following suspected exposure.
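The first two mitigation items can be applied from an elevated PowerShell session. The following is an added hardening example, not configuration from the advisory or its sources; it disables Windows Script Host through the documented registry setting, enables two Attack Surface Reduction rules by their published IDs, and merges an AppLocker deny rule for mshta.exe (the WDAC alternative the advisory mentions is not shown). The file paths, rule names and the choice to start in audit mode are this example's assumptions.

```powershell
# Added hardening example (not from the advisory or its sources). Run in an
# elevated session on a test host first; each step is independently reversible.

# 1. Disable Windows Script Host machine-wide so wscript.exe/cscript.exe refuse
#    to run scripts. Key and value name are Microsoft's documented WSH setting.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord

# 2. Attack Surface Reduction rules. The GUIDs are Microsoft's published rule
#    IDs for "Block JavaScript or VBScript from launching downloaded executable
#    content" and "Block execution of potentially obfuscated scripts".
$asrRules = @('D3E037E1-3EB8-44C8-A917-57927947596D', '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC')
# Begin in AuditMode to measure impact, then change both actions to Enabled.
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules -AttackSurfaceReductionRules_Actions AuditMode, AuditMode

# 3. AppLocker deny rules for mshta.exe (64-bit and WOW64 copies). Deny rules win
#    over allow rules, so this merges safely into a policy that already carries
#    default allow rules; a collection containing ONLY these deny rules would
#    block every other executable once enforced, hence AuditOnly here.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny mshta.exe" Description="PeckBirdy LOLBin mitigation" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\mshta.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny mshta.exe (WOW64)" Description="PeckBirdy LOLBin mitigation" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\SysWOW64\mshta.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'deny-mshta.xml'   # assumed scratch location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# AppLocker only enforces while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 4. Verify what is now in effect.
Get-ItemProperty -Path $wshKey -Name Enabled | Select-Object Enabled
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
Get-AppLockerPolicy -Effective -Xml
```

Review the AppLocker and ASR audit events (the AppLocker operational log and Defender's ASR events) for a representative period before switching the collection to Enabled and the rule actions to Enabled; hosts that legitimately run HTA-based line-of-business tooling will show up there first. Disabling WSH also breaks logon scripts written in VBScript or JScript, so inventory Group Policy logon scripts before rolling the registry change out broadly.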


Sources

Trend Micro - PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China Aligned Threat Groups - https://www.trendmicro.com/en/research/26/a/peckbirdy-script-framework.html
The Hacker News - China Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023 - https://thehackernews.com/2026/01/china-linked-hackers-have-used.html
SOC Prime - PeckBirdy JScript C2 Abuses LOLBins to Drop Backdoors - https://socprime.com/active-threats/versatile-script-framework-for-lolbins-exploitation/