PeckBirdy is a sophisticated JScript-based C&C framework used by China-aligned APT groups to exploit LOLBins across multiple environments, delivering advanced backdoors to target gambling industries and Asian government entities.

Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

PeckBirdy is a JScript-based command-and-control framework used by China-aligned APT groups since 2023 to exploit living-off-the-land binaries across multiple execution environments. The framework supports various communication protocols and can operate in browsers, MSHTA, WScript, ASP, Node.js, and .NET environments. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, have been identified using PeckBirdy to target Chinese gambling industries and Asian government entities through watering-hole attacks, fake software updates, and credential harvesting. The framework delivers modular backdoors including HOLODONUT and MKDOOR, with connections to known threat actors UNC3569, TheWizard, Earth Lusca, and Earth Baxia.

PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups