DEV Community

Mark0
PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups

PeckBirdy is a JScript-based command-and-control (C&C) framework identified by Trend Micro and used by China-aligned APT groups since 2023. The framework abuses Living off the Land Binaries (LOLBins) to run across diverse execution environments, including browsers, MSHTA, WScript and Node.js. It has been observed primarily in campaigns targeting the Chinese gambling industry and various Asian government institutions, where it serves as a remote access channel during multiple stages of the attack lifecycle.

The framework is often deployed via watering-hole attacks and social engineering to deliver advanced modular backdoors such as HOLODONUT and MKDOOR. Detailed analysis links these activities to known threat actors including UNC3569 (GrayRabbit), Earth Lusca and Earth Baxia. These groups use sophisticated techniques, including stolen code-signing certificates and exploitation of vulnerabilities such as CVE-2020-16040, to maintain persistence and harvest credentials.
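The summary above names the script hosts PeckBirdy rides on (MSHTA, WScript, Node.js), which is exactly the telemetry a defender can watch. The script below is an added detection example, not code from the Trend Micro report or from PeckBirdy itself: it walks process-creation records and flags launches of those hosts whose command line points at a remote URL, inline JScript, an HTA or JScript-family file, or node's inline evaluation switch, and additionally notes when the parent is a browser or Office process. The `Key: value|Key: value` record format, the field names and every sample line are constructed to resemble Sysmon Event ID 1 data and are assumptions, not values from the report.

```python
"""Flag suspicious script-host (LOLBin) launches in process-creation telemetry.

Added defensive example; the record format, field names and sample log lines
are constructed and are not taken from the Trend Micro report or from PeckBirdy.
"""
import re
from dataclasses import dataclass

# Indicators per script host. A plain 'node.exe app.js' or a .vbs run under
# wscript.exe is routine and deliberately not matched here.
URL = re.compile(r"https?://", re.I)                    # script/HTA fetched over HTTP(S)
INLINE_JS = re.compile(r"javascript:", re.I)            # JScript passed inline to mshta
HTA_FILE = re.compile(r"\.hta\b", re.I)                 # HTML Application file
WSH_FILE = re.compile(r"\.(js|jse|wsf)\b", re.I)        # JScript-family WSH files
NODE_EVAL = re.compile(r"(^|\s)(-e|--eval|-p|--print)(\s|$)", re.I)  # node inline code

HOST_PATTERNS = {
    "mshta.exe": [URL, INLINE_JS, HTA_FILE],
    "wscript.exe": [URL, WSH_FILE],
    "cscript.exe": [URL, WSH_FILE],
    "node.exe": [URL, NODE_EVAL],
}

# Parents that should rarely spawn a script host directly (watering-hole and
# lure-document delivery paths).
RISKY_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                 "winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class Finding:
    image: str
    parent: str
    reasons: list


def parse_record(line):
    """Parse a constructed 'Key: value|Key: value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")   # split on the first colon only
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(record):
    """Return a Finding when a script-host launch looks suspicious, else None."""
    image = basename(record.get("Image", ""))
    if image not in HOST_PATTERNS:
        return None
    parent = basename(record.get("ParentImage", ""))
    cmdline = record.get("CommandLine", "")
    reasons = [f"command line matches /{p.pattern}/"
               for p in HOST_PATTERNS[image] if p.search(cmdline)]
    if parent in RISKY_PARENTS:
        reasons.append(f"spawned by {parent}")
    return Finding(image, parent, reasons) if reasons else None


def scan(lines):
    """Run assess() over raw records and return only the findings."""
    return [f for f in (assess(parse_record(line)) for line in lines) if f]


# Constructed sample telemetry (hostnames are reserved .invalid names).
SAMPLE_LOG = [
    r"Image: C:\Windows\System32\mshta.exe|ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe|CommandLine: mshta.exe https://example.invalid/update.hta",
    r"Image: C:\Windows\System32\wscript.exe|ParentImage: C:\Windows\explorer.exe|CommandLine: wscript.exe C:\Users\Public\logon.js",
    r"Image: C:\Program Files\nodejs\node.exe|ParentImage: C:\Windows\System32\cmd.exe|CommandLine: node.exe -e \"console.log(1)\"",
    r"Image: C:\Program Files\nodejs\node.exe|ParentImage: C:\Windows\System32\cmd.exe|CommandLine: node.exe C:\dev\app\server.js",
    r"Image: C:\Windows\System32\wscript.exe|ParentImage: C:\Windows\System32\cmd.exe|CommandLine: wscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.image} (parent {finding.parent}): " + "; ".join(finding.reasons))
```

Run as a script it reports the first three records and stays quiet on the last two, which is the point of scoping the patterns per host: the host binary alone is too noisy a signal, and the parent process plus the shape of the command line is what separates a browser-launched HTA from an administrator running `slmgr.vbs`.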
