Trend Micro researchers have identified "PeckBirdy," a sophisticated JScript-based command-and-control (C&C) framework used by China-aligned threat actors since at least 2023. The framework is built for flexibility: the same JScript can run in a browser, under MSHTA, or under WScript, because it abuses Living off the Land Binaries (LOLBins) already present on Windows hosts rather than dropping a dedicated executable. It has primarily been observed in campaigns targeting the gambling industry and government entities across Asia, typically delivered through watering-hole attacks and fake software updates.
The framework is highly modular and frequently deploys advanced backdoors such as HOLODONUT and MKDOOR to maintain persistence and expand capabilities. These tools rely on techniques such as AMSI bypass, ETW disabling, and DLL sideloading to evade detection. Coordinated activity has been linked to several known APT groups, including UNC3569 and Earth Lusca, pointing to a shared or collaboratively maintained toolset among China-linked adversaries seeking long-term access to strategic targets.
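Because the framework's execution stages ride on script hosts that are legitimately present on every Windows machine, a defender's first handle on it is process-creation telemetry for those hosts. The following is an added illustration written for this summary, not code from Trend Micro or from the PeckBirdy report: it scores constructed Sysmon-style process-creation events for mshta.exe, wscript.exe and cscript.exe launches that fetch remote content, run inline script, execute from user-writable directories, or are spawned by a browser (the watering-hole delivery path described above). The field names, the browser process list, and the indicator thresholds are assumptions chosen for the example, and the sample events are constructed, not real telemetry.

```python
import re

# Script hosts the page names as PeckBirdy execution environments (plus cscript.exe,
# the console twin of wscript.exe). Basenames are compared case-insensitively.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Assumed browser process names; a script host spawned directly by a browser is
# consistent with watering-hole delivery. Adjust to the fleet's actual browsers.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Indicators evaluated against the command line of the script host.
URL_RE = re.compile(r"https?://", re.IGNORECASE)                 # remote script/HTA fetch
INLINE_RE = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)  # protocol-handler inline script
USER_WRITABLE_RE = re.compile(                                     # script staged in user-writable dirs
    r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)

# Constructed sample events in a Sysmon Event ID 1 style (hypothetical field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://update.example.test/patch.hta",
     "ParentImage": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //E:jscript C:\Users\alice\AppData\Local\Temp\upd.js",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "javascript:document.title=\'constructed\'"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign-looking scheduled inventory script: a script host, but none of the indicators fire.
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\ProgramData\Vendor\inventory.vbs",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Not a script host at all; ignored outright.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe readme.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return the list of indicator names that fire for one process-creation event.

    An empty list means the event is not a script-host launch or shows none of the
    behaviours associated with LOLBin-based script delivery.
    """
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return []
    cmd = event["CommandLine"]
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("remote_content")
    if INLINE_RE.search(cmd):
        reasons.append("inline_script")
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("user_writable_script")
    if basename(event["ParentImage"]) in BROWSERS:
        reasons.append("browser_parent")
    return reasons


def scan(events):
    """Apply analyze_event to every event and collect the ones worth an analyst's look."""
    findings = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            findings.append({
                "image": basename(event["Image"]),
                "parent": basename(event["ParentImage"]),
                "reasons": reasons,
                "command": event["CommandLine"],
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['image']} <- {finding['parent']}: {', '.join(finding['reasons'])}")
        print(f"    {finding['command']}")
```

Run against the constructed sample, three of the five events are reported and the scheduled inventory script is left alone, which is the point of scoring on behaviour rather than on the script host's name: mshta.exe and wscript.exe are far too common to alert on by themselves, but a script host that fetches over HTTP, runs protocol-handler inline script, executes out of AppData or Temp, or is a direct child of a browser is rare in normal operation and worth correlating with the AMSI and ETW tampering the page mentions as the next stage.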