securityonline.info 1/27/2026, 4:40:48 AM · via preferred

Stealth in Script: “PeckBirdy” Framework Powers New Wave of China-Aligned Attacks


PECKBIRDY is a lightweight, script-based command-and-control framework written entirely in JScript. It runs through the Windows Script Host, so the operator can execute commands without writing a large binary to disk, the kind of on-disk payload that antivirus software is most likely to flag. According to Trend Micro, PeckBirdy has been used by China-aligned APT actors since 2023 and is built to run in several different host environments, giving the operators flexibility in how they deploy it.

The framework rarely operates alone: two modular backdoors, HOLODONUT and MKDOOR, extend its reach and provide persistent access and data exfiltration. Trend Micro's investigation ties PeckBirdy to two campaigns. SHADOW-VOID-044 used stolen code-signing certificates and Cobalt Strike payloads; SHADOW-EARTH-045, in July 2024, compromised an IIS server at a Philippine educational institution and used an mshta.exe command on that server to launch PeckBirdy.

A tentative link to Earth Lusca and Earth Baxia has been noted, including an IP address previously associated with Earth Baxia operations (47.238.184[.]9).
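The two concrete observables the article gives are the launch chain (an mshta.exe command on a compromised IIS server starting a JScript framework that runs under the Windows Script Host) and the Earth Baxia-linked IP address. The following detection pass is an added example, not code from the article or from Trend Micro's report. It runs over a handful of constructed, Sysmon-style process-creation and network-connection events and flags script hosts spawned by the IIS worker process w3wp.exe, mshta.exe chaining into wscript.exe/cscript.exe, and outbound connections to the quoted IP. The field names, the w3wp.exe parent, and every sample event are assumptions made for the example.

```python
"""Added detection example (not the article's or Trend Micro's code).

Assumptions: events are dicts with Sysmon-like fields (EventID, Image,
ParentImage, DestinationIp, UtcTime, Computer); the IIS worker process is
w3wp.exe; the sample events below are constructed for this example.
"""
from __future__ import annotations

import ipaddress

# Script hosts the article names as PeckBirdy's execution surface.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
WEB_SERVER_WORKERS = {"w3wp.exe"}  # assumption: IIS worker process

# Indicator exactly as the article prints it (defanged); refanged before use.
DEFANGED_IOCS = ["47.238.184[.]9"]


def refang(ioc: str) -> str:
    """Turn '47.238.184[.]9' into '47.238.184.9'; raise on non-IP input."""
    addr = ioc.replace("[.]", ".").replace("(.)", ".")
    ipaddress.ip_address(addr)  # ValueError if the result is not an address
    return addr


IOC_IPS = {refang(i) for i in DEFANGED_IOCS}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict) -> list[str]:
    """Process-creation rules for the mshta -> Windows Script Host chain."""
    findings = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    if parent in WEB_SERVER_WORKERS and image in SCRIPT_HOSTS:
        findings.append(f"script host {image} spawned by web worker {parent}")
    if parent == "mshta.exe" and image in {"wscript.exe", "cscript.exe"}:
        findings.append(f"mshta.exe chained into Windows Script Host ({image})")
    return findings


def check_network_event(ev: dict) -> list[str]:
    """Network-connection rule: destination matches a known indicator."""
    dst = ev.get("DestinationIp", "")
    if dst in IOC_IPS:
        return [f"{basename(ev.get('Image', ''))} connected to known C2 IP {dst}"]
    return []


def scan(events) -> list[tuple]:
    """Return (time, host, message) for every event that trips a rule."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            found = check_process_event(ev)
        elif eid == 3:
            found = check_network_event(ev)
        else:
            found = []
        for msg in found:
            alerts.append((ev.get("UtcTime"), ev.get("Computer"), msg))
    return alerts


# Constructed sample telemetry (not real logs). Three of the five should alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-07-02 03:14:05", "Computer": "WEB01",
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 1, "UtcTime": "2024-07-02 03:14:06", "Computer": "WEB01",
     "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 1, "UtcTime": "2024-07-02 08:00:00", "Computer": "ADMIN-PC",
     "Image": r"C:\Windows\System32\wscript.exe",          # benign logon script
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "UtcTime": "2024-07-02 03:14:09", "Computer": "WEB01",
     "Image": r"C:\Windows\System32\cscript.exe", "DestinationIp": "47.238.184.9"},
    {"EventID": 3, "UtcTime": "2024-07-02 08:01:00", "Computer": "ADMIN-PC",
     "Image": r"C:\Program Files\Browser\browser.exe", "DestinationIp": "203.0.113.10"},
]

if __name__ == "__main__":
    for when, host, msg in scan(SAMPLE_EVENTS):
        print(f"{when} {host}: {msg}")
```

The parent-child rule is the durable part: a web worker process has no business starting a script host, whatever the script's contents, so it keeps firing after the operators rotate infrastructure. The IP match is cheap and exact but only as good as the indicator's age, which is why the two are kept as separate rules.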


Article by CyberSIXT