thehackernews.com 1/27/2026, 12:00:30 PM · via preferred

China-Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch available

Cybersecurity researchers have identified PeckBirdy, a JavaScript-based command-and-control framework that China-aligned APT actors have used since 2023 to target diverse environments, including Chinese gambling sites, Asian government entities and private organisations, according to Trend Micro.

The framework is script-based and runs across multiple execution environments via LOLBins; it uses a 32-character ATTACK ID to fetch landing scripts from its domain, which lets it adapt to different contexts. PeckBirdy uses WebSocket as its default communication method and can fall back to Adobe Flash ActiveX or Comet; its capabilities vary across browsers, MSHTA, WScript, Classic ASP, Node.js and .NET (ScriptControl).
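A defender's starting point for the behaviour described above is to watch the script-host LOLBins the article names (MSHTA, WScript) for activity a benign logon script rarely shows: launching with a remote URL on the command line, opening an outbound connection, or requesting a WebSocket upgrade. The following detection sketch is an added example, not code from the article or from Trend Micro; it assumes Sysmon-style telemetry flattened to key=value lines, the sample events are constructed, and the hostnames and addresses are placeholders. The three rule names and the inclusion of cscript.exe alongside wscript.exe are my own choices.

```python
import re

# Script-host LOLBins the article names as PeckBirdy execution environments
# (mshta, wscript); cscript.exe is added here as the console twin of wscript.exe.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# key=value tokens; values may be double-quoted and contain spaces/backslashes
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample telemetry (not real logs): Sysmon-like events, one per line.
# Domains (.invalid) and addresses (TEST-NET) are placeholders.
SAMPLE_EVENTS = r"""
id=1 type=process image=C:\Windows\System32\mshta.exe cmdline="mshta.exe http://c2.example.invalid/landing" parent=explorer.exe
id=2 type=process image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Scripts\logon.vbs" parent=userinit.exe
id=3 type=network image=C:\Windows\System32\wscript.exe dst=203.0.113.10 dport=443 proto=tcp
id=4 type=process image="C:\Program Files\Mozilla Firefox\firefox.exe" cmdline="firefox.exe" parent=explorer.exe
id=5 type=http image=C:\Windows\System32\cscript.exe host=c2.example.invalid upgrade=websocket
id=6 type=network image=C:\Windows\System32\svchost.exe dst=203.0.113.11 dport=443 proto=tcp
"""


def parse_event(line):
    """Parse one key=value line into a dict, stripping surrounding quotes."""
    event = {}
    for key, raw in KV_RE.findall(line):
        event[key] = raw[1:-1] if raw.startswith('"') else raw
    return event


def image_name(event):
    """Lower-cased basename of the process image, tolerant of / or \\ separators."""
    return event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return the name of the rule this event trips, or None if it is benign."""
    if image_name(event) not in SCRIPT_HOSTS:
        return None
    kind = event.get("type")
    # Rule 1: script host started with a remote script URL (landing-script fetch)
    if kind == "process" and URL_RE.search(event.get("cmdline", "")):
        return "script_host_remote_url"
    # Rule 2: script host itself opening an outbound network connection
    if kind == "network":
        return "script_host_outbound_connection"
    # Rule 3: script host negotiating a WebSocket channel (default C2 transport)
    if kind == "http" and event.get("upgrade", "").lower() == "websocket":
        return "script_host_websocket_upgrade"
    return None


def analyze(text):
    """Run every rule over the log text; return one finding per matching event."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        rule = check_event(event)
        if rule:
            findings.append({"id": int(event["id"]), "rule": rule,
                             "image": image_name(event)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, events 1, 3 and 5 are flagged and the local logon script (event 2), the browser (event 4) and the service host (event 6) are not. In a real deployment the process, network and HTTP events would be correlated by process GUID rather than matched independently, and the rules would be tuned against the organisation's known script-host usage.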

One PeckBirdy server tied to the SHADOW-VOID-044 campaign hosts additional scripts, including an exploit for a Google Chrome vulnerability (CVE-2020-16040) patched in December 2020, plus social-engineering pop-ups and backdoors like HOLODONUT and MKDOOR. Two intrusion sets, SHADOW-VOID-044 and SHADOW-EARTH-045, have been observed injecting PeckBirdy links into government websites to harvest credentials and enable lateral movement, with Trend Micro noting that the attackers use PeckBirdy to deliver modular backdoors.

The researchers also highlighted the use of backdoors such as HOLODONUT and WizardNet, and pointed to related activity and artefacts that suggest links to various China-aligned actors.


Article by CyberSIXT