Cybersecurity

Cyber: China-linked Hackers Have Used The Peckbirdy Javascript C2...

2026-01-27 0 views admin
Cyber: China-linked Hackers Have Used The Peckbirdy Javascript C2...

Cybersecurity researchers have discovered a JScript-based command-and-control (C2) framework called PeckBirdy that has been put to use by China-aligned APT actors since 2023 to target multiple environments.

The flexible framework has been put to use against Chinese gambling industries and malicious activities targeting Asian government entities and private organizations, according to Trend Micro.

"PeckBirdy is a script-based framework which, while possessing advanced capabilities, is implemented using JScript, an old script language," researchers Ted Lee and Joseph C Chen said. "This is to ensure that the framework could be launched across different execution environments via LOLBins (living-off-the-land binaries)."

The cybersecurity company said it identified the PeckBirdy script framework in 2023 after it observed multiple Chinese gambling websites being injected with malicious scripts, which are designed to download and execute the primary payload in order to facilitate the remote delivery and execution of JavaScript.

The end goal of this routine is to serve fake software update web pages for Google Chrome so as to trick users into downloading and running bogus update files, thereby infecting the machines with malware in the process. This activity cluster is being tracked as SHADOW-VOID-044.

SHADOW-VOID-044 is one of the two temporary intrusion sets detected using PeckBirdy. The second campaign, observed first in July 2024 and referred to as SHADOW-EARTH-045, involves targeting Asian government entities and private organizations -- including a Philippine educational institution -- injecting PeckBirdy links into government websites to likely serve scripts for credential harvesting on the website.

"In one case, the injection was on a login page of a government system, while in another incident, we noticed the attacker using MSHTA to execute PeckBirdy as a remote access channel for lateral movement in a private organization," Trend Micro said. "The threat actor behind the attacks also developed a .NET executable to launch PeckBirdy with ScriptControl. These findings demonstrate the versatility of PeckBirdy's design, which enables it to serve multiple purposes."

What makes PeckBirdy notable is its flexibility, allowing it to run with varying capabilities across web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET (ScriptControl). The framework's server is configured to support multiple APIs that make it possible for clients to obtain landing

Source: The Hacker News

🏷️ Tags

cybersecuritysecurityhackmalwareattack

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views