China-Linked Hackers Utilize PeckBirdy JavaScript C2 Framework
These articles are AI-generated summaries. Please check the original sources for full details.
PeckBirdy JavaScript C2 Framework
The PeckBirdy framework, discovered by cybersecurity researchers, has been used by China-aligned APT actors since 2023 against multiple targets, including Chinese gambling industries and Asian government entities. The framework is flexible: attackers deliver it through fake software updates and web injections, with the end goal of infecting the victim's machine with malware.
Why This Matters
The PeckBirdy framework’s ability to run with varying capabilities across different execution environments, including web browsers and .NET, makes it a significant threat. Because its code is generated dynamically and injected at runtime, and because it leaves no persistent file artifacts, it evades traditional endpoint security controls and is hard to detect. The framework’s versatility has been demonstrated in two temporary intrusion sets, SHADOW-VOID-044 and SHADOW-EARTH-045, which have targeted various organizations, resulting in the potential theft of sensitive information and compromise of systems.
Key Insights
- PeckBirdy has been used by China-aligned APT actors since 2023 to spread malware via fake updates and web injections (Trend Micro, 2026)
- The framework can run with varying capabilities across web browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET (ScriptControl) (Trend Micro, 2026)
- PeckBirdy uses the WebSocket protocol to communicate with the server by default, but can also employ Adobe Flash ActiveX objects or Comet as a fallback mechanism (Trend Micro, 2026)
Working Example
```javascript
// PeckBirdy script example (loader stub as shown in the summary; the helper
// functions generateVictimID and getScriptFromServer are not reproduced on this page)
var ATTACK_ID = "o246jgpi6k2wjke000aaimwбe7571uh7"; // campaign identifier sent to the C2 server
var victimID = generateVictimID();                   // per-victim identifier
var script = getScriptFromServer(ATTACK_ID, victimID); // next stage is fetched at runtime, nothing is written to disk
eval(script);                                        // runtime-injected code is executed directly
```
Practical Applications
- Use Case: The PeckBirdy framework can be used by attackers to target organizations via fake software updates, as seen in the SHADOW-VOID-044 campaign, which targeted Chinese gambling websites.
- Pitfall: The use of PeckBirdy can lead to the compromise of sensitive information and systems, as well as the theft of website cookies and credentials, if not detected and mitigated promptly.
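The key insights above note that PeckBirdy runs inside script hosts such as MSHTA and WScript and talks to its server over WebSocket by default, so one detection angle is telemetry from those hosts. The following is an added example, not code from the Trend Micro report or from PeckBirdy: it triages constructed EDR-style process and network events (the field names `image`, `cmdline`, `url`, `dport` and `host` are assumed) and flags script hosts that are launched with a remote or inline script argument or that open a WebSocket connection.

```javascript
// Added detection example; not code from the Trend Micro report or from PeckBirdy itself.
// Event schema (type, host, image, cmdline, url, dport) is an assumed EDR-style layout.
const SCRIPT_HOSTS = new Set(["mshta.exe", "wscript.exe", "cscript.exe"]);
// Arguments that pull script from a remote location or run it inline.
const REMOTE_OR_INLINE = /\b(?:https?|wss?):\/\/|\b(?:javascript|vbscript):/i;

function baseName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Returns the reasons an event is suspicious (empty array when nothing stands out).
function flagEvent(ev) {
  const reasons = [];
  if (!SCRIPT_HOSTS.has(baseName(ev.image))) return reasons;
  if (ev.type === "process" && REMOTE_OR_INLINE.test(ev.cmdline)) {
    reasons.push("script host launched with remote or inline script argument");
  }
  if (ev.type === "network") {
    if (/^wss?:\/\//i.test(ev.url)) {
      reasons.push("script host opened a WebSocket connection");
    } else if (![80, 443].includes(ev.dport)) {
      reasons.push(`script host connected on unusual port ${ev.dport}`);
    }
  }
  return reasons;
}

// Triage a batch of events, keeping only flagged ones with their reasons.
function triage(events) {
  return events
    .map((ev) => ({ host: ev.host, image: baseName(ev.image), reasons: flagEvent(ev) }))
    .filter((r) => r.reasons.length > 0);
}

// Constructed sample telemetry (placeholder hosts and domains, not real indicators).
const SAMPLE_EVENTS = [
  { type: "process", host: "ws01", image: "C:\\Windows\\System32\\mshta.exe",
    cmdline: "mshta.exe https://updates.example.invalid/update.hta" },
  { type: "process", host: "ws01", image: "C:\\Windows\\System32\\wscript.exe",
    cmdline: "wscript.exe C:\\Scripts\\logon.vbs" },
  { type: "network", host: "ws01", image: "C:\\Windows\\System32\\wscript.exe",
    url: "wss://c2.example.invalid/socket", dport: 443 },
  { type: "network", host: "ws02", image: "C:\\Program Files\\Browser\\browser.exe",
    url: "wss://chat.example.invalid/ws", dport: 443 },
];

console.log(JSON.stringify(triage(SAMPLE_EVENTS), null, 2));
```

A browser opening a WebSocket is normal and is deliberately not flagged; the signal is the combination of a script host with remote script delivery or a socket connection.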