{"id":10165,"date":"2026-01-27T10:03:35","date_gmt":"2026-01-27T10:03:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/27\/china-aligned-apts-use-peckbirdy-cc-framework-in-multi-vector-attacks-exploiting-stolen-certificates\/"},"modified":"2026-01-27T10:03:35","modified_gmt":"2026-01-27T10:03:35","slug":"china-aligned-apts-use-peckbirdy-cc-framework-in-multi-vector-attacks-exploiting-stolen-certificates","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/27\/china-aligned-apts-use-peckbirdy-cc-framework-in-multi-vector-attacks-exploiting-stolen-certificates\/","title":{"rendered":"China-Aligned APTs Use PeckBirdy C&C Framework in Multi-Vector Attacks, Exploiting Stolen Certificates"},"content":{"rendered":"\n
China-Aligned APTs Use PeckBirdy C&C Framework in Multi-Vector Attacks, Exploiting Stolen Certificates<\/div>\n

\t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Since 2023, a dangerous malware framework called PeckBirdy has emerged as a primary weapon used by Chinese-aligned hacking groups. <\/p>\n

This JavaScript-based tool serves as a command-and-control platform designed to work across multiple system environments, giving attackers remarkable flexibility in how they deploy their attacks. <\/p>\n

The framework targets victims in the gambling industry and government organizations throughout Asia, representing a significant evolution in how modern attack groups operate.<\/p>\n

PeckBirdy operates by injecting malicious code<\/a> into websites that victims visit regularly. When users land on compromised pages, hidden scripts download and activate the PeckBirdy framework silently in the background. <\/p>\n

The malware then tricks victims into thinking their web browser needs an urgent update, displaying convincing fake Google Chrome update pages. <\/p>\n

Unsuspecting users download what appears to be a legitimate software patch but is actually a sophisticated backdoor program designed to give attackers full control of their systems.<\/p>\n

\n
\"PeckBirdy
PeckBirdy launched via different vectors (Source \u2013 Trend Micro)<\/figcaption><\/figure>\n<\/div>\n

The attacks unfold across two distinct campaigns tracked as SHADOW-VOID-044 and SHADOW-EARTH-045. <\/p>\n

Trend Micro analysts identified<\/a> the malware after discovering evidence of its deployment on compromised Chinese gambling websites in 2023, which led researchers to uncover the full scope of the framework\u2019s capabilities and track its operational infrastructure across multiple attack phases.<\/p>\n

Infection Mechanism and Persistence Strategy<\/strong><\/h2>\n

The technical sophistication of PeckBirdy lies in how it blends older, outdated scripting languages with modern attack techniques.<\/p>\n

\n
\"The
The configuration of the PeckBirdy script (Source \u2013 Trend Micro) <\/figcaption><\/figure>\n<\/div>\n

Developers built the framework using JScript, an ancient Microsoft scripting language, specifically because it allows the code to run on virtually every Windows system without raising suspicion. <\/p>\n

This choice demonstrates how attackers deliberately select old technologies to bypass modern security tools<\/a> that focus on detecting newer threats.<\/p>\n

\n
\"The
The script delivered from a C&C server for stealing website cookies (Source \u2013 Trend Micro)<\/figcaption><\/figure>\n<\/div>\n

Once installed, PeckBirdy creates a unique identifier for each infected computer by extracting hardware information from the victim\u2019s motherboard and hard drive, then converting this data into an encrypted identifier. <\/p>\n

The malware preserves this ID in a hidden file on the system, allowing the attackers to recognize the same victim during future infections. <\/p>\n

To maintain persistent access, PeckBirdy communicates with command servers using an encrypted protocol, constantly checking for new instructions while remaining invisible to security software<\/a> monitoring for suspicious network traffic.<\/p>\n

\n
\"The
The main function of the MKDOOR downloader (Source \u2013 Trend Micro)<\/figcaption><\/figure>\n<\/div>\n

What makes this framework particularly dangerous is that it delivers secondary backdoors like HOLODONUT and MKDOOR, which expand the attackers\u2019 capabilities beyond initial access. <\/p>\n

These modules can execute arbitrary commands, steal credentials, and establish reverse shell connections that provide attackers with complete remote access to compromised networks.<\/p>\n

Organizations should implement robust network monitoring<\/a> and educate employees about social engineering tactics to defend against these persistent threats.<\/p>\n

Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n

The post China-Aligned APTs Use PeckBirdy C&C Framework in Multi-Vector Attacks, Exploiting Stolen Certificates<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Tushar Subhra Dutta
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

China-Aligned APTs Use PeckBirdy C&C Framework in Multi-Vector Attacks, Exploiting Stolen Certificates Since 2023, a dangerous malware framework called PeckBirdy has emerged as a primary weapon used by Chinese-aligned hacking groups. This JavaScript-based tool serves as a command-and-control platform designed to work across multiple system environments, giving attackers remarkable flexibility in how they deploy their […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-10165","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10165"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10165"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10165\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}