PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-Aligned Threat Groups
Trend Micro Research
www.trendmicro.com/en_us/res…

Since 2023, researchers have observed multiple threat campaigns leveraging a previously undocumented, script-based command-and-control (C&C) framework, now designated PeckBirdy. These campaigns targeted organizations within the Chinese gambling sector, as well as government entities and private organizations across Asia. During the investigation, at least two distinct campaigns using PeckBirdy were identified. These campaigns were attributed to several China-aligned advanced persistent threat (APT) actors. Preliminary findings were previously presented at the HitCon conference in August 2025. This publication expands on that research to share the findings with a broader audience.

PeckBirdy is a script-based framework implemented in JScript, an older scripting language. Despite its age, JScript was deliberately chosen to ensure broad compatibility across execution environments by leveraging LOLBins (living-off-the-land binaries). This design enables flexible deployment across multiple stages of the attack lifecycle. Observed use cases include:

Operation as a watering-hole control server during the initial access phase
Functioning as a reverse shell server during lateral movement
Serving as a full C&C server during the backdoor phase

This versatility highlights PeckBirdy’s role as a modular and adaptable framework within sophisticated, multi-stage intrusion campaigns.
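As an added example, not code from the Trend Micro report or from the PeckBirdy authors, the following Python script scans process-creation log lines for the defensive signal the summary points at: a Windows script host, one of the LOLBins capable of running JScript, being launched by an unusual parent (a browser, as a watering-hole delivery would look from the endpoint, or an Office application) or loading a script from a user-writable path. The report does not say which LOLBins PeckBirdy relies on, so the host set (wscript.exe, cscript.exe, mshta.exe), the parent list, the path heuristic, the pipe-separated log format and every sample event are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Windows Script Host and the HTA host: well-known LOLBins that execute JScript.
# Assumption: the report does not name which LOLBins PeckBirdy uses.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Parents that should rarely launch a script host in normal use (constructed heuristic).
# A browser parent is what watering-hole delivery would typically look like on the endpoint.
UNUSUAL_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                   "winword.exe", "excel.exe", "outlook.exe"}

# Directories an unprivileged user can write to (heuristic, not exhaustive).
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|public|downloads)\\", re.IGNORECASE)

# Constructed process-creation events: timestamp|parent image|image|command line
SAMPLE_EVENTS = [
    r"2025-08-01T09:00:00|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Scripts\backup.js",
    r"2025-08-01T09:05:12|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\bob\Downloads\update.js",
    r"2025-08-01T09:07:30|C:\Windows\System32\services.exe|C:\Windows\System32\cscript.exe|cscript //nologo C:\Windows\System32\slmgr.vbs /dlv",
    r"2025-08-01T09:10:45|C:\Windows\System32\cmd.exe|C:\Windows\System32\cscript.exe|cscript //E:JScript C:\Users\bob\AppData\Local\Temp\data.txt",
    r"2025-08-01T09:11:00|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe",
    r"2025-08-01T09:15:20|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\mshta.exe|mshta.exe C:\Users\bob\AppData\Roaming\invoice.hta",
]


@dataclass
class Alert:
    line_no: int      # 1-based index of the offending event in the input
    image: str        # script host that was launched
    reasons: list     # human-readable reasons the event was flagged


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split one constructed log line into (timestamp, parent, image, command line)."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    ts, parent, image, cmd = parts
    return ts, basename(parent), basename(image), cmd


def classify(parent, image, cmd):
    """Return the list of reasons an event is suspicious; empty means not flagged."""
    reasons = []
    if image not in SCRIPT_HOSTS:
        return reasons
    if parent in UNUSUAL_PARENTS:
        reasons.append("script host launched by browser or Office application")
    if USER_WRITABLE.search(cmd):
        reasons.append("script loaded from user-writable location")
    # //E:<engine> is the real WSH switch that selects the script engine; forcing JScript
    # lets a file with an arbitrary extension run as JScript.
    if "//e:jscript" in cmd.lower():
        reasons.append("JScript engine forced via //E:JScript switch")
    return reasons


def analyze(lines):
    """Run the heuristics over every log line and collect the alerts."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        event = parse_event(line)
        if event is None:
            continue
        _ts, parent, image, cmd = event
        reasons = classify(parent, image, cmd)
        if reasons:
            alerts.append(Alert(line_no, image, reasons))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"event {alert.line_no}: {alert.image}: " + "; ".join(alert.reasons))
```

Running the script flags events 2, 4 and 6 and leaves the scheduled backup script, the licensing check spawned by services.exe and Notepad alone. The heuristics are deliberately coarse: in a real deployment the parent and path lists would be tuned to the environment, and each rule would be one input to a score rather than an alert on its own.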
Edward Kiledjian
@ekiledjian