PeckBirdy JScript C2 framework used across multiple environments since 2023
Malware Activity
Summary
Since 2023, the PeckBirdy JScript-based C2 framework has been used by China-aligned APT actors to reach multiple environments, giving them flexible delivery and remote execution options. The framework can launch through web browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET ScriptControl. It can also hand off second-stage scripts for cookie theft, reverse shells, and backdoor delivery.
Related Happenings
LofyGang Minecraft LofyStealer campaign
Campaign
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
StoatWaffle malware distributed through malicious VS Code projects
Malware Activity
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
The **StoatWaffle** malware is being delivered through malicious **VS Code projects**, creating a live risk of **credential theft** and **remote command execution** on developer s...
DRILLAPP JavaScript backdoor through Microsoft Edge
Malware Activity
First: 16.03.2026 11:07
Last: 16.03.2026 11:07
Sources 1
About this happening:
Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...
Perplexity Comet prompt-injection research shows agentic browsers can be trained into phishing traps
Technical Analysis
First: 11.03.2026 18:38
Last: 11.03.2026 18:38
Sources 1
About this happening:
**Perplexity's Comet AI browser** is the focus of a **technical analysis** thread showing how **prompt injection** and **malicious URLs** can steer an agentic browser into **data...
Trojanized gaming utility RAT delivery campaign via browsers and chat platforms
Campaign
First: 27.02.2026 12:06
Last: 27.02.2026 12:06
Sources 1
About this happening:
Threat actors are running a **trojanized gaming utility** delivery campaign through **browsers and chat platforms**, putting **unsuspecting users** at risk of **RAT infection** an...
Timeline
27.01.2026 11:01 · 2 articles
Trend Micro identifies the PeckBirdy JScript C2 framework
Initial Disclosure: Trend Micro identifies PeckBirdy as a JScript-based command-and-control framework used by China-aligned APT actors since 2023 against Chinese gambling websites, Asian government entities, and private organizations. The framework can run through web browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET ScriptControl; it uses ATTACK ID values to retrieve landing scripts over HTTP(S), persists a victim ID, and falls back from WebSocket to Adobe Flash ActiveX objects or Comet. Associated infrastructure served scripts for fake Google Chrome update pages, cookie theft, reverse shells, credential-harvesting activity, and modular backdoors including HOLODONUT and MKDOOR, with related activity tracked as SHADOW-VOID-044 and SHADOW-EARTH-045.
Sources
- China-Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023 — thehackernews.com — 27.01.2026 11:01
- China-Backed 'PeckBirdy' Takes Flight for Cross-Platform Attacks — www.darkreading.com — 28.01.2026 18:19