PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups

    Date: 01/27/2026

    Severity: High

    Summary

    PeckBirdy is a JavaScript-based command-and-control framework used by China-aligned APT actors since 2023. It is designed for cross-environment execution, enabling flexible and scalable deployment. Two modular backdoors, HOLODONUT and MKDOOR, extend its capabilities beyond the core framework. The SHADOW-VOID-044 and SHADOW-EARTH-045 campaigns show coordinated use of PeckBirdy across multiple vectors. One campaign leverages stolen code-signing certificates and Cobalt Strike payloads; it also exploits CVE-2020-16040, with its infrastructure distributed across multiple C&C domains and IPs to maintain persistence.

    Indicators of Compromise (IOC) List

    Domains/URLs:


    IP Addresses:


    Hashes (SHA-256):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "tt.oss-cdn.com" or url like "tt.oss-cdn.com" or siteurl like "tt.oss-cdn.com" or domainname like "updates.oss-cdn.com" or url like "updates.oss-cdn.com" or siteurl like "updates.oss-cdn.com" or domainname like "aq.crackflyvpn.org" or url like "aq.crackflyvpn.org" or siteurl like "aq.crackflyvpn.org" or domainname like "kyo-cdn.com" or url like "kyo-cdn.com" or siteurl like "kyo-cdn.com" or domainname like "js.cache-cdn.org" or url like "js.cache-cdn.org" or siteurl like "js.cache-cdn.org" or domainname like "github.githubassets.net" or url like "github.githubassets.net" or siteurl like "github.githubassets.net" or domainname like "m.as-cdn.org" or url like "m.as-cdn.org" or siteurl like "m.as-cdn.org" or domainname like "dayday.is-cdn.com" or url like "dayday.is-cdn.com" or siteurl like "dayday.is-cdn.com" or domainname like "cdn.js-cdn.xyz" or url like "cdn.js-cdn.xyz" or siteurl like "cdn.js-cdn.xyz" or domainname like "os-js.com" or url like "os-js.com" or siteurl like "os-js.com" or domainname like "update.myrnicrosoft.com" or url like "update.myrnicrosoft.com" or siteurl like "update.myrnicrosoft.com" or domainname like "as-cdn.net" or url like "as-cdn.net" or siteurl like "as-cdn.net" or domainname like "update.microsoft-edges.com" or url like "update.microsoft-edges.com" or siteurl like "update.microsoft-edges.com" or domainname like "linux.mso-cdn.com" or url like "linux.mso-cdn.com" or siteurl like "linux.mso-cdn.com" or domainname like "mkdmcdn.com" or url like "mkdmcdn.com" or siteurl like "mkdmcdn.com" or domainname like "ai.microsoftgpt.net" or url like "ai.microsoftgpt.net" or siteurl like "ai.microsoftgpt.net" or domainname like "ads.microsoft-ads.com" or url like "ads.microsoft-ads.com" or siteurl like "ads.microsoft-ads.com" or domainname like "study.mso-cdn.com" or url like "study.mso-cdn.com" or siteurl like "study.mso-cdn.com" or domainname like "efficaciousserver9527.org" or url like "efficaciousserver9527.org" or siteurl like "efficaciousserver9527.org" or domainname like "a1icdn.com" or url like "a1icdn.com" or siteurl like "a1icdn.com" or domainname like "ppcn-cdn.xyz" or url like "ppcn-cdn.xyz" or siteurl like "ppcn-cdn.xyz" or domainname like "static-alicdn.com" or url like "static-alicdn.com" or siteurl like "static-alicdn.com" or domainname like "www.jsunpkg.com" or url like "www.jsunpkg.com" or siteurl like "www.jsunpkg.com" or domainname like "app.css-alicdn.com" or url like "app.css-alicdn.com" or siteurl like "app.css-alicdn.com" or domainname like "m.mod-js.org" or url like "m.mod-js.org" or siteurl like "m.mod-js.org" or domainname like "static.img-cache.com" or url like "static.img-cache.com" or siteurl like "static.img-cache.com" or domainname like "static.img-caches.com" or url like "static.img-caches.com" or siteurl like "static.img-caches.com" or domainname like "cloudflare.hcaphcha.com" or url like "cloudflare.hcaphcha.com" or siteurl like "cloudflare.hcaphcha.com" or domainname like "www.githubgressaccess.info" or url like "www.githubgressaccess.info" or siteurl like "www.githubgressaccess.info"

    Detection Query 2:

    dstipaddress IN ("43.135.35.84","47.86.190.245","43.156.94.185","47.238.184.9","43.154.202.197","47.238.219.111","8.218.50.207","8.218.124.102","8.222.143.246") or srcipaddress IN ("43.135.35.84","47.86.190.245","43.156.94.185","47.238.184.9","43.154.202.197","47.238.219.111","8.218.50.207","8.218.124.102","8.222.143.246")

    Detection Query 3:

    sha256hash IN ("776b4fb58d76105a60bccfbc09abad82330b8ee5138b93b826deaa7689030bbf","5992b0d8bd342ff4a298402830b68c4e4565bf1fd5717a404d8a3ab7a5760204","ef67e340d31cbc7bd0d5f77581801142b25b0bc636bb97c04e4ed3c757532227","5dc7b4a618076662b5993b392eb0e402b9f6c27f88b6561791475dc1069c318e","81ceb679d9bc51a451393a2ed9edcd588c2760e39c9758303c5929c7412112f0","fb69135d10c087f72c7cf82a1441e6de3e3d2abfde8546c9012b15c63d5c50e5","336a0be2dfa60e6beee133cff185bc258b480fb231d5d7eacaca6dfde0db3f81","691d3a5ea614b5bf371001941635788e680ad938f06ee4dfd25768422eaedd6f","0a0b25e9565bd41bdadcaab88f0c8c425582c248bdbc4d981ee3ad57a58c6476","7e989948c2b9bb4cd9f7031882e5400171d574610f0dfd06a8d60b860f6e984a","612e534e695269ac6408bf1f5f62372756bb354bd01bea6073e9fe1d9b548597","74a73e1461dffcf445f195cede0204f44afef8c4b6f37391a0c314e20ed8f7b7","7e396dda39d3497097b82d98920fa174f883b04d03295493dd3b13676d5ac321","bb67fa07897b73aca77311e4d23bbbbe496e8570338f36305704e487034fd0ad","ecafb4ad14c96007f2873e5e4d0e173d27340427f512448515f64e4f58268741")
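    The three queries above, re-implemented as one offline matcher over constructed log records so the field logic can be checked without a TDIR instance. This is an added example, not Gurucul's code: the field names come from the queries, the indicator values are a small subset of the advisory's lists, and the host-level domain match is an assumption that is stricter than the queries' substring `like`.

```python
# Added example: the three TDIR queries above as one offline matcher over
# constructed log records. Field names come from the queries; the indicator
# values are a subset of the advisory's lists. Not Gurucul code.
from urllib.parse import urlparse

IOC_DOMAINS = {"tt.oss-cdn.com", "ai.microsoftgpt.net", "as-cdn.net"}
IOC_IPS = {"47.86.190.245", "8.218.50.207"}
IOC_SHA256 = {"336a0be2dfa60e6beee133cff185bc258b480fb231d5d7eacaca6dfde0db3f81"}


def host_of(value):
    """Reduce a domainname/url/siteurl field to a bare lowercase hostname."""
    if not value:
        return ""
    value = value.strip().lower()
    if "://" in value:
        return urlparse(value).hostname or ""
    return value.split("/")[0].split(":")[0]


def domain_hits(host):
    """Exact host or subdomain match against IOC_DOMAINS.
    Assumption: stricter than the queries' substring 'like', so a host such
    as 'pandas-cdn.net' does not fire on the 'as-cdn.net' indicator."""
    return {d for d in IOC_DOMAINS if host == d or host.endswith("." + d)}


def classify(record):
    """Return the set of query numbers (1, 2, 3) that a record would trigger."""
    hits = set()
    for field in ("domainname", "url", "siteurl"):      # Query 1 fields
        if domain_hits(host_of(record.get(field))):
            hits.add(1)
    for field in ("dstipaddress", "srcipaddress"):      # Query 2 fields
        if (record.get(field) or "").strip() in IOC_IPS:
            hits.add(2)
    if (record.get("sha256hash") or "").strip().lower() in IOC_SHA256:
        hits.add(3)                                     # Query 3 field
    return hits


# Constructed sample records (not taken from any real environment).
SAMPLE_LOGS = [
    {"url": "https://tt.oss-cdn.com/update.js", "dstipaddress": "47.86.190.245"},
    {"domainname": "pandas-cdn.net", "srcipaddress": "10.0.0.5"},
    {"sha256hash": "336A0BE2DFA60E6BEEE133CFF185BC258B480FB231D5D7EACACA6DFDE0DB3F81"},
    {"siteurl": "cdn.ai.microsoftgpt.net:443/loader"},
]
```

    Hash comparison is case-normalized because some sources emit upper-case SHA-256 strings; the second sample record shows the near-miss host that a plain substring match would flag.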

    Reference:

    https://www.trendmicro.com/en_us/research/26/a/peckbirdy-script-framework.html

    Tags

    Malware, Threat Actor, Vulnerability, CVE-2020, PeckBirdy, China, SHADOW-VOID-044, SHADOW-EARTH-045, Exploit, Backdoor, APT
