rss-bridge 2026-01-26T00:00:00+00:00

PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups

PeckBirdy is a sophisticated JScript-based C&C framework used by China-aligned APT groups to exploit LOLBins across multiple environments, delivering advanced backdoors to target gambling industries and Asian government entities.


By: Ted Lee, Joseph C Chen

Jan 26, 2026


Key takeaways

  • PeckBirdy is a JScript-based command-and-control (C&C) framework used by China-aligned APT actors since 2023, designed to execute across multiple environments, enabling flexible deployment.
  • Two modular backdoors, HOLODONUT and MKDOOR, extend PeckBirdy’s attack capabilities beyond its core functionality.
  • Meanwhile, the SHADOW-VOID-044 and SHADOW-EARTH-045 campaigns demonstrate coordinated China-aligned threat group activity that uses PeckBirdy across multiple attack vectors.
  • One of the campaigns leverages stolen code-signing certificates, Cobalt Strike payloads, and exploits (CVE-2020-16040) hosted across multiple C&C domains and IP addresses to maintain persistent access.
  • TrendAI Vision One™ detects and blocks the indicators of compromise (IOCs) outlined in this blog, and provides customers with tailored threat hunting queries, threat insights, and intelligence reports.

Introduction

Since 2023, we have been observing threat campaigns that employ a previously unseen script-based command-and-control (C&C) framework, which we named PeckBirdy, against Chinese gambling industries, as well as malicious activities targeting Asian government entities and private organizations. While tracking this framework, we identified at least two campaigns using PeckBirdy, which we were able to link to several China-aligned advanced persistent threat (APT) actors. Note that we previously discussed these campaigns at the HitCon conference in August 2025, and are now publishing this entry to share our findings with a wider audience.

PeckBirdy is a script-based framework which, while possessing advanced capabilities, is implemented in JScript, an old scripting language. This choice ensures that the framework can be launched across different execution environments via LOLBins (living-off-the-land binaries). This flexibility allowed us to observe PeckBirdy in various kill chain stages: as a watering-hole control server during the initial attack phase, as a reverse shell server during the lateral movement phase, and as a C&C server during the backdoor phase.

In this entry, we will provide our detailed analysis of PeckBirdy, its attack campaigns, and a pair of new backdoors, “HOLODONUT” and “MKDOOR” which we found being used in related operations. In addition, we will also discuss the attribution of the corresponding campaign.

In-the-wild activities

Beginning in 2023, we noticed multiple Chinese gambling websites being injected with malicious scripts that load content from remote servers. Further investigation into the injections and servers led us to discover the PeckBirdy script framework. When victims visit these gambling websites, the injected scripts download and execute the main script of the PeckBirdy routine, allowing attackers to remotely deliver and execute JavaScript in the victim's browser.

The primary goal of this routine is to display fake software update webpages for Google Chrome to entice victims into downloading and executing malicious update files, which are backdoors prepared by the attackers. This constitutes the first campaign we identified, which we are tracking under the name SHADOW-VOID-044.

[Figure 1. PeckBirdy launched via different vectors]

Figure 1. PeckBirdy launched via different vectors

During July 2024, we observed another campaign primarily targeting Asian government entities and private organizations, which we tracked under the campaign name SHADOW-EARTH-045. We discovered that this campaign injects PeckBirdy links into government websites, likely to deliver scripts for credential harvesting on the website.

In one case, the injection was on the login page of a government system, while in another incident, we noticed the attacker using MSHTA to execute PeckBirdy as a remote access channel for lateral movement in a private organization. The threat actor behind the attacks also developed a .NET executable that launches PeckBirdy through ScriptControl. These findings demonstrate the versatility of PeckBirdy’s design, which enables it to serve multiple purposes.

Analysis of the PeckBirdy framework

PeckBirdy can be executed in various environments, including browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET (ScriptControl). Depending on the environment, PeckBirdy’s capabilities and purpose can vary.

For example, in a browser environment, PeckBirdy can only operate within the scope of the webpage because of the browser sandbox. In other environments such as MSHTA, however, PeckBirdy can act directly on the local machine. The PeckBirdy server exposes a set of APIs that allow clients to obtain landing scripts via a simple HTTP(S) query. The following table shows the PeckBirdy server APIs that we observed.

API | Description
https://{domain}/{ATTACK_ID} | Downloads the main PeckBirdy script
https://{domain}/{ATTACK_ID}/hta | Downloads the landing script for MSHTA
https://{domain}/{ATTACK_ID}/html | Downloads the landing script for HTML
https://{domain}/{ATTACK_ID}/wscript | Downloads the landing script for WScript

Table 1. The PeckBirdy server APIs to obtain landing scripts

Each generated PeckBirdy script contains an embedded configuration that depends on the ATTACK_ID value supplied in the query; the ATTACK_ID is a predefined value consisting of a random 32-character string. The configured values control the behavior of PeckBirdy during execution and include the following items.

Configuration | Description
$HOST | The PeckBirdy server domain
$PORT | The port numbers used by the supported protocols
$ATTACK_ID | A 32-character random string produced by the framework
$RETRY | The waiting time between retries
$RETRY_TIME | The number of retry attempts
$HEARTBEAT | The waiting time between heartbeats

Table 2. The configuration embedded in the PeckBirdy script
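Tables 1 and 2 give defenders a concrete signature for PeckBirdy landing-script retrieval: a first path segment of exactly 32 characters, optionally followed by /hta, /html or /wscript. The following detection routine is an added example (not code from the original post) that applies that pattern to proxy log lines; the log format and the alphanumeric alphabet of the ATTACK_ID are assumptions, since the post only states that it is a random 32-character string.

```python
import re
from urllib.parse import urlsplit

# Landing-script paths from Table 1: /{ATTACK_ID} optionally followed by
# /hta, /html or /wscript. ATTACK_ID is a 32-character random string (Table 2);
# the alphanumeric character class is an assumption, the post does not state the alphabet.
LANDING_RE = re.compile(r"^/([A-Za-z0-9]{32})(?:/(hta|html|wscript))?/?$")

# Constructed sample proxy log lines (not from the original post):
# "<client_ip> <method> <url> <user_agent>"
SAMPLE_LOG = """\
10.0.0.5 GET https://cdn.example.test/static/app.js Mozilla/5.0
10.0.0.7 GET https://update.example.test/aBcDeFgHiJkLmNoPqRsTuVwXyZ012345/hta Mozilla/4.0 (compatible; MSIE 7.0)
10.0.0.7 GET https://update.example.test/aBcDeFgHiJkLmNoPqRsTuVwXyZ012345 Mozilla/4.0 (compatible; MSIE 7.0)
10.0.0.9 GET https://portal.example.test/login/index.html Mozilla/5.0
10.0.0.9 GET https://update.example.test/short/wscript Mozilla/5.0
"""


def parse_line(line):
    """Split one constructed log line into (client, method, url, user_agent)."""
    client, method, url, ua = line.split(" ", 3)
    return client, method, url, ua


def classify_url(url):
    """Return (attack_id, environment) when the URL path matches a Table 1 API, else None.

    The environment is 'main' for the bare /{ATTACK_ID} request, otherwise the suffix."""
    m = LANDING_RE.match(urlsplit(url).path)
    if not m:
        return None
    return m.group(1), m.group(2) or "main"


def find_landing_requests(log_text):
    """Return one record per request whose URL path matches the landing-script pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, method, url, ua = parse_line(line)
        match = classify_url(url)
        if match is None:
            continue
        attack_id, env = match
        hits.append({"client": client, "host": urlsplit(url).hostname,
                     "attack_id": attack_id, "env": env, "user_agent": ua})
    return hits
```

A 32-character first path segment alone will produce false positives on CDN-style URLs, so the hits are best pivoted on the host and on clients that request both the main script and a landing script for the same ATTACK_ID.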

[Figure 2. The configuration of the PeckBirdy script]

Figure 2. The configuration of the PeckBirdy script

To extend PeckBirdy’s reach, its developer implemented it in JScript, an old scripting language that follows ECMAScript 3, and designed it to support multiple communication protocols so that it remains compatible with various environments. When a newer environment is detected, PeckBirdy uses the built-in functions defined in ECMAScript 5, such as JSON; otherwise, it falls back to its own JScript implementations of those functions.

Upon initial execution, PeckBirdy searches for objects that exist only in specific environments to determine the current execution context. It checks for the window object in browser environments, the process object in Node.js environments, the response object in ASP environments, and the presence of the APPLICATION tag within the HTML in HTA environments.

[Figure 3. Detecting execution context]

Figure 3. Detecting execution context
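The embedded configuration from Table 2 and the execution-context probes described above are static traits a triage script can look for in a suspicious JScript file. The following static-triage routine is an added example (not code from the original post); the assignment layout and probe syntax in the constructed sample are assumptions, since the post names the objects that are checked but not the exact code that checks them.

```python
import re

# Configuration names from Table 2.
CONFIG_KEYS = ("$HOST", "$PORT", "$ATTACK_ID", "$RETRY", "$RETRY_TIME", "$HEARTBEAT")
# Execution-context probes from the analysis above; the `typeof` form is an assumption.
PROBE_PATTERNS = {
    "browser": re.compile(r"typeof\s+window\b"),
    "nodejs": re.compile(r"typeof\s+process\b"),
    "asp": re.compile(r"typeof\s+response\b", re.IGNORECASE),
    "hta": re.compile(r"hta:application|<application\b", re.IGNORECASE),
}
# Matches `$NAME = "..."`, `$NAME = 123` or `$NAME = {...}` assignments (assumed layout).
ASSIGN_RE = re.compile(r"(\$[A-Z_]+)\s*=\s*(\"[^\"]*\"|'[^']*'|\d+|\{[^}]*\})")

# Constructed sample mimicking the embedded configuration; not a real PeckBirdy script.
SAMPLE_SCRIPT = """\
var $HOST = "peckbirdy-c2.invalid";
var $PORT = {http: 80, https: 443};
var $ATTACK_ID = "aBcDeFgHiJkLmNoPqRsTuVwXyZ012345";
var $RETRY = 5000;
var $RETRY_TIME = 3;
var $HEARTBEAT = 30000;
function env() {
  if (typeof window !== "undefined") return "browser";
  if (typeof process !== "undefined") return "nodejs";
  if (typeof response !== "undefined") return "asp";
  return "wscript";
}
"""


def extract_config(script):
    """Return the Table 2 configuration values found in the script text, quotes stripped."""
    found = {}
    for name, value in ASSIGN_RE.findall(script):
        if name in CONFIG_KEYS:
            found[name] = value.strip("\"'")
    return found


def detect_probes(script):
    """Return the set of execution-context probe names present in the script."""
    return {env for env, pat in PROBE_PATTERNS.items() if pat.search(script)}


def triage(script):
    """Heuristic: most of the config block plus two or more context probes is a strong signal."""
    cfg, probes = extract_config(script), detect_probes(script)
    return {"config": cfg, "probes": sorted(probes),
            "suspicious": len(cfg) >= 4 and len(probes) >= 2}
```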

[...]
