{
  "name": "A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups",
  "slug": "a-versatile-script-framework-for-lolbins-exploitation-used-by-china-aligned-threat-groups",
  "description": "PeckBirdy is a sophisticated JScript-based C&C framework employed by China-aligned APT groups since 2023. It exploits LOLBins across multiple environments to deliver advanced backdoors, targeting the gambling industry and Asian government entities. The framework's versatility allows it to be used at various attack stages, from watering-hole control to lateral movement and C&C operations. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, demonstrate coordinated threat-group activity using PeckBirdy. The framework is complemented by two modular backdoors, HOLODONUT and MKDOOR, which extend its attack capabilities. PeckBirdy's design enables flexible deployment and execution across different environments, including browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET.",
  "published": "2026-01-26T19:30:56+00:00",
  "created_at": "2026-01-26T19:30:56+00:00",
  "modified_at": "2026-01-27T06:34:09+00:00",
  "created_at_opencti": "2026-01-26T19:30:56+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-26",
    "CVE-2020-16040",
    "apt",
    "biopass rat",
    "c&c framework",
    "china-aligned",
    "darknimbus",
    "gambling",
    "government",
    "grayrabbit",
    "holodonut",
    "jscript",
    "lolbins",
    "mkdoor",
    "peckbirdy",
    "wizardnet"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "43.154.202.197"
      },
      {
        "id": "",
        "name": "47.238.184.9"
      },
      {
        "id": "",
        "name": "8.222.143.246"
      },
      {
        "id": "",
        "name": "8.218.124.102"
      },
      {
        "id": "",
        "name": "www.jsunpkg.com"
      },
      {
        "id": "",
        "name": "www.githubgressaccess.info"
      },
      {
        "id": "",
        "name": "612e534e695269ac6408bf1f5f62372756bb354bd01bea6073e9fe1d9b548597"
      },
      {
        "id": "",
        "name": "ecafb4ad14c96007f2873e5e4d0e173d27340427f512448515f64e4f58268741"
      },
      {
        "id": "",
        "name": "81ceb679d9bc51a451393a2ed9edcd588c2760e39c9758303c5929c7412112f0"
      },
      {
        "id": "",
        "name": "ef67e340d31cbc7bd0d5f77581801142b25b0bc636bb97c04e4ed3c757532227"
      },
      {
        "id": "",
        "name": "0a0b25e9565bd41bdadcaab88f0c8c425582c248bdbc4d981ee3ad57a58c6476"
      },
      {
        "id": "",
        "name": "691d3a5ea614b5bf371001941635788e680ad938f06ee4dfd25768422eaedd6f"
      },
      {
        "id": "",
        "name": "336a0be2dfa60e6beee133cff185bc258b480fb231d5d7eacaca6dfde0db3f81"
      },
      {
        "id": "",
        "name": "74a73e1461dffcf445f195cede0204f44afef8c4b6f37391a0c314e20ed8f7b7"
      },
      {
        "id": "",
        "name": "7e396dda39d3497097b82d98920fa174f883b04d03295493dd3b13676d5ac321"
      },
      {
        "id": "",
        "name": "fb69135d10c087f72c7cf82a1441e6de3e3d2abfde8546c9012b15c63d5c50e5"
      },
      {
        "id": "",
        "name": "bb67fa07897b73aca77311e4d23bbbbe496e8570338f36305704e487034fd0ad"
      },
      {
        "id": "",
        "name": "5992b0d8bd342ff4a298402830b68c4e4565bf1fd5717a404d8a3ab7a5760204"
      },
      {
        "id": "",
        "name": "7e989948c2b9bb4cd9f7031882e5400171d574610f0dfd06a8d60b860f6e984a"
      },
      {
        "id": "",
        "name": "776b4fb58d76105a60bccfbc09abad82330b8ee5138b93b826deaa7689030bbf"
      },
      {
        "id": "",
        "name": "5dc7b4a618076662b5993b392eb0e402b9f6c27f88b6561791475dc1069c318e"
      }
    ],
    "malware": [
      {
        "id": "cccf1b4d-521b-4f51-9a89-9fb9bfca670f",
        "name": "BIOPASS RAT",
        "slug": "biopass-rat"
      },
      {
        "id": "legacy:malware:b924a10ad27b95e0",
        "name": "DarkNimbus",
        "slug": "darknimbus"
      },
      {
        "id": "legacy:malware:a22dd1a3b90d7f3a",
        "name": "WizardNet",
        "slug": "wizardnet"
      },
      {
        "id": "legacy:malware:e66a1c3df6af0b1a",
        "name": "MKDOOR",
        "slug": "mkdoor"
      },
      {
        "id": "legacy:malware:74c6499eb4dfd027",
        "name": "HOLODONUT",
        "slug": "holodonut"
      },
      {
        "id": "legacy:malware:a25af55b2e3ea4c7",
        "name": "PeckBirdy",
        "slug": "peckbirdy"
      },
      {
        "id": "legacy:malware:b66b3a1578248d01",
        "name": "GRAYRABBIT",
        "slug": "grayrabbit"
      }
    ],
    "intrusion_sets": [
      {
        "id": "0071ad41-3fc9-4da5-a429-246d63ac8514",
        "name": "SHADOW-VOID-044",
        "slug": "shadow-void-044"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "28548897-8b18-4095-97e8-1732f52e9316",
        "name": "T1102.003"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2020-16040"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Philippines"
      },
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Gambling"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "ads.microsoft-ads.com"
      },
      {
        "id": "",
        "name": "aq.crackflyvpn.org"
      },
      {
        "id": "",
        "name": "update.myrnicrosoft.com"
      },
      {
        "id": "",
        "name": "ppcn-cdn.xyz"
      },
      {
        "id": "",
        "name": "updates.oss-cdn.com"
      },
      {
        "id": "",
        "name": "as-cdn.net"
      },
      {
        "id": "",
        "name": "m.as-cdn.org"
      },
      {
        "id": "",
        "name": "kyo-cdn.com"
      },
      {
        "id": "",
        "name": "github.githubassets.net"
      },
      {
        "id": "",
        "name": "os-js.com"
      },
      {
        "id": "",
        "name": "mkdmcdn.com"
      },
      {
        "id": "",
        "name": "dayday.is-cdn.com"
      },
      {
        "id": "",
        "name": "update.microsoft-edges.com"
      },
      {
        "id": "",
        "name": "static.img-caches.com"
      },
      {
        "id": "",
        "name": "center.myrnicrosoft.com"
      },
      {
        "id": "",
        "name": "efficaciousserver9527.org"
      },
      {
        "id": "",
        "name": "static.img-cache.com"
      },
      {
        "id": "",
        "name": "linux.mso-cdn.com"
      },
      {
        "id": "",
        "name": "cloudflare.hcaphcha.com"
      },
      {
        "id": "",
        "name": "js.cache-cdn.org"
      },
      {
        "id": "",
        "name": "a1icdn.com"
      },
      {
        "id": "",
        "name": "app.css-alicdn.com"
      },
      {
        "id": "",
        "name": "static-alicdn.com"
      },
      {
        "id": "",
        "name": "oss-cdn.com"
      },
      {
        "id": "",
        "name": "ai.microsoftgpt.net"
      },
      {
        "id": "",
        "name": "cdn.js-cdn.xyz"
      },
      {
        "id": "",
        "name": "study.mso-cdn.com"
      },
      {
        "id": "",
        "name": "m.mod-js.org"
      },
      {
        "id": "",
        "name": "tt.oss-cdn.com"
      }
    ]
  },
  "external_refs": [
    "https://www.trendmicro.com/en_us/research/26/a/peckbirdy-script-framework.html",
    "https://otx.alienvault.com/pulse/6977cf000e82fbf4ca307f21"
  ]
}