Probing the DNS Depths of PeckBirdy

Trend Micro’s report exposes PeckBirdy, a JavaScript-based C2 framework used by China-aligned APTs since 2023 and linked to modular backdoors (HOLODONUT, MKDOOR), stolen code-signing certificates, Cobalt Strike payloads, and exploits including CVE-2020-16040. Researchers analyzed 56 IoCs (domains, subdomains, IPs, WHOIS emails), confirmed many as illegitimate or previously weaponized, and published sample artifacts and full findings for download.

Keypoints

  • PeckBirdy is a JS-based command-and-control framework observed in campaigns since 2023 and attributed to China-aligned APT actors.
  • Campaigns associated with PeckBirdy used two modular backdoors—HOLODONUT and MKDOOR—plus stolen code-signing certificates, Cobalt Strike payloads, and exploits (CVE-2020-16040).
  • Researchers collected 56 IoCs (domains, subdomains, IPs, WHOIS/email artifacts) after extracting unique domains from subdomain IoCs and further analysis.
  • Of 28 domains initially flagged as IoCs, all were confirmed illegitimate via WHOIS analysis; six domains had been registered 122–804 days before being labeled malicious.
  • DNS and network trace analysis showed multiple client IPs querying IoC domains (91 DNS queries between 31 Dec 2025 and 29 Jan 2026) and 2,205 historical domain-to-IP resolutions across 22 domains.
  • WHOIS history revealed 35 unique email addresses tied to 21 of the IoC domains and produced 64 additional email-connected domains after filtering.
  • Additional discovery found 23 unique IPs (13 current resolutions to IoC domains), 20 of which were already weaponized for phishing/malware distribution.

MITRE Techniques

  • [T1059.007] Command and Scripting Interpreter: JavaScript – The C2 framework is implemented in JavaScript, enabling execution across environments (‘a JS-based C&C framework’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and payload delivery occurred over web protocols/HTTP-based infrastructure (‘a JS-based C&C framework’ and Cobalt Strike payload distribution).
  • [T1071.004] Application Layer Protocol: DNS – Extensive DNS queries and domain-to-IP resolutions were observed for IoC domains (‘91 DNS queries made between 31 December 2025 and 29 January 2026’ and ‘2,205 historical domain-to-IP resolutions’).
  • [T1190] Exploit Public-Facing Application – Campaigns used known exploits to achieve initial access, specifically CVE-2020-16040 (‘exploits (CVE-2020-16040) have figured along PeckBirdy’).
  • [T1553.002] Subvert Trust Controls: Code Signing – Adversaries used a stolen code-signing certificate to sign malicious payloads (Cobalt Strike), subverting trust controls (‘stolen code-signing certificate Cobalt Strike payloads’).
  • [T1583.004] Acquire Infrastructure: Domains – Attack infrastructure included registration and use of malicious domains, some registered long before being flagged (registered 122–804 days earlier) (‘six domains identified as IoCs were registered with malicious intent 122—804 days before being dubbed as such’).
  • [T1566] Phishing – Discovered IPs and domains were associated with phishing campaigns used to distribute malware (‘Malware distribution; Phishing’ in threat association for multiple IP addresses).

Indicators of Compromise

  • [Domain] Domain IoCs and flagged domains – mkdmcdn[.]com, jsunpkg[.]com, and 26 other domains (28 domains initially identified as IoCs).
  • [Subdomain] Subdomain IoCs used for distribution or typosquatting – update[.]myrnicrosoft[.]com, updates[.]oss-cdn[.]com, and 18 other subdomains (20 subdomains queried as IoCs).
  • [IP Address] IoC IP addresses observed in DNS traces – 8[.]218[.]50[.]207, 43[.]156[.]94[.]185, and 6 other IPs (8 IPs initially classified as IoCs).
  • [IP Address] Additional weaponized IPs resolved from IoC domains – 104[.]21[.]24[.]113, 104[.]21[.]25[.]105, and 18 other addresses (23 unique IPs discovered; 20 labeled weaponized for phishing/malware distribution).
  • [Email / WHOIS] Email-related WHOIS artifacts and email-connected domains – 35 unique historical WHOIS email addresses (5 public addresses noted) and 64 email-connected domains (specific addresses not listed in the article).
  • [Malware / Backdoor] Named malware/backdoors observed – HOLODONUT, MKDOOR (modular backdoors tied to PeckBirdy campaigns).
  • [Vulnerability] Exploit indicator – CVE-2020-16040 (exploit used in PeckBirdy-related campaigns).
  • [Certificate] Stolen code-signing certificate – referenced as used to sign Cobalt Strike payloads (no certificate serial provided in the article).
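The DNS-trace and WHOIS-age checks described in the Keypoints can be reproduced locally against a resolver log. The script below is an added example written for this page, not code from Trend Micro or CircleID: it refangs the domain and subdomain IoCs listed above, flags any query that equals or sits under one of them (so a new subdomain of an IoC domain is still caught), tallies hits per client IP, and computes how many days a domain was registered before it was flagged. The log lines and the WHOIS creation date are constructed sample data, and the log layout (timestamp, client, qname, qtype, answer) is an assumption; adapt the field split to your resolver's format.

```python
"""Added example: screen a DNS query log against the PeckBirdy domain IoCs
listed on this page and measure registration lead time from WHOIS dates."""
from collections import Counter, defaultdict
from datetime import date
from typing import Optional

# Defanged domain/subdomain IoCs exactly as they appear on the page.
IOC_DOMAINS_DEFANGED = [
    "mkdmcdn[.]com",
    "jsunpkg[.]com",
    "update[.]myrnicrosoft[.]com",
    "updates[.]oss-cdn[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def matches_ioc(qname: str) -> Optional[str]:
    """Return the IoC that qname equals or is a subdomain of, else None."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    # Walk from the full name up towards the registrable domain so that
    # cdn.mkdmcdn.com still matches the IoC mkdmcdn.com.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Constructed sample log (assumed layout: timestamp client qname qtype answer).
SAMPLE_DNS_LOG = """\
2026-01-03T10:12:01Z 10.0.4.17 update.myrnicrosoft.com A 8.218.50.207
2026-01-03T10:12:02Z 10.0.4.17 www.example.org A 93.184.216.34
2026-01-05T08:01:44Z 10.0.9.3 cdn.mkdmcdn.com A 43.156.94.185
2026-01-11T22:40:09Z 10.0.4.17 jsunpkg.com A 8.218.50.207
2026-01-12T09:15:30Z 10.0.2.8 updates.oss-cdn.com. AAAA -
2026-01-19T17:03:12Z 10.0.9.3 mail.example.org MX -
"""


def scan_dns_log(log_text: str) -> dict:
    """Tally IoC hits per client IP and record which IoCs each client touched."""
    hits_per_client: Counter = Counter()
    iocs_per_client = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than abort the whole scan
        client, qname = parts[1], parts[2]
        hit = matches_ioc(qname)
        if hit:
            hits_per_client[client] += 1
            iocs_per_client[client].add(hit)
    return {
        "total_hits": sum(hits_per_client.values()),
        "hits_per_client": dict(hits_per_client),
        "iocs_per_client": {c: sorted(s) for c, s in iocs_per_client.items()},
    }


def registration_lead_days(created_iso: str, flagged_iso: str) -> int:
    """Days a domain sat registered (WHOIS creation date) before being flagged."""
    created = date.fromisoformat(created_iso)
    flagged = date.fromisoformat(flagged_iso)
    return (flagged - created).days


if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS_LOG))
    # Constructed dates; the post reports a 122-804 day lead for six domains.
    print(registration_lead_days("2023-11-01", "2025-12-31"))
```

Clients that repeatedly resolve IoC domains (10.0.4.17 in the sample) are the ones to pull endpoint telemetry for first; a large registration lead time on a flagged domain is a hint that the same registrant footprint (WHOIS emails, name servers) may be worth pivoting on, as the post does.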


Read more: https://circleid.com/posts/probing-the-dns-depths-of-peckbirdy