
Probing the DNS Depths of PeckBirdy

Trend Micro recently published its report on PeckBirdy, a JavaScript-based C&C framework that China-aligned APT actors have been using since 2023. The framework was designed to run across multiple environments, which gives its operators flexible deployment options.

So far, two modular backdoors (HOLODONUT and MKDOOR), multiple attack vectors, Cobalt Strike payloads signed with a stolen code-signing certificate, and exploits (CVE-2020-16040) have appeared alongside PeckBirdy in various campaigns.

The researchers also identified 36 network IoCs related to the threat. After extracting the unique registrable domains from the subdomains tagged as IoCs, our working set grew to 56 IoCs in all: 28 domains, 20 subdomains, and eight IP addresses. Our analysis led to these discoveries:

  • Three unique client IP addresses communicated with one domain classified as an IoC
  • Six domains identified as IoCs were registered with malicious intent 122 to 804 days before being dubbed as such
  • 64 email-connected domains
  • 23 additional IP addresses, 20 of which turned out to be malicious
  • Two IP-connected domains
  • 18,188 string-connected domains, 49 of which turned out to be malicious

Note that before embarking on the in-depth IoC investigation, we first assessed the legitimacy of the 28 domains identified as IoCs with the help of the WhoisXML API MCP Server. All 28 were confirmed to be illegitimate.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Scrutinizing the Subdomain IoCs

We queried the 20 subdomains tagged as IoCs on Jake AI and found out that two—update[.]myrnicrosoft[.]com and updates[.]oss-cdn[.]com—have already been involved with distributing malware.

Jake AI result for the subdomain update[.]myrnicrosoft[.]com

The remaining subdomains were flagged as either compromised (their parent domains appear legitimate) or suspicious, the latter mainly because their parent domains look like typosquats of well-known brands.
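The typosquatting pattern behind names such as update[.]myrnicrosoft[.]com ("rn" standing in for "m") and a1icdn[.]com ("1" standing in for "l") can be checked mechanically: collapse each subdomain IoC to its registrable domain, fold visually confusable character sequences, and compare the result against a brand list both as a substring and at edit distance one. The script below is an added example, not code from the Trend Micro report or from WhoisXML API. The brand list, the homoglyph table and the two-level public-suffix stub are assumptions chosen to cover the names quoted in this write-up; the list of IoCs it triages is copied from the page.

```python
"""Homoglyph-aware typosquat check for the PeckBirdy domain IoCs.

Added example, not code from the Trend Micro report or from WhoisXML API.
The brand list, the homoglyph table and the two-level public-suffix stub are
assumptions chosen to cover the names quoted in the write-up; in production
use the Public Suffix List and your own brand inventory.
"""
import re

# Visually confusable sequences, folded in this order so "rn" collapses before
# any single-character rule could touch the "n". (Assumed table, not exhaustive.)
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]

# Stub for suffixes where the registrable domain has three labels (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.cn", "com.au", "co.jp"}

# Brands the IoC labels are compared against (assumption).
BRANDS = ["microsoft", "alicdn", "unpkg", "github"]

# Subdomain and domain IoCs quoted in the write-up.
PAGE_IOCS = [
    "update[.]myrnicrosoft[.]com", "updates[.]oss-cdn[.]com", "a1icdn[.]com",
    "static-alicdn[.]com", "jsunpkg[.]com", "microsoft-ads[.]com",
    "githubgressaccess[.]info", "img-cache[.]com", "js-cdn[.]xyz",
]


def refang(domain):
    """Turn the write-up's 'example[.]com' notation back into a plain name."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def registrable_domain(fqdn):
    """Collapse a subdomain IoC to the domain its registrant controls."""
    labels = refang(fqdn).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize_homoglyphs(label):
    """Fold confusable sequences so 'myrnicrosoft' reads as 'mymicrosoft'."""
    for glyph, canon in HOMOGLYPHS:
        label = label.replace(glyph, canon)
    return label


def levenshtein(a, b):
    """Plain edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_hits(domain, brands=BRANDS):
    """Return (brand, reason) pairs for the registrable label; [] means no resemblance."""
    sld = registrable_domain(domain).split(".")[0]
    folded = normalize_homoglyphs(sld)
    hits = []
    for brand in brands:
        if brand in folded:
            reason = "contains brand" if brand in sld else "contains brand after homoglyph folding"
            hits.append((brand, reason))
            continue
        # Hyphenated tokens one edit away from a brand ("micrsoft-update") also count.
        for tok in re.split(r"[-_]", folded):
            if tok and levenshtein(tok, brand) == 1:
                hits.append((brand, "one edit from brand"))
                break
    return hits


def triage(iocs=PAGE_IOCS):
    """Map each unique registrable domain in the IoC list to its brand hits."""
    return {d: typosquat_hits(d) for d in sorted({registrable_domain(i) for i in iocs})}


if __name__ == "__main__":
    for dom, hits in triage().items():
        print(f"{dom:28} {hits or 'no brand match'}")
```

Running it flags myrnicrosoft[.]com, a1icdn[.]com, static-alicdn[.]com, jsunpkg[.]com, microsoft-ads[.]com and githubgressaccess[.]info, and leaves oss-cdn[.]com, img-cache[.]com and js-cdn[.]xyz as generic CDN-styled names that need the DNS and WHOIS pivots described below rather than a lexical test.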

Dissecting the DNS Traces of the Domain IoCs

Sample network traffic data from the IASC revealed that three unique client IP addresses under two distinct ASNs communicated with a domain classified as an IoC via 91 DNS queries made between 31 December 2025 and 29 January 2026.

We then scoured the First Watch Malicious Domains Data Feed for the 28 domains identified as IoCs and found that six had been flagged 122 to 804 days before they were publicly dubbed malicious.

DOMAIN IoC        FIRST WATCH INCLUSION DATE   NUMBER OF DAYS BEFORE BEING REPORTED AS IoC
mkdmcdn[.]com     11/14/23                     804
ppcn-cdn[.]xyz    03/12/24                     685
jsunpkg[.]com     04/07/24                     659

Next, we queried the 28 domains identified as IoCs on WHOIS API and discovered that:

  • They were created between 30 November 2017 and 29 November 2025.
  • They were administered by nine different registrars.
  • They were registered in seven different countries.

DNS Chronicle API queries for the 28 domains tagged as IoCs showed that 22 had recorded 2,205 historical domain-to-IP resolutions over time. While the domain img-cache[.]com posted the oldest first resolution date, githubgressaccess[.]info recorded the latest.

DOMAIN IoC              NUMBER OF RESOLUTIONS   FIRST RESOLUTION DATE   LAST RESOLUTION DATE
img-cache[.]com         68                      12/10/17                12/07/18
microsoft-ads[.]com     90                      07/27/19                08/16/20
a1icdn[.]com            58                      08/31/19                01/27/26
js-cdn[.]xyz            55                      07/30/20                01/27/26
static-alicdn[.]com     79                      09/03/21                01/27/26

Grouping the domains by first resolution date also suggests they were brought online in waves, each likely serving one campaign: two in 2019, two in 2021, seven in 2023, three in 2024, and five in 2025.

Investigating the IP IoCs

We queried the eight IP addresses classified as IoCs on Bulk IP Geolocation Lookup and found out that:

  • They were geolocated in two countries, only one of which, China, also appeared as a registrant country.
  • They were administered by two ISPs.

DNS Chronicle API queries for the eight IP addresses identified as IoCs, meanwhile, showed that six recorded 58 historical IP-to-domain resolutions over time.

IP IoC                  NUMBER OF RESOLUTIONS   FIRST RESOLUTION DATE   LAST RESOLUTION DATE
8[.]218[.]50[.]207      19                      06/10/22                11/09/25
43[.]156[.]94[.]185     18                      04/03/23                09/14/25
8[.]222[.]143[.]246     9                       11/11/23                06/11/24

New Artifacts Uncloaked

We started our search for new artifacts by querying the 28 domains identified as IoCs on WHOIS History API and discovered that 21 had 35 unique email addresses in their historical WHOIS records. Upon closer investigation, we learned that five were public email addresses.

Reverse WHOIS API queries for the five public email addresses revealed that while one could belong to a domainer, the remaining four appeared in the historical WHOIS records of other domains. We uncovered 64 unique email-connected domains after those already tagged as IoCs were filtered out.

Next, we queried the 28 domains classified as IoCs on DNS Lookup API and found out that 13 currently resolved to 23 unique IP addresses not on the IoC list.

Threat Intelligence API queries for the 23 unique IP addresses revealed that 20 have already been tagged in connection with various attacks. Note that the five addresses shown below all sit in 104[.]21[.]0[.]0/16, a Cloudflare range: these are shared reverse-proxy front ends, so the phishing and malware tags on them accumulate from many unrelated tenants and do not on their own tie the addresses to PeckBirdy. Pivot on the hostnames behind them rather than on the addresses themselves.

MALICIOUS IP ADDRESS    ASSOCIATED THREAT       DATE FIRST SEEN   DATE LAST SEEN
104[.]21[.]24[.]113     Malware distribution    10/23/24          01/26/26
                        Phishing                06/30/23          01/26/26
                        Generic threat          01/27/24          01/08/26
104[.]21[.]25[.]105     Phishing                05/22/23          01/27/26
                        Malware distribution    04/11/23          01/26/26
                        Generic threat          07/01/23          11/05/25
104[.]21[.]44[.]46      Phishing                03/28/23          01/27/26
                        Malware distribution    12/08/23          01/26/26
                        Generic threat          04/03/23          11/15/25
104[.]21[.]63[.]97      Phishing                05/24/23          01/27/26
                        Malware distribution    08/25/23          01/17/26
                        Generic threat          04/28/25          01/11/26
104[.]21[.]90[.]19      Phishing                06/24/23          01/27/26
                        Malware distribution    10/05/23          01/26/26
                        Generic threat          06/17/23          10/31/25
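The expansion steps in this section (historical WHOIS emails, minus privacy-service addresses, pivoted through reverse WHOIS with domainer-scale handles and known IoCs dropped; current A records pivoted to IPs not already on the IoC list and enriched with threat tags) can be run as one offline pipeline. The script below is an added example, not WhoisXML API's code: the dictionaries stand in for WHOIS History, Reverse WHOIS, DNS Lookup and threat-intelligence responses, and every value in them is constructed except where it repeats an IoC quoted above. The privacy-service markers, the domainer threshold and the shared-CDN range table are assumptions; the last of these encodes the caveat that 104[.]16[.]0[.]0/12 is Cloudflare space and should not be reverse-pivoted as if it were actor-controlled.

```python
"""Offline IoC expansion pivot shaped like the write-up's 'New Artifacts' step.

Added example, not WhoisXML API's code. The dictionaries below are constructed
stand-ins for WHOIS History, Reverse WHOIS, DNS Lookup and threat-intel
responses; their values are made up except where they repeat IoCs from the
write-up. Privacy markers, domainer threshold and CDN ranges are assumptions.
"""
from ipaddress import ip_address, ip_network

KNOWN_IOC_DOMAINS = {"mkdmcdn.com", "ppcn-cdn.xyz", "jsunpkg.com", "a1icdn.com"}
KNOWN_IOC_IPS = {"8.218.50.207", "43.156.94.185"}

# Constructed WHOIS history: domain -> registrant emails seen over time.
WHOIS_HISTORY = {
    "mkdmcdn.com":  {"redacted@privacy-guard.example", "cdn.ops.2023@mail.example"},
    "ppcn-cdn.xyz": {"cdn.ops.2023@mail.example"},
    "jsunpkg.com":  {"whoisprotect@proxy.example", "bulkreg@domainer.example"},
    "a1icdn.com":   {"frontend.team@mail.example"},
}
# Constructed reverse-WHOIS index: email -> every domain it ever appeared on.
REVERSE_WHOIS = {
    "cdn.ops.2023@mail.example": {"mkdmcdn.com", "ppcn-cdn.xyz", "ppcn-static.xyz", "js-mirror-cdn.com"},
    "bulkreg@domainer.example": {f"parked-{i}.example" for i in range(1200)},
    "frontend.team@mail.example": {"a1icdn.com", "a1icdn.net"},
}
# Constructed current A records: domain -> IPs (203.0.113.0/24 is documentation space).
DNS_A = {
    "mkdmcdn.com":  {"8.218.50.207"},   # already an IoC, so not a new artifact
    "ppcn-cdn.xyz": {"104.21.24.113"},  # shared CDN front end
    "jsunpkg.com":  {"203.0.113.77"},   # stands in for a dedicated host
    "a1icdn.com":   set(),              # no current resolution
}
# Constructed threat-intel tags: ip -> threat categories.
THREAT_TAGS = {
    "104.21.24.113": {"phishing", "malware distribution"},
    "203.0.113.77": {"malware distribution"},
}

PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisprotect", "whoisguard")
DOMAINER_THRESHOLD = 500  # more linked domains than this: treat the handle as a domainer's
SHARED_CDN_RANGES = [ip_network("104.16.0.0/12")]  # Cloudflare; extend with other providers


def is_public_email(email):
    """Drop registrar privacy/proxy placeholders; only real handles are worth pivoting."""
    local, _, domain = email.lower().partition("@")
    return not any(m in local or m in domain for m in PRIVACY_MARKERS)


def public_emails(domains, history=WHOIS_HISTORY):
    return {e for d in domains for e in history.get(d, ()) if is_public_email(e)}


def email_connected_domains(emails, reverse=REVERSE_WHOIS, known=KNOWN_IOC_DOMAINS,
                            threshold=DOMAINER_THRESHOLD):
    """Pivot each email to its other domains, skipping domainer-scale handles and known IoCs."""
    connected, skipped = set(), set()
    for email in emails:
        linked = reverse.get(email, set())
        if len(linked) > threshold:
            skipped.add(email)
            continue
        connected |= linked - known
    return connected, skipped


def is_shared_infra(ip):
    addr = ip_address(ip)
    return any(addr in net for net in SHARED_CDN_RANGES)


def ip_connected(domains, dns=DNS_A, known=KNOWN_IOC_IPS, tags=THREAT_TAGS):
    """Current resolutions not on the IoC list, each with a threat flag and a shared-infra flag."""
    out = {}
    for d in domains:
        for ip in dns.get(d, set()) - known:
            out[ip] = {"malicious": bool(tags.get(ip)), "shared_infra": is_shared_infra(ip)}
    return out


def expand(domains=KNOWN_IOC_DOMAINS):
    emails = public_emails(domains)
    email_domains, domainers = email_connected_domains(emails)
    return {
        "public_emails": emails,
        "email_connected": email_domains,
        "domainer_emails": domainers,
        "ip_connected": ip_connected(domains),
    }


if __name__ == "__main__":
    for key, value in expand().items():
        print(f"{key}: {value}")
```

On the constructed data the pivot yields three new email-connected domains, sets aside one handle linked to 1,200 parked domains as a probable domainer, and returns two new IPs, one of which is marked as shared Cloudflare infrastructure so that a reverse-IP pivot on it is not mistaken for actor attribution.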

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

