Skip to main content
Mallory
Back to malware
MalwareUsed by 1 actorExploits 1 CVE

HOLODONUT

HOLODONUT is a .NET-based modular backdoor associated with the PeckBirdy framework and observed in campaigns tracked as SHADOW-VOID-044 and SHADOW-EARTH-045. It is deployed via a custom downloader named NEXLOAD and is described as a secondary backdoor that extends attacker capabilities beyond initial access. Reported functionality includes loading, running, and removing plugins or modules received from the server. The malware uses defense-evasion techniques including disabling or bypassing AMSI and ETW, and uses Donut to execute .NET assemblies stealthily in process memory. HOLODONUT was delivered in watering-hole activity against Chinese gambling websites where victims were redirected to fake Google Chrome update pages, and it was also observed in broader intrusions targeting Asian government entities, private organizations, and a Philippine educational institution. The activity is assessed as linked to China-aligned threat actors; SHADOW-VOID-044 has moderate-to-high confidence links to UNC3569, while HOLODONUT itself is assessed as likely linked to the WizardNet backdoor used by TheWizard. Infrastructure overlap includes HOLODONUT samples connecting to the C2 server mkdmcdn.com. It was also reported alongside other malware and tooling including MKDOOR, GRAYRABBIT, PeckBirdy, NEXLOAD, and Cobalt Strike.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2020-16040Insufficient data validation in Google Chrome V8Exploited in the wild

Delivered scripts observed include CVE-2020-16040 exploitation for Chrome, social engineering pop-ups, Electron JS backdoor delivery, and TCP reverse shell establishment.

via polyswarmblog.polyswarm.io
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
TheWizard

Associated backdoors include HOLODONUT and MKDOOR.

via polyswarmblog.polyswarm.io
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1189Drive-by CompromiseEvidence2
TacticInitial Access

"In watering-hole scenarios, malicious scripts injected into websites trigger downloads of the main PeckBirdy script upon victim visitation, often leading to fake software update pages that prompt execution of malicious files."

Execution

1 technique
T1204.002Malicious FileEvidence1
TacticExecution

"...redirecting victims to fake Google Chrome update pages that delivered malicious backdoors." and "...social engineering techniques to deceive users into executing malware."

Stealth

2 techniques
T1218.005MshtaEvidence1
TacticStealth

"...exploiting living-off-the-land binaries (LOLBins) to deliver modular backdoors... execute across multiple environments, including browsers, MSHTA, WScript... and .NET ScriptControl."

T1620Reflective Code LoadingEvidence2
TacticStealth

"Donut for in-memory execution"

Command and Control

1 technique
T1105Ingress Tool TransferEvidence1
TacticCommand and Control

"HOLODONUT... deploys via NEXLOAD downloader"; "The downloader fetches the module from C2"

Other

2 techniques
T1562.001Disable or Modify ToolsEvidence2

"HOLODONUT... employs AMSI/ETW bypass"

T1562.006Indicator BlockingEvidence1

"...defense evasion techniques including AMSI and ETW event disabling..."

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app
ctoatncsc substackNews
Feb 7, 2026
CTO at NCSC Summary: week ending February 8th

Modular backdoor used alongside PeckBirdy to extend post-compromise capability beyond the core script-based C2 framework.

Read more
gbhackersNews
Feb 2, 2026
PeckBirdy Hackers Abuse LOLBins Across Environments to Deploy Advanced Malware

.NET modular backdoor delivered by the NEXLOAD downloader; uses defense evasion (AMSI and ETW disabling) and Donut for in-memory .NET assembly execution; supports plugin handlers to dynamically load/execute/unload .NET assemblies.

Read more
dark readingNews
Jan 30, 2026
Chinese APTs Hacking Asian Orgs With High-End Malware

An advanced modular backdoor delivered via PeckBirdy in a fake Chrome update/watering-hole style infection chain, used for persistent access and follow-on activity.

Read more
scworldNews
Jan 28, 2026
PeckBirdy framework used by China-linked APTs targets gambling and government entities | SC Media

Associated backdoors identified include HOLODONUT and MKDOOR.

Read more
+6 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping7

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.