CORNFLAKE.V3 ClickFix backdoor deployment
Malware Activity
Summary
CORNFLAKE.V3 is being deployed through ClickFix, giving threat actors a backdoor path onto Windows hosts and enabling follow-on payload execution. The chain uses fake CAPTCHA pages and the Windows Run dialog box to trick users into running malicious PowerShell. The malware adds registry Run key persistence, collects system information, and hides traffic through Cloudflare tunnels, increasing stealth and post-compromise risk.
Related Happenings
Cosmali Loader delivery via Microsoft Activation Scripts typosquat
Malware Activity
First: 24.12.2025 19:44
Last: 24.12.2025 19:44
Sources: 1
About this happening:
A **typosquatted Microsoft Activation Scripts (MAS) domain** is distributing **malicious PowerShell scripts** that install **Cosmali Loader** on **Windows** systems, creating a pa...
CastleLoader malware activity using a Python-based delivery chain
Malware Activity
First: 10.12.2025 18:45
Last: 10.12.2025 18:45
Sources: 1
About this happening:
**CastleLoader** is now being delivered through a **Python-based delivery chain** that runs payloads in memory, increasing the chance of stealthy execution on **Windows** systems....
JackFix ClickFix fake-adult-site phishing campaign
Campaign
First: 25.11.2025 16:18
Last: 25.11.2025 16:18
Sources: 1
About this happening:
The **JackFix** campaign is using **fake adult websites** and **ClickFix** lures to trick users into running malicious commands, enabling an infection chain that can drop **steale...
ClickFix variants delivering LummaC2 and Rhadamanthys
Malware Activity
First: 24.11.2025 22:42
Last: 24.11.2025 22:42
Sources: 1
About this happening:
Since **October 1**, **ClickFix** variants have been using a **fake Windows Update** screen and **human verification** lures to trick Windows users into pasting commands that exec...
Tsundere botnet expanding on Windows
Malware Activity
First: 20.11.2025 18:57
Last: 20.11.2025 18:57
Sources: 1
About this happening:
The **Tsundere botnet** is actively expanding against **Windows users**, and its operators can make infected systems run arbitrary **JavaScript** from a **command-and-control serv...
Timeline
21.08.2025 19:25 · 1 article · 9mo ago
CORNFLAKE.V3 ClickFix deployment disclosure
Initial Disclosure: UNC5518 used ClickFix fake CAPTCHA pages to lure users on compromised websites into running a malicious PowerShell command through the Windows Run dialog box, leading to a dropper that checks for virtualization and launches CORNFLAKE.V3. The backdoor is seen in JavaScript and PHP versions, supports HTTP-delivered executables, DLLs, JavaScript files, batch scripts, and PowerShell commands, proxies traffic through Cloudflare tunnels, and can deliver follow-on payloads including an Active Directory reconnaissance utility, a Kerberoasting credential harvester, and WINDYTWIST.SEA.
Sources:
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages — thehackernews.com — 21.08.2025 19:25