UNC5518 deploys CORNFLAKE.V3 backdoor via ClickFix and fake CAPTCHA pages
Summary
Hide β²
Show βΌ
UNC5518, an access-as-a-service threat actor, deploys the CORNFLAKE.V3 backdoor using the ClickFix social engineering tactic and fake CAPTCHA pages. This backdoor is used by at least two other groups, UNC5774 and UNC4108, to initiate multi-stage infections and drop additional payloads. The attack begins with users being tricked into running a malicious PowerShell script via a fake CAPTCHA page. The script executes a dropper payload that ultimately launches CORNFLAKE.V3, which supports various payload types and collects system information. The backdoor has been observed in both JavaScript and PHP versions and uses Cloudflare tunnels to avoid detection. A new ClickFix variant manipulates AI-generated text summaries to deliver malicious commands, turning AI tools into active participants in social engineering attacks.
Timeline
-
25.08.2025 22:32 π° 1 articles
ClickFix exploits AI-generated summaries for malware delivery
A new ClickFix variant manipulates AI-generated text summaries to deliver malicious commands. This variant uses CSS obfuscation and 'prompt overdose' to hide malicious code, making it more likely for victims to follow the instructions without suspicion. AI summarizers can turn into active participants in social engineering attacks, highlighting the evolving tactics of social engineering and the importance of robust security measures. Organizations are advised to preprocess HTML, use prompt sanitizers, and implement payload pattern recognition to combat this threat.
Show sources
- ClickFix Attack Tricks AI Summaries Into Pushing Malware β www.darkreading.com β 25.08.2025 22:32
-
21.08.2025 19:25 π° 2 articles
UNC5518 deploys CORNFLAKE.V3 backdoor via ClickFix and fake CAPTCHA pages
UNC5518, an access-as-a-service threat actor, deploys the CORNFLAKE.V3 backdoor using the ClickFix social engineering tactic and fake CAPTCHA pages. This backdoor is used by at least two other groups, UNC5774 and UNC4108, to initiate multi-stage infections and drop additional payloads. The attack begins with users being tricked into running a malicious PowerShell script via a fake CAPTCHA page. The script executes a dropper payload that ultimately launches CORNFLAKE.V3, which supports various payload types and collects system information. The backdoor has been observed in both JavaScript and PHP versions and uses Cloudflare tunnels to avoid detection.
Show sources
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages β thehackernews.com β 21.08.2025 19:25
- ClickFix Attack Tricks AI Summaries Into Pushing Malware β www.darkreading.com β 25.08.2025 22:32
Information Snippets
-
UNC5518 uses the ClickFix tactic to deploy the CORNFLAKE.V3 backdoor.
First reported: 21.08.2025 19:25π° 2 sources, 2 articlesShow sources
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages β thehackernews.com β 21.08.2025 19:25
- ClickFix Attack Tricks AI Summaries Into Pushing Malware β www.darkreading.com β 25.08.2025 22:32
-
The initial infection vector involves fake CAPTCHA pages and malicious PowerShell scripts.
First reported: 21.08.2025 19:25π° 2 sources, 2 articlesShow sources
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages β thehackernews.com β 21.08.2025 19:25
- ClickFix Attack Tricks AI Summaries Into Pushing Malware β www.darkreading.com β 25.08.2025 22:32
-
UNC5774 and UNC4108 leverage the access provided by UNC5518 for further infections.
First reported: 21.08.2025 19:25π° 1 source, 1 articleShow sources
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages β thehackernews.com β 21.08.2025 19:25
-
CORNFLAKE.V3 supports multiple payload types and collects system information.
First reported: 21.08.2025 19:25π° 1 source, 1 articleShow sources
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages β thehackernews.com β 21.08.2025 19:25
-
The backdoor uses Cloudflare tunnels to evade detection.
First reported: 21.08.2025 19:25π° 1 source, 1 articleShow sources
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages β thehackernews.com β 21.08.2025 19:25
-
CORNFLAKE.V3 achieves persistence via Windows Registry changes.
First reported: 21.08.2025 19:25π° 1 source, 1 articleShow sources
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages β thehackernews.com β 21.08.2025 19:25
-
The backdoor delivers at least three different payloads, including an Active Directory reconnaissance utility and a Kerberoasting script.
First reported: 21.08.2025 19:25π° 1 source, 1 articleShow sources
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages β thehackernews.com β 21.08.2025 19:25
-
WINDYTWIST.SEA, a C version of WINDYTWIST, is used for lateral movement and command execution.
First reported: 21.08.2025 19:25π° 1 source, 1 articleShow sources
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages β thehackernews.com β 21.08.2025 19:25
Similar Happenings
TOR-based Cryptojacking Campaign Targets Misconfigured Docker APIs
A new variant of a TOR-based cryptojacking campaign targets misconfigured Docker APIs to propagate malware. The attack chain involves exploiting exposed Docker instances to deploy XMRig miners and reconnaissance tools. The malware also scans for additional ports and attempts to propagate via Telnet and Chromium remote debugging ports. The campaign may be setting up a complex botnet. The attack leverages Base64-encoded payloads and TOR domains for anonymity. It includes a dropper written in Go that parses user login information and uses Masscan for further propagation. The malware's source code includes an emoji, suggesting it may have been crafted using a large language model (LLM). The attackers mount the host root to the fresh container, allowing them to manipulate the host system and escape the container. The attackers modify the SSH configuration of the host system to elevate privileges and provide backdoor access. The attackers create a cron job that executes every minute to block access to the Docker APIβs port 2375, denying other attackers future access to the exposed instance. The threat actors deploy tools to perform mass scans for other open 2375 ports, which are used for malware propagation through the creation of new containers using the identified exposed APIs. The malware installs curl and tor, launches a Tor daemon, and waits for confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The malware appends an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem to enable persistent SSH access. The malware writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using available firewall utilities. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it, and runs it as a dropper. The Go binary parses the hostβs utmp file to identify logged-in users. The malware attempts to infect other exposed Docker APIs and removes competitor containers after gaining access. The malware includes inactive logic for exploiting Telnet (port 23) using default router credentials and for interacting with Chromeβs remote debugging interface (port 9222). The malware's behavior suggests it is an initial version of a complex botnet with capabilities for lateral movement, persistence, and potential future expansion for credential theft and browser hijacking. The campaign highlights the importance of securing Docker APIs and segmenting networks to prevent such attacks.
MostereRAT Malware Disables Security Tools, Targets Japanese Windows Users
A new malware campaign, tracked as MostereRAT, targets Japanese Windows users with sophisticated evasion techniques. MostereRAT disables antivirus and endpoint defenses, uses an obscure programming language, and abuses legitimate remote access tools to maintain persistent control over compromised systems. The malware's capabilities include privilege escalation, keylogging, data exfiltration, and the creation of hidden administrator accounts. The campaign's long-term objectives and the full extent of its impact remain unclear. MostereRAT employs Easy Programming Language (EPL) to evade detection and uses Windows Filtering Platform (WFP) filters to block security telemetry. The malware deploys legitimate remote access tools like AnyDesk, TigerVNC, and TightVNC, making it difficult to detect. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools to reduce the attack surface. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can run as TrustedInstaller, a built-in Windows system account with elevated permissions. MostereRAT can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool, facilitate RDP logins, and create hidden administrator accounts.
SVG Files Used to Deploy Phishing Pages in Colombian Judicial System Impersonation Campaign
A malware campaign leveraging SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system has been identified. The SVG files, distributed via email, execute JavaScript payloads to inject phishing pages and download ZIP archives. The campaign involves 523 unique SVG files that have evaded detection by antivirus engines. The earliest sample dates back to August 14, 2025. The campaign highlights the evolving tactics used by threat actors to bypass security measures and target macOS systems with information stealers like Atomic macOS Stealer (AMOS). This campaign also coincides with broader trends in cyber threats targeting macOS and gamers.
GhostRedirector Compromises 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module
GhostRedirector, a previously undocumented threat cluster, has compromised at least 65 Windows servers primarily in Brazil, Thailand, and Vietnam. The attacks, active since at least August 2024, deployed the Rungan backdoor and Gamshen IIS module. Rungan executes commands on compromised servers, while Gamshen manipulates search engine results for SEO fraud. The threat actor targets various sectors, including education, healthcare, technology, transportation, insurance, and retail, using SQL injection vulnerabilities for initial access. The group is assessed with medium confidence to be China-aligned. The operation involves using PowerShell to download malware tools and exploits like EfsPotato and BadPotato for privilege escalation.
Malicious link spreading via X's Grok AI
Threat actors exploit X's Grok AI to bypass link posting restrictions and spread malicious links. They embed links in the 'From:' metadata field of video ads, prompting Grok to reveal the links in replies. This technique, dubbed 'Grokking,' boosts the credibility and reach of malicious content, leading users to scams and malware. The abuse affects millions of users, with Grok's trusted status amplifying the spread of malicious ads. Potential solutions include scanning all fields, blocking hidden links, and sanitizing Grok's responses to prevent it from echoing malicious links. The malicious links are part of a Traffic Distribution System (TDS) used by malicious ad tech vendors, and the operation involves hundreds of organized accounts. The Grok 4 model's security is fundamentally weaker than its competitors, relying heavily on system prompts that can be easily bypassed.