EXECUTIVE SUMMARY:
A campaign has been observed involving multiple threat groups, including UNC5518 and UNC5774, resulting in the deployment of the CORNFLAKE backdoor. The initial compromise occurs through legitimate websites that have been manipulated to host fake CAPTCHA verification pages. Victims interacting with these pages inadvertently execute downloader scripts, providing attackers with an access-as-a-service entry point. UNC5518 orchestrates the initial compromise, while other threat actors, including UNC5774, leverage this access to deliver additional malware. This activity highlights the growing sophistication and collaboration among financially motivated threat actors to infiltrate enterprise environments.
The CORNFLAKE backdoor exists in multiple variants, including Node.js and PHP implementations, and retrieves payloads via HTTP from command-and-control (C2) servers. V3 extends the functionality of earlier versions by adding persistence via Windows Registry Run keys and supporting a broader range of payloads, including shell commands, executables, DLLs, and JavaScript. Infection often begins when users interact with malicious ClickFix lure pages, which prompt them to paste scripts into the Windows Run dialog. Anti-virtualization checks and environment validations are performed before execution. Once deployed, the malware gathers system information, performs host and Active Directory reconnaissance, and can attempt credential harvesting through techniques such as Kerberoasting. Payloads are downloaded, written to disk, and executed, allowing the attacker to maintain persistence, move laterally, and relay commands or TCP traffic across the network.
This campaign underscores the increasingly collaborative nature of modern cyber threats, where one group provides initial access and others deploy advanced malware to expand control over compromised environments. To reduce the risk of infection, organizations are advised to disable the Windows Run dialog where feasible, conduct regular social engineering simulations, and maintain comprehensive logging and monitoring systems to detect malware execution and subsequent network reconnaissance. Implementing these defensive measures can limit the impact of malware like CORNFLAKE.V3 and help prevent lateral movement within networks.
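As an added example (not code from the original report), the following Python scores constructed Sysmon-style registry "value set" records for the persistence pattern described above: a Run-key value pointing at a Node.js or PHP interpreter under a user profile path, written by a command shell rather than an installer. Field names follow Sysmon Event ID 13; the sample records, entry names and the alert threshold are assumptions.

```python
import re

# Constructed Sysmon-style "registry value set" (Event ID 13) records, not from the
# original report: the writing process, the registry target, and the data written.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater",
     "Details": r"C:\Users\alice\AppData\Roaming\node\node.exe C:\Users\alice\AppData\Roaming\node\loader.js"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\php",
     "Details": r"C:\Users\alice\AppData\Local\Temp\php\php.exe -f C:\Users\alice\AppData\Local\Temp\php\main.php"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",
     "Details": "DWORD (0x00000001)"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Interpreters the report ties to CORNFLAKE (Node.js, PHP) plus script hosts often used to stage them.
INTERPRETER = re.compile(r"\b(node|php|wscript|cscript|mshta|powershell)\.exe\b", re.IGNORECASE)
# Writers that are command shells rather than an installer or a service binary.
SHELL_WRITER = re.compile(r"\\(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$", re.IGNORECASE)
# Run values whose target lives in a user-writable profile location.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def classify_run_key_write(event):
    """Return why a Run-key write looks like CORNFLAKE-style persistence ([] if not a Run-key write or no indicators)."""
    if not RUN_KEY.search(event["TargetObject"]):
        return []
    reasons = []
    if INTERPRETER.search(event["Details"]):
        reasons.append("interpreter in Run value")
    if USER_WRITABLE.search(event["Details"]):
        reasons.append("payload under user profile")
    if SHELL_WRITER.search(event["Image"]):
        reasons.append("written by a command shell")
    return reasons


def alerts(events, threshold=2):
    """Map each Run entry name showing at least `threshold` indicators to its reasons."""
    out = {}
    for ev in events:
        reasons = classify_run_key_write(ev)
        if len(reasons) >= threshold:
            out[ev["TargetObject"].rsplit("\\", 1)[-1]] = reasons
    return out
```

The benign vendor installer and the NoRun policy write score nothing, while both interpreter-based entries trip all three indicators.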
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1190 | Exploit Public-Facing Application | - |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Discovery | T1087.002 | Account Discovery | Domain Account |
| Discovery | T1018 | Remote System Discovery | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Credential Access | B0028 | Cryptocurrency |
| Discovery | E1082 | System Information Discovery |
| Discovery | E1083 | File and Directory Discovery |
| Discovery | E1010 | Application Window Discovery |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
REFERENCES:
The following reports contain further technical details: