Current Cyber Threats

A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor

Summary:
Mandiant's investigation, detailed in a Google Cloud blog post, uncovered a collaborative cyber threat campaign involving two financially motivated groups, UNC5518 and UNC5774. The campaign begins with UNC5518, which compromises legitimate websites and uses ClickFix techniques to deliver malware to their visitors (the potential victims). The lure tricks users into executing a downloader script that starts the malware infection chain. UNC5518 effectively operates as an "access-as-a-service" provider, selling this initial access to other malicious actors. In this case, the access was used by UNC5774 to deploy the CORNFLAKE.V3 backdoor.

CORNFLAKE.V3 is a versatile backdoor observed in both JavaScript and PHP variants. It can retrieve and execute a wide range of payloads, including shell commands, executables, and DLLs, which it writes to disk. The malware also collects basic system information and sends it to a remote server, and some instances were observed abusing Cloudflare Tunnels to proxy that traffic. The V3 variant, an update of CORNFLAKE.V2, adds host persistence via a registry Run key and support for additional payload types. The attackers' subsequent reconnaissance and credential harvesting activity indicates an intention to move laterally and expand their foothold within targeted environments.

Security Officer Comments:
This campaign is an example of the increasing specialization and collaborative nature of cybercrime. The model of one group, UNC5518, focusing on initial access and then selling it to a second group, UNC5774, highlights a modernized and efficient criminal ecosystem. This kind of collaboration is seen not only between cybercriminal groups but also among nation-state APT groups. The division of labor allows each group to hone a specific skill set, whether initial access or payload delivery, which in theory makes both more effective. The use of a simple social-engineering lure like ClickFix shows a low-tech entry vector, while the CORNFLAKE.V3 backdoor itself shows a high level of technical sophistication from the adversary. Its ability to achieve persistence and to hide behind legitimate services like Cloudflare Tunnels underscores the need for organizations to update their detections and focus on behavioral analytics that identify post-compromise activity.

Suggested Corrections:
IOCs are available here.

Mandiant Recommendations:
To mitigate malware execution through ClickFix, organizations should disable the Windows Run dialog box where possible. Regular simulation exercises are crucial to counter this and other social engineering tactics. Furthermore, robust logging and monitoring systems are essential for detecting the execution of subsequent payloads, such as those associated with CORNFLAKE.V3.
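The logging and monitoring the recommendation above calls for can be reduced to a few behavioral rules. The script below is an added example, not code from Mandiant or the Google Cloud post: it runs two detections over constructed Sysmon-style event records (EventID 1 process creation, EventID 13 registry value set). The first flags writes to the HKCU/HKLM Run and RunOnce autostart keys, which is where the post says CORNFLAKE.V3 persists, and rates them higher when the value points at a script host or a user-writable path. The second flags a script interpreter launched directly by explorer.exe, which is what a command pasted into the Run dialog looks like in process telemetry. The sample events, SIDs, paths and the list of script hosts are assumptions for illustration and would need tuning against real telemetry.

```python
"""Toy behavioral detections for Run-key persistence and shell-spawned
script hosts.  Added example; the events below are constructed sample
data, not indicators from the report."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Autostart locations: ...\Microsoft\Windows\CurrentVersion\Run\ or RunOnce\
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Paths an unprivileged user can write to (assumption: good enough for a toy).
USER_WRITABLE_RE = re.compile(
    r"\\(Users|ProgramData)\\|\\AppData\\|\\Temp\\", re.IGNORECASE)
# Script hosts / interpreters a pasted ClickFix command or a JS/PHP backdoor
# would run under.  Assumed list; node.exe/php.exe cover the JS and PHP
# variants the report describes.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "node.exe", "php.exe"}


@dataclass
class Event:
    event_id: int               # 1 = process creation, 13 = registry value set
    image: str = ""             # process that performed the action
    parent_image: str = ""      # parent process (EventID 1)
    command_line: str = ""      # command line (EventID 1)
    target_object: str = ""     # registry path written (EventID 13)
    details: str = ""           # value data written (EventID 13)


@dataclass
class Finding:
    rule: str
    severity: str
    event: Event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_run_key_persistence(ev: Event) -> Optional[Finding]:
    """Any write under a Run/RunOnce key is worth a look; escalate when the
    value launches a script host or something in a user-writable location."""
    if ev.event_id != 13 or not RUN_KEY_RE.search(ev.target_object):
        return None
    data = ev.details.lower()
    suspicious = (any(host in data for host in SCRIPT_HOSTS)
                  or USER_WRITABLE_RE.search(ev.details) is not None)
    return Finding("run_key_persistence", "high" if suspicious else "low", ev)


def detect_explorer_spawned_script_host(ev: Event) -> Optional[Finding]:
    """explorer.exe directly launching an interpreter is how a command typed
    into the Run dialog shows up.  Users also open cmd/powershell this way,
    so this is medium severity and needs baselining in a real deployment."""
    if ev.event_id != 1 or basename(ev.parent_image) != "explorer.exe":
        return None
    if basename(ev.image) not in SCRIPT_HOSTS:
        return None
    return Finding("explorer_spawned_script_host", "medium", ev)


RULES = [detect_run_key_persistence, detect_explorer_spawned_script_host]


def scan(events: List[Event]) -> List[Finding]:
    """Apply every rule to every event, in order; collect the hits."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample telemetry (SIDs, paths and names are made up).
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line='powershell.exe -NoProfile -Command "<constructed placeholder>"'),
    Event(13, image=r"C:\Windows\System32\wscript.exe",
          target_object=r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows"
                        r"\CurrentVersion\Run\SystemUpdater",
          details=r"wscript.exe C:\Users\alice\AppData\Roaming\updater.js"),
    Event(1, image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          parent_image=r"C:\Windows\explorer.exe", command_line="chrome.exe"),
    Event(13, image=r"C:\Windows\System32\msiexec.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
          details=r"C:\Program Files\Vendor\agent.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.event.image}")
```

Run as a script it reports three findings: the PowerShell launch from explorer.exe (medium), the Run key value pointing at a .js file under AppData (high), and the installer-written Run key entry under Program Files (low, kept for review rather than dropped).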

Link(s):
https://thehackernews.com/2025/08/cybercriminals-deploy-cornflakev3.html

https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor