A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor

Aug. 21, 2025, 12:23 p.m.

Description

This analysis details a campaign involving two threat groups, UNC5518 and UNC5774, deploying the CORNFLAKE.V3 backdoor. UNC5518 compromises legitimate websites to serve fake CAPTCHA pages, luring visitors to execute a downloader script. UNC5774 then uses this access to deploy CORNFLAKE.V3, a sophisticated backdoor with variants in JavaScript and PHP. The malware collects system information, establishes persistence, and can execute various payloads including shell commands, executables, and DLLs. It communicates with command and control servers using HTTP and can abuse Cloudflare Tunnels for traffic proxying. The campaign also involves active directory reconnaissance and credential harvesting attempts via Kerberoasting.

External References

https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor
https://otx.alienvault.com/pulse/68a6827e930a07d2130dda50
Tags
backdoor
node.js
clickfix
php
2025-08-21
cornflake.v3
windytwist.sea
kerberoasting

Date

  • Created: Aug. 21, 2025, 2:20 a.m.
  • Published: Aug. 21, 2025, 2:20 a.m.
  • Modified: Aug. 21, 2025, 12:23 p.m.

Attack Patterns

  • WINDYTWIST.SEA
  • CORNFLAKE.V3
  • UNC5518 and UNC5774