- Attackers use fake CAPTCHA pages to lure users into infecting their own systems with a backdoor named CORNFLAKE.V3.
- The threat group tracked as UNC5518 sells the resulting access to other groups, which monetize it by deploying additional malware.
- CORNFLAKE.V3 can execute multiple payload types, collect system information, and maintain persistence on infected hosts.
- A related campaign uses infected USB drives to spread cryptocurrency mining software such as XMRig.
- Disabling the Windows Run dialog and monitoring for suspicious script execution can reduce the risk of infection.
A campaign that uses fake CAPTCHA pages to spread a versatile backdoor named CORNFLAKE.V3 was detailed in research published on August 21, 2025. The campaign, observed by Google-owned Mandiant, targets users worldwide and relies on social engineering rather than a software vulnerability to gain initial access and monetize infected systems.
The group behind the lures, tracked as UNC5518, tricks users into running a malicious script by prompting them to copy a command and execute it in the Windows Run dialog. Mandiant identified two other groups, UNC5774 and UNC4108, that use the access UNC5518 provides to launch follow-on attacks, including delivery of their own payloads and system-control tools.
The infection begins when a user clicks a manipulated search result or advertisement that leads to a fake CAPTCHA page. Once the user runs the supplied command, the machine downloads additional malware. The CORNFLAKE.V3 backdoor then checks whether it is running inside a virtual machine and establishes communication with its command-and-control servers, often routing traffic through Cloudflare tunnels to evade detection.
CORNFLAKE.V3 exists in both JavaScript and PHP variants. It can deliver several kinds of payloads, including executables and PowerShell scripts, and collects basic system information from the host. Persistence is achieved through changes to the Windows Registry. Observed payloads include utilities for network reconnaissance, credential harvesting, and a second backdoor, WINDYTWIST.SEA, which provides remote shell access.
A related campaign, active since September 2024, continues to use infected USB drives to install cryptocurrency miners such as XMRig, which mines Monero and other coins. Attackers trick users into opening shortcut files on compromised drives, which starts a chain of scripts and payloads that includes the tools tracked as DIRTYBULK, CUTFAIL, and PUMPBENCH.
Researchers recommend disabling the Windows Run dialog, running regular security awareness exercises, and improving monitoring for suspicious PowerShell and script execution. Mandiant notes that initial access through USB drives remains highly effective because it is cheap and bypasses many perimeter defenses. Full details are available in Google's threat intelligence blog and the accompanying community blog post.
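The two defensive measures above can be applied and checked on a single host with a short PowerShell script. The following is an added example written for this article, not code from Mandiant's report or from the campaign; the regular expression of suspicious tokens is an assumption based on how Run-dialog lures generally work, not a list of indicators published on the page. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the Mandiant report): harden and hunt for Run-dialog abuse
# on one Windows host. Patterns below are assumptions, not published indicators.

# 1. Disable the Run dialog for the current user. This is the Explorer policy value
#    set by the "Remove Run menu from Start Menu" Group Policy (NoRun = 1).
#    The change takes effect at the user's next logon.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'NoRun' -Value 1 -Type DWord

# 2. Hunt the Run dialog history (RunMRU). A victim of a fake-CAPTCHA lure pastes the
#    attacker's one-liner here, so entries that launch a script host with download,
#    hidden-window or encoded-command options deserve a closer look.
#    -match is case-insensitive in PowerShell, so the pattern is written in lowercase.
$suspicious = @(
    'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'cmd(\.exe)?\s',
    'curl', 'bitsadmin', 'certutil',
    '-enc', '-e\s', '-w(indow(style)?)?\s+h', 'hidden',
    'iex', 'invoke-expression', 'irm', 'invoke-restmethod',
    'downloadstring', 'frombase64string', 'http'
) -join '|'

$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
if (Test-Path $runMru) {
    Get-ItemProperty -Path $runMru |
        Select-Object -Property * -ExcludeProperty MRUList, PS* |
        ForEach-Object { $_.PSObject.Properties } |
        ForEach-Object {
            # Explorer stores each entry as "<command>\1"; strip the trailing marker.
            $cmd = ([string]$_.Value) -replace '\\1$', ''
            if ($cmd -match $suspicious) {
                [pscustomobject]@{ Source = 'RunMRU'; Slot = $_.Name; Command = $cmd }
            }
        }
}

# 3. Check PowerShell Script Block Logging (Event ID 4104) for the same download-and-run
#    idioms over the last 7 days. This requires the "Turn on PowerShell Script Block
#    Logging" policy to already be enabled; without it the query simply returns nothing.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'iex|invoke-expression|irm|invoke-restmethod|downloadstring|frombase64string' } |
    Select-Object TimeCreated,
                  @{ Name = 'Snippet'; Expression = { (($_.Message -split "`n")[0..2]) -join ' ' } }
```

Step 1 is the per-user form of the control; in a domain the same value is normally pushed through Group Policy so users cannot undo it. Steps 2 and 3 are triage aids, not a detection engine: a hit in RunMRU means a command of that shape was typed or pasted into the Run dialog at some point, which is exactly the user action the fake CAPTCHA page asks for, so any match should be followed by a look at process creation and network events around the same time.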
