BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Hackers Use Fake CAPTCHAs, USBs to Spread CORNFLAKE and XMRig

Fake CAPTCHA Pages Used to Deploy CORNFLAKE.V3 Backdoor in Global Malware Campaigns

  • Attackers use fake CAPTCHA pages to lure users into infecting systems with a backdoor named CORNFLAKE.V3.
  • The threat group tracked as UNC5518 sells access which other groups monetize through additional Malware deployment.
  • CORNFLAKE.V3 is capable of executing multiple payloads, gathering data, and maintaining persistence on hosts.
  • Malware campaigns also use infected USB drives to spread cryptocurrency mining software like XMRig.
  • Disabling the Windows Run dialog and monitoring suspicious script execution may help reduce risk of infection.

A new cyberattack method uses fake CAPTCHA pages to spread a versatile backdoor named CORNFLAKE.V3, according to research published on August 21, 2025. The campaign, observed by Google-owned Mandiant, targets users worldwide by exploiting social engineering tactics to gain unauthorized access and monetize infected systems.

- Advertisement -

The attack group, known as UNC5518, tricks users into running a malicious script by prompting them to copy and execute a command via the Windows Run dialog box. Mandiant identified two other groups, UNC5774 and UNC4108, that utilize the access provided by UNC5518 to launch further attacks, including payload delivery and system control tools.

The infection begins when a user interacts with a manipulated search result or ad, leading to a fake CAPTCHA page. After the user executes the supplied script, the computer downloads additional malware. The CORNFLAKE.V3 backdoor then checks if it is running in a virtual machine and establishes communication with external servers, often routing traffic through Cloudflare tunnels to avoid detection.

CORNFLAKE.V3 has versions in JavaScript and PHP. It delivers various types of files, including executables and PowerShell scripts, and collects basic system information. Persistence is achieved through changes to the Windows Registry. Delivered payloads can include utilities for network reconnaissance, credential harvesting, and another backdoor called WINDYTWIST.SEA, which provides remote shell access.

A related campaign continues to use infected USB drives to install cryptocurrency miners, like XMRig for Monero and other coins, since September 2024. Attackers trick users into running shortcuts on compromised drives, which initiates a chain of scripts and payloads with tools such as DIRTYBULK, CUTFAIL, and PUMPBENCH.

- Advertisement -

Researchers recommend disabling the Windows Run dialog, conducting regular security awareness drills, and improving monitoring for suspicious PowerShell and script execution. Mandiant notes that initial access through USB drives remains highly effective due to its low cost and ability to bypass many standard defenses. Full details and reports are available in Google’s threat blog and the community blog.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

China-linked hackers target Indian taxpayers via tax phishing

A suspected China-nexus cyber campaign named Operation DragonReturn is targeting Indian taxpayers and financial...

Alphabet Launches Two New AI Models, Eyes Stock Boost

Alphabet launches two new AI models, Nano Banana 2 Lite and Gemini Omni Flash,...

Nvidia’s Kyber AI rack delayed to 2028: report

NVIDIA's next-generation Kyber server rack, designed for Rubin Ultra chips, is delayed to 2028...

TrojPix Air-Gap Attack Uses Monitor Cables

Researchers at Shandong University have demonstrated a new covert data exfiltration technique called TrojPix.The...

Bitcoin Reclaims $63k as Crypto Market Sees July Reversal

Bitcoin (BTC) reclaimed $63,000 in early July 2026, signaling a market reversal after a...

Must Read

Tutorial: How to Buy a Domain Name Permanently? (Super Easy)

Are you ready to establish a permanent online presence and you want to buy a domain forever?In this tutorial, we'll show you how to...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading