Threat Report

A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor A detailed analysis of a campaign involving two threat groups deploying the CORNFLAKE.V3 backdoor.

Threat Overview

The recent threat report published by AlienVault on August 21, 2025, details an intricate cyber campaign orchestrated by two distinct threat groups: UNC5518 and UNC5774. This campaign involves the deployment of a sophisticated backdoor known as CORNFLAKE.V3. The malware is designed to infiltrate systems through compromised websites and execute various malicious activities.

UNC5518 initiates the attack by compromising legitimate websites, redirecting visitors to fake CAPTCHA pages that lure them into executing a downloader script. Once this initial access is established, UNC5774 takes over, deploying CORNFLAKE.V3. This backdoor comes in variants written in JavaScript and PHP, enabling it to collect system information, establish persistence, and execute diverse payloads such as shell commands, executables, and DLLs.

The malware communicates with command and control (C2) servers using HTTP and can abuse Cloudflare Tunnels for traffic proxying. Additionally, the campaign involves active directory reconnaissance and credential harvesting attempts via Kerberoasting, making it a multifaceted threat to organizational security.

Detailed Analysis

CORNFLAKE.V3 is a sophisticated backdoor that poses significant risks due to its advanced capabilities and stealthy operations. The malware’s ability to collect system information allows attackers to gain detailed insights into the compromised environment, facilitating further exploitation.

The use of JavaScript and PHP variants enables CORNFLAKE.V3 to operate across different platforms and environments, increasing its versatility and reach. By establishing persistence on infected systems, the backdoor ensures long-term access for the threat actors, allowing them to execute various malicious activities over extended periods.

One of the key features of CORNFLAKE.V3 is its ability to execute diverse payloads. This includes shell commands, executables, and DLLs, providing attackers with a wide range of options for compromising systems and exfiltrating data. The malware’s communication with C2 servers via HTTP adds an additional layer of complexity, making it challenging for security tools to detect and mitigate the threat.

The abuse of Cloudflare Tunnels for traffic proxying further enhances the stealthiness of CORNFLAKE.V3. By routing traffic through legitimate services, the malware can evade detection and maintain its presence on compromised networks undetected.

Active directory reconnaissance and credential harvesting via Kerberoasting are critical components of this campaign. These activities enable threat actors to map out the network infrastructure, identify high-value targets, and gain unauthorized access to sensitive systems and data.

Operational Security Measures

While CORNFLAKE.V3 implements various operational security measures, its sophisticated techniques make it a formidable adversary. The use of legitimate services for traffic proxying and the ability to execute diverse payloads highlight the need for advanced detection and mitigation strategies.

The malware’s stealthy operations and persistence mechanisms pose significant challenges for security analysts. Organizations must adopt proactive approaches to identify and neutralize such threats effectively.

Recommendations for Mitigation

To mitigate the risks associated with CORNFLAKE.V3, organizations should consider implementing the following measures:

• Network Segmentation: Divide the network into smaller segments to limit lateral movement and contain potential breaches. Implement strict access controls between segments to prevent unauthorized access.
• Regular Updates: Ensure all systems and software are up-to-date with the latest security patches. This includes firewalls, operating systems, and applications, addressing known vulnerabilities that can be exploited by malware like CORNFLAKE.V3.
• Intrusion Detection Systems: Deploy intrusion detection systems (IDS) to monitor network traffic for signs of malicious activity. IDS can help detect and alert on suspicious traffic patterns, enabling quick responses to potential threats.
• Endpoint Protection: Implement endpoint protection solutions to detect and block malware on individual devices. This helps prevent initial infections and limits the spread of malware within the network.
• Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. Include phishing simulations, training on recognizing suspicious emails, and best practices for password security.
• Regular Backups: Maintain regular backups of critical data to ensure it can be restored in the event of a ransomware attack or data loss. Store backups offline or in separate network segments to prevent them from being encrypted or deleted by malware.
• Incident Response Plan: Develop and maintain an incident response plan to ensure quick and effective responses to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.

By implementing these measures, organizations can significantly reduce the risk of falling victim to CORNFLAKE.V3 and other sophisticated malware threats.