Cybercriminals Exploit ClickFix to Deploy CORNFLAKE.V3 Backdoor: What You Need to Know


Introduction: Hidden Threats Behind ClickFix

Cybersecurity experts are raising alarms over a new wave of sophisticated attacks exploiting a deceptive tactic known as ClickFix. This method is being used to deliver a powerful backdoor malware called CORNFLAKE.V3. Threat actors are increasingly monetizing initial system access through fake CAPTCHA pages and social engineering schemes, putting organizations and individuals at serious risk.

ClickFix and CORNFLAKE.V3: The Attack Uncovered

Researchers at Mandiant, a Google-owned cybersecurity firm, have identified a campaign tracked as UNC5518. This campaign leverages ClickFix—a tactic where users are lured into copying and executing malicious PowerShell scripts via the Windows Run dialog. Once executed, these scripts initiate a multi-stage infection, eventually installing the CORNFLAKE.V3 backdoor.

The malware is versatile, supporting payload execution via HTTP, including executables, DLLs, JavaScript files, batch scripts, and PowerShell commands. It also collects basic system information and sends it to external servers, often masked through Cloudflare tunnels to avoid detection.

Multi-Stage Exploitation by Multiple Groups

UNC5518’s access is used by at least two separate threat groups:

UNC5774: Financially motivated, uses CORNFLAKE.V3 to deploy additional malicious payloads.
UNC4108: Motivation unknown, deploys tools like VOLTMARKER and NetSupport RAT.

The infection often begins when victims encounter fake CAPTCHA verification pages, typically appearing through SEO-poisoned search results or malicious advertisements. Users unknowingly run malicious PowerShell commands, triggering the next-stage dropper payload from a remote server.

CORNFLAKE.V3 Capabilities and Persistence

CORNFLAKE.V3 is an upgraded version of CORNFLAKE.V2. Unlike its predecessor, which acted solely as a downloader, V3 supports host persistence via Windows Registry changes and delivers multiple payloads:

Active Directory reconnaissance tools

Kerberoasting scripts for credential harvesting

WINDYTWIST.SEA backdoor for reverse shell access, TCP traffic relays, and lateral movement

USB-Based Cryptocurrency Mining Attacks

In a separate but related campaign, threat actors continue using infected USB drives to spread malware and deploy cryptocurrency miners, including XMRig. The infection chain involves:

Execution of malicious Windows shortcuts (LNK files) on USB drives

Launching Visual Basic scripts and batch files

Deployment of a series of malware components like DIRTYBULK, CUTFAIL, HIGHREPS, and PUMPBENCH

PUMPBENCH specifically enables reconnaissance, remote access, and cryptocurrency mining while propagating the infection through connected USB drives.
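The following PowerShell script is an added defensive example written for this post; it is not code from the article, from Mandiant, or from any of the malware families named above. It applies the documented "Removable Disks: Deny execute access" policy and then audits every attached removable drive for shortcut (.lnk) files whose target is a script host or shell, which is the lure shape described in the LNK-to-script chain above. The function name, the script-host list, and the property names in the output object are our own choices; the device-class GUID is the one used by that policy and should be confirmed against your organization's GPO template before fleet deployment.

```powershell
# Added example (not from the article or Mandiant): harden and audit removable
# media against the LNK -> script -> miner chain described in the article.
# Run from an elevated PowerShell session on a Windows endpoint.
# Assumed/constructed names: Get-SuspiciousRemovableShortcuts and $scriptHosts are ours.

# 1. Deny execute access on removable disks via the documented
#    "Removable Disks: Deny execute access" policy. The GUID is the removable-disk
#    device class that policy targets; verify it against your GPO template.
$classGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$rsdPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$classGuid"
if (-not (Test-Path $rsdPolicy)) { New-Item -Path $rsdPolicy -Force | Out-Null }
Set-ItemProperty -Path $rsdPolicy -Name 'Deny_Execute' -Type DWord -Value 1

# 2. Audit: list shortcuts on attached removable drives whose target is a script host
#    or shell. A .lnk on a USB stick that launches wscript/cmd/powershell instead of
#    opening a document is worth a closer look and a ticket.
$scriptHosts = 'wscript', 'cscript', 'cmd', 'powershell', 'pwsh', 'mshta', 'rundll32'

function Get-SuspiciousRemovableShortcuts {
    $shell = New-Object -ComObject WScript.Shell
    # Win32_LogicalDisk DriveType 2 = removable disk
    $removable = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 }
    foreach ($disk in $removable) {
        $root = $disk.DeviceID + '\'
        Get-ChildItem -Path $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $target = [System.IO.Path]::GetFileNameWithoutExtension($lnk.TargetPath)
                if ($scriptHosts -contains $target.ToLower()) {
                    [pscustomobject]@{
                        Drive     = $disk.DeviceID
                        Shortcut  = $_.FullName
                        Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                    }
                }
            }
    }
}

Get-SuspiciousRemovableShortcuts | Format-List
```

The policy change blocks execution from removable disks for the machine; the audit function is read-only and can be run on its own, for example from a helpdesk workstation when a suspicious drive is handed in. A hit is an indicator to investigate, not proof of infection, since legitimate portable tools also ship .lnk files pointing at cmd.exe.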

Mitigation Strategies

Mandiant advises organizations to disable the Windows Run dialog where feasible, implement rigorous simulation exercises, and maintain strong logging and monitoring systems to detect early signs of malware execution and lateral movement.
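As an added example of the two mitigations just described (not code from the article or from Mandiant), the PowerShell script below removes the Run dialog for the current user with the documented Explorer "NoRun" policy, enables PowerShell script block logging, and then hunts the resulting event ID 4104 records for script blocks that combine the traits a pasted ClickFix one-liner typically has: a hidden window, a base64-encoded command, and a download-and-evaluate step. The pattern list, the scoring threshold, and the function name are our own assumptions, not Mandiant indicators.

```powershell
# Added example (not from the article or Mandiant): apply the Run-dialog and logging
# mitigations, then hunt script-block logs for ClickFix-style one-liners.
# Run from an elevated PowerShell session on a Windows endpoint.
# Assumed/constructed names: $suspiciousPatterns and Find-ClickFixScriptBlocks are ours.

# 1. Remove the Run dialog (Win+R) for the current user via the Explorer policy
#    value "NoRun". Deploy the same setting through GPO for fleet-wide coverage.
$runPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $runPolicy)) { New-Item -Path $runPolicy -Force | Out-Null }
Set-ItemProperty -Path $runPolicy -Name 'NoRun' -Type DWord -Value 1

# 2. Turn on script block logging so every executed block is written to
#    Microsoft-Windows-PowerShell/Operational as event ID 4104.
$sblPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sblPolicy)) { New-Item -Path $sblPolicy -Force | Out-Null }
Set-ItemProperty -Path $sblPolicy -Name 'EnableScriptBlockLogging' -Type DWord -Value 1

# 3. Hunt: score recent 4104 events. Each regex is one trait of a pasted lure;
#    a block matching several at once is what we want an analyst to look at.
$suspiciousPatterns = @(
    '-(w|win|windowstyle)\s+hidden',
    '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}',
    'invoke-expression|\biex\b',
    'downloadstring|invoke-webrequest|\biwr\b|\bcurl\b',
    'net\.webclient|start-bitstransfer'
)

function Find-ClickFixScriptBlocks {
    param([int]$Hours = 24, [int]$MinimumScore = 2)
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # Property index 2 of a 4104 event holds the ScriptBlockText field.
        $text = [string]$ev.Properties[2].Value
        $hits = @($suspiciousPatterns | Where-Object { $text -imatch $_ })
        if ($hits.Count -ge $MinimumScore) {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                Score   = $hits.Count
                Matched = ($hits -join '; ')
                Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

Find-ClickFixScriptBlocks -Hours 72 | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

Script block logging records the decoded text of encoded commands, which is why the hunt works on the Operational log rather than on command-line auditing alone. Tune $MinimumScore against your own baseline: administrative tooling that legitimately uses Invoke-WebRequest will score 1, and raising the threshold to 2 or 3 keeps the output focused on blocks that hide their window and fetch remote content in the same breath.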

What Undercode Says: Deep Analysis 🕵️‍♂️

ClickFix demonstrates how simple social engineering can become the gateway for highly sophisticated malware campaigns. By exploiting user trust and leveraging malicious scripts disguised as legitimate CAPTCHAs, attackers bypass conventional defenses. CORNFLAKE.V3’s evolution from a basic downloader to a persistent, multi-payload backdoor highlights a concerning trend in malware sophistication.

The use of PowerShell scripts and remote dropper payloads allows attackers to evade detection and conduct reconnaissance, credential harvesting, and lateral network movement. The integration of Cloudflare tunnels for command-and-control traffic further complicates detection by conventional network security systems.

Multiple threat groups exploiting the same initial access vector exemplify the “access-as-a-service” model, where initial compromise is monetized by other criminal entities. This underlines the urgent need for continuous threat intelligence sharing and proactive monitoring of web interactions.

USB-based infection campaigns, like those distributing PUMPBENCH and XMRig, underscore the persistence of low-tech but highly effective attack methods. Even in an era dominated by advanced persistent threats (APTs), simple hardware-based propagation remains a viable risk.

Analytically, the dual-pronged attack vector—ClickFix web lures and USB drive infections—creates overlapping risk domains. Organizations must consider not just network perimeter defenses but endpoint vigilance, user training, and strict control over removable media.

Additionally, the malware chain demonstrates modular design, allowing attackers to adapt payloads dynamically, integrate third-party libraries, and maintain persistence across reboots. This modularity complicates signature-based detection and increases the risk of long-term undetected compromise.

From an operational standpoint, the emphasis on registry-based persistence, lateral movement, and remote shell capabilities makes network segmentation and privilege management critical defensive measures. These attacks stress-test incident response protocols and highlight the importance of multi-layered defense strategies.

In summary, the threat landscape is evolving toward hybrid attacks combining sophisticated social engineering, remote payload delivery, and hardware-assisted propagation. Defensive strategies must therefore be equally adaptive, combining human vigilance, automated monitoring, and proactive threat hunting.

Fact Checker Results ✅❌

✅ CORNFLAKE.V3 is a multi-stage backdoor leveraging PowerShell and HTTP-based payloads.
✅ Threat actors are using both ClickFix web lures and infected USB drives to deploy malware.
❌ There is no evidence that CORNFLAKE.V3 is self-propagating without user interaction; human action is required to trigger execution.

Prediction 🔮

Given the evolution of CORNFLAKE.V3 and the widespread use of ClickFix, we predict an increase in hybrid malware campaigns combining web-based social engineering and physical media infections. Organizations ignoring endpoint monitoring and user awareness are likely to see more financially motivated and credential-harvesting attacks in the coming months. Moreover, cryptocurrency miners exploiting USB propagation could become more sophisticated, potentially targeting enterprise networks for sustained mining operations. 💰⚠️


References:

Reported By: thehackernews.com