Threat actors use the ClickFix social engineering tactic to deploy the CORNFLAKE.V3 backdoor, leveraging fake CAPTCHA pages and PowerShell scripts for initial access. This activity is part of an access-as-a-service scheme involving multiple threat groups and delivers various payloads, including backdoors such as WINDYTWIST.SEA. #ClickFix #CORNFLAKEV3
Key points
- Threat actors utilize fake CAPTCHA pages and PowerShell scripts to gain initial access to systems.
- The CORNFLAKE.V3 backdoor supports executing payloads via HTTP and maintains persistence through registry modifications.
- Multiple threat groups, including UNC5774 and UNC4108, leverage this method for deploying diverse malware.
- Organizations are advised to disable the Windows Run dialog and enhance monitoring to mitigate these attacks.
- An additional USB drive campaign involves malware like PUMPBENCH and cryptocurrency miners such as XMRig.
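The mitigation in the list above (disable the Run dialog, improve monitoring) can be put into practice with a short script. The following is an added example, not code from the article or from the researchers it summarizes. It assumes a PowerShell 5.1 or later session running as the user being protected; the `NoRun` Explorer policy and the `RunMRU` history key are standard Windows registry locations, but the indicator keyword list is an assumption chosen for triage, not a published detection rule.

```powershell
# Added example, not from the article. Assumptions: current-user scope,
# PowerShell 5.1+. Hosts under Group Policy should receive the equivalent
# setting ("Remove Run menu from Start Menu") from the domain instead, since
# a local write is overwritten at the next policy refresh.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$RunMruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Disable-RunDialog {
    # NoRun = 1 removes Win+R and the Run command for this user, which closes
    # the paste-and-execute step that ClickFix lures depend on.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
    # Explorer reads the policy at start; sign out or restart explorer.exe for immediate effect.
    return ((Get-ItemProperty -Path $PolicyKey -Name 'NoRun').NoRun -eq 1)
}

function Get-SuspiciousRunHistory {
    # RunMRU stores what the user typed into the Run dialog, one value per slot
    # letter, ordered newest-first by MRUList. A ClickFix victim leaves the pasted
    # one-liner here, so it is cheap triage evidence before full telemetry arrives.
    # Indicator list is an assumption for this example, tune it to your environment.
    $Indicators = 'powershell', 'pwsh', 'mshta', 'cmd ', 'curl', 'bitsadmin', 'iex', 'iwr', 'Invoke-', 'http'
    if (-not (Test-Path $RunMruKey)) { return @() }
    $mru = Get-ItemProperty -Path $RunMruKey
    $order = if ($mru.MRUList) { $mru.MRUList.ToCharArray() } else { @() }
    foreach ($slot in $order) {
        $name = [string]$slot
        $entry = $mru.$name
        if (-not $entry) { continue }
        $cmd = $entry -replace '\\1$', ''   # Explorer appends "\1" to each stored command
        $hits = $Indicators | Where-Object { $cmd -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Slot    = $name
                Command = $cmd
                Matched = ($hits -join ', ')
            }
        }
    }
}

# Usage: harden first, then review what this user has already run.
if (Disable-RunDialog) { Write-Host 'NoRun policy set for the current user.' }
Get-SuspiciousRunHistory | Format-Table -AutoSize
```

`Disable-RunDialog` only blocks the dialog for the user whose hive is loaded; deploy the same setting through Group Policy to cover every profile. `Get-SuspiciousRunHistory` is a triage aid for hosts that may already have been exposed and complements, rather than replaces, process-creation monitoring for `explorer.exe` spawning script interpreters.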
Read More: https://thehackernews.com/2025/08/cybercriminals-deploy-cornflakev3.html