Cybercriminals Utilize ClickFix Tactic and Fake CAPTCHA Pages to Distribute CORNFLAKE.V3 Backdoor

August 21, 2025
Malware / Cryptocurrency

Threat actors have been observed employing the ClickFix social engineering tactic to disseminate a versatile backdoor known as CORNFLAKE.V3. Google-owned Mandiant reported this activity, identified as UNC5518, as part of an access-as-a-service scheme that utilizes fake CAPTCHA pages to entice users into granting initial system access, which is subsequently monetized by other threat groups. “The initial infection method, referred to as ClickFix, involves tricking users on compromised websites into copying and executing a malicious PowerShell script through the Windows Run dialog,” Google detailed in a report released today. Access provided by UNC5518 is believed to be exploited by at least two distinct hacking groups, UNC5774 and UNC4108, to launch a multi-stage infection process and introduce additional payloads. UNC5774, another financially motivated group, employs CORNFLAKE to deploy various subsequent payloads. UNC4108, also a threat actor…

Cybercriminals Exploit ClickFix Strategy to Distribute CORNFLAKE.V3 Backdoor via Fake CAPTCHA Pages

On August 21, 2025, cybersecurity experts reported a notable tactic employed by cybercriminals involving the deployment of a versatile backdoor, known as CORNFLAKE.V3, through a method termed ClickFix. This strategy was detailed by Mandiant, a subsidiary of Google, which classified the activity under the moniker UNC5518. This operation is part of a broader access-as-a-service scheme, where adversaries utilize fraudulent CAPTCHA pages to entice users into inadvertently granting access to their systems, subsequently monetized by various hacking factions.

According to Google’s report, the ClickFix infection vector primarily targets users visiting compromised sites. Upon accessing these malicious platforms, victims are encouraged to download and execute a harmful PowerShell script via the Windows Run dialog box. This approach not only exploits human psychology but also showcases a sophisticated level of social engineering, highlighting the risks associated with online interactions.

The initial access acquired by UNC5518 has reportedly been exploited by at least two distinct hacking groups: UNC5774 and UNC4108. These adversaries leverage the access to orchestrate a multi-stage infection process, introducing additional malicious payloads. Notably, UNC5774, identified as financially driven, employs the CORNFLAKE backdoor to facilitate the deployment of various subsequent threats, while UNC4108 has a separate operational agenda tied to its own nefarious goals.

Analyzing this incident through the lens of the MITRE ATT&CK Matrix reveals potential tactics and techniques employed during the attack. The ClickFix strategy clearly falls under the “Initial Access” tactic, where adversaries manipulate user behavior to infiltrate systems. This method integrates social engineering techniques along with potential execution vulnerabilities that can be capitalized upon within the Windows operating environment. Furthermore, the ongoing manipulation and exploitation of access might suggest efforts aimed at establishing persistence and privilege escalation within compromised networks.

Given the intricacies of modern cyber threats, businesses must remain vigilant against such sophisticated tactics. The use of deceptive methods like fake CAPTCHA pages is becoming increasingly prevalent, serving as a reminder that maintaining cybersecurity hygiene is more critical than ever. Organizations are encouraged to educate their employees about these risks and to implement robust security measures to mitigate potential breaches.

As the landscape of cybercrime continues to evolve, understanding the methodologies behind attacks like those orchestrated by UNC5518 is essential for business owners. By staying informed and proactive, organizations can better safeguard their systems against the growing threats posed by well-organized cybercriminals. In the face of such sophisticated strategies, collaboration between security professionals and stakeholders is imperative to navigate the complexities of the cybersecurity terrain effectively.

Source link

Related Posts

Remote Code Execution Risks Discovered in Commvault: Pre-Auth Exploit Chains Identified

August 21, 2025
Category: Vulnerability / Software Security

Commvault has issued updates to address four critical security vulnerabilities that could enable remote code execution on affected instances. The identified vulnerabilities arise in Commvault versions prior to 11.36.60, detailed as follows:

  • CVE-2025-57788 (CVSS score: 6.9): This vulnerability in a known login mechanism permits unauthenticated attackers to execute API calls without needing user credentials.

  • CVE-2025-57789 (CVSS score: 5.3): A flaw during the setup process allows remote attackers to exploit default credentials for administrative access before the first admin login.

  • CVE-2025-57790 (CVSS score: 8.7): A path traversal vulnerability enables remote attackers to gain unauthorized file system access, leading to potential remote code execution.

  • CVE-2025-57791 (CVSS score: 6.9): A vulnerability that allows attackers to inject or manipulate command-line arguments passed to internal components, resulting in further exploitation.

Former Developer Sentenced to Four Years for Sabotaging Ohio Employer with Kill-Switch Malware

A 55-year-old Chinese national has received a four-year prison sentence and three years of supervised release for deploying custom malware that targeted his former employer’s network. Davis Lu, 55, of Houston, Texas, was found guilty in March 2025 of intentionally damaging protected computers. He was arrested in April 2021 for misusing his position as a software developer to run malicious code on the company’s servers. While the company’s name was not disclosed, it has been identified as Eaton Corporation, a multinational power management firm based in Beachwood, Ohio. “The defendant violated his employer’s trust, using his technical expertise to disrupt network operations and causing significant financial losses to a U.S. company,” stated Acting Assistant Attorney General M…

INTERPOL Foils Cybercrime Network: 1,209 Arrested Across 18 African Nations in Major Operation

On August 22, 2025, INTERPOL revealed that law enforcement agencies from 18 African countries have apprehended 1,209 cybercriminals responsible for targeting 88,000 victims. The coordinated effort recovered $97.4 million and dismantled over 11,432 malicious operations, highlighting the widespread nature of cybercrime and the critical need for international collaboration. This operation, part of the ongoing initiative known as Operation Serengeti, spanned from June to August 2025 and aimed at combating serious offenses such as ransomware, online scams, and business email compromises. The first wave of arrests took place late last year. Notably, the operation led to the closure of 25 illegal cryptocurrency mining centers in Angola, involving 60 Chinese nationals in the fraudulent scheme. Authorities also identified and seized 45 illegal power stations, alongside mining and IT infrastructure valued at over $37 million, designated for government use.

Chinese Hackers Murky Panda, Genesis, and Glacial Panda Intensify Cloud and Telecom Espionage Efforts

August 22, 2025
Cloud Security / Vulnerability

Cybersecurity experts are alerting the public to the growing threat posed by the China-linked cyber espionage group known as Murky Panda. This group is employing trusted cloud relationships to infiltrate enterprise networks. According to a report from CrowdStrike, “The adversary has demonstrated a significant capacity to rapidly exploit N-day and zero-day vulnerabilities, often gaining initial access by targeting internet-facing devices.” Murky Panda, previously recognized as Silk Typhoon (and formerly Hafnium), gained notoriety for its exploitation of Microsoft Exchange Server vulnerabilities in 2021. Their attacks have primarily focused on government, technology, academic, legal, and professional services sectors in North America. Earlier this March, Microsoft revealed the threat actor’s evolving strategies, particularly their focus on the IT supply chain to gain entry into corporate networks.