Introduction
Today, we’re thrilled to sit down with Rupert Marais, our in-house security specialist with extensive expertise in endpoint and device security, cybersecurity strategies, and network management. With cybercriminals constantly evolving their tactics, Rupert offers a deep dive into the latest threats, including the deployment of the CORNFLAKE.V3 backdoor through deceptive social engineering methods like the ClickFix tactic. In this interview, we explore how these attacks work, the motivations behind threat actors, and practical steps organizations can take to defend themselves. Let’s get started with Rupert’s insights on this growing menace.
Can you walk us through what the CORNFLAKE.V3 backdoor is and how it stands out from its predecessors?
CORNFLAKE.V3 is a sophisticated backdoor that cybercriminals use to maintain access to compromised systems and execute a variety of malicious payloads. Unlike its earlier version, CORNFLAKE.V2, which was mainly a downloader, V3 has evolved with new capabilities like host persistence through the Windows Registry and support for a broader range of payload types, including executables, scripts, and more. This makes it far more versatile and dangerous. It’s a significant leap from the original C-based version as well, which was limited to running specific payloads and used simpler communication methods. V3’s ability to stick around on a system and adapt makes it a real challenge for defenders.
How does the ClickFix tactic work, and what makes it so effective at tricking users?
The ClickFix tactic is a clever social engineering scheme where attackers lure users on compromised or malicious websites into executing harmful PowerShell scripts. They often present fake CAPTCHA pages that prompt users to copy and paste a command into the Windows Run dialog box, which then downloads and runs the malicious code. It’s effective because it preys on familiarity—most people have encountered CAPTCHAs and don’t think twice about following instructions that seem routine. The simplicity of using a built-in Windows feature like the Run dialog also bypasses the need for complex exploits, making it a low-effort, high-reward strategy for attackers.
What can you tell us about how CORNFLAKE.V3 communicates with external servers and evades detection?
CORNFLAKE.V3 uses HTTP for command-and-control communication, often routing its traffic through Cloudflare tunnels to mask its origins. This setup helps attackers hide their infrastructure and blend malicious traffic with legitimate web activity, making it tough for security tools to flag anything suspicious. By proxying through a trusted service like Cloudflare, they create an additional layer of obscurity that complicates efforts to trace or block their activity. For security teams, this means traditional network monitoring might not catch the issue unless paired with advanced behavioral analysis or endpoint detection.
What kinds of threats do the payloads delivered by CORNFLAKE.V3 pose to organizations?
The payloads CORNFLAKE.V3 can execute are incredibly varied and dangerous, ranging from scripts to full executables. One notable example is WINDYTWIST.SEA, a backdoor that can relay traffic, execute commands, and even facilitate lateral movement within a network. This ability to spread internally is a huge concern because it can turn a single compromised device into a gateway for a broader breach. Other payloads focus on reconnaissance or credential theft, amplifying the risk of data loss or ransomware. For organizations, this means a single infection could spiral into a full-scale attack if not caught early.
Who are the primary threat actors behind these campaigns, and how do their roles differ?
We’re seeing groups like UNC5518, UNC5774, and UNC4108 involved in these campaigns. UNC5518 appears to operate as an access-as-a-service provider, focusing on gaining initial entry through tactics like ClickFix and then selling or sharing that access with other groups. UNC5774, a financially motivated actor, uses CORNFLAKE.V3 to deploy additional payloads for profit-driven schemes. Meanwhile, UNC4108’s motivations are less clear, but they’ve been observed using tools for remote access and persistence. The division of labor—where one group specializes in access and others in exploitation—makes these campaigns more efficient and harder to disrupt.
Why do you think access-as-a-service models are gaining traction among cybercriminals?
Access-as-a-service is becoming popular because it lowers the barrier to entry for many hacking groups. Not every threat actor has the skills or resources to breach a network from scratch, so buying access from a group like UNC5518 lets them focus on their specific goals, whether that’s deploying ransomware or stealing data. For the sellers, it’s a steady revenue stream with less risk since they’re not directly tied to the end-stage attack. This model creates a cybercrime ecosystem that’s tough to combat because disrupting one group doesn’t necessarily stop the others—it’s like cutting off one head of a hydra.
How are attackers initially drawing victims to these fake CAPTCHA pages?
Attackers often use tactics like SEO poisoning, where they manipulate search engine results to push malicious sites to the top of relevant searches, tricking users into clicking on them. They also leverage malicious ads that redirect users to these fake CAPTCHA pages. Both methods exploit trust—people generally assume search results or ads on legitimate platforms are safe. Once a user lands on the page, the social engineering kicks in with prompts that seem harmless but lead to executing malicious code. It’s a well-crafted chain that starts with everyday online behavior.
What strategies can organizations adopt to defend against ClickFix and other social engineering attacks?
Organizations need a multi-layered approach to combat tactics like ClickFix. First, consider disabling features like the Windows Run dialog box on systems where it’s not essential, as it’s a common entry point for these scripts. Regular training and simulation exercises are also critical—employees need to recognize suspicious prompts or unusual website behavior. On the technical side, robust logging and monitoring can help detect the execution of malicious payloads early on. Combining user awareness with strong endpoint protection and network visibility is the best way to reduce the risk of falling for these tricks.
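As an added example (not part of the interview or any vendor tooling), the PowerShell script below acts on two points in the answer above: it audits the current user's Run-dialog history (the RunMRU registry key) for pasted commands that fit a ClickFix-style lure, and, with a switch, applies the NoRun policy that hides the Run dialog. The two registry paths are the documented Windows locations; the regex heuristics and the `-DisableRunDialog` parameter name are assumptions to tune per environment.

```powershell
# Added example, not the interview's own code: audit the Run dialog's history (RunMRU) for
# pasted ClickFix-style commands and optionally hide the Run dialog via the NoRun policy.
# Registry paths are the documented Windows locations; the regex heuristics are assumptions.
[CmdletBinding()]
param(
    [switch]$DisableRunDialog   # apply HKCU NoRun=1 when set (assumed parameter name)
)

$runMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$policyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# A ClickFix lure pastes a script host into Run, usually with a remote fetch or an encoded
# command. Flag entries that name a launcher AND carry at least one such indicator.
$launcherPattern = '\b(powershell|pwsh|mshta|cmd|wscript|cscript)(\.exe)?\b'
$indicatorPatterns = @(
    '\s-(e|ec|enc|encodedcommand)\s',                 # encoded PowerShell command
    'iwr|invoke-webrequest|downloadstring|\biex\b',   # download-and-run idioms
    'invoke-expression|frombase64string',
    'https?://'                                       # remote payload URL
)

function Get-SuspiciousRunHistory {
    if (-not (Test-Path $runMruPath)) { return @() }
    $mru = Get-ItemProperty -Path $runMruPath
    $hits = foreach ($prop in $mru.PSObject.Properties) {
        # RunMRU keeps one command per single-letter value; MRUList holds the order.
        if ($prop.Name -notmatch '^[a-z]$') { continue }
        $cmd = [string]$prop.Value -replace '\\1$', ''   # drop the trailing "\1" marker
        if ($cmd -notmatch $launcherPattern) { continue }
        $found = $indicatorPatterns | Where-Object { $cmd -match $_ }
        if ($found) {
            [pscustomobject]@{ Entry = $prop.Name; Command = $cmd; Indicators = ($found -join ' | ') }
        }
    }
    return @($hits)
}

$findings = Get-SuspiciousRunHistory
if ($findings.Count -gt 0) {
    Write-Warning "Run history has $($findings.Count) entry(ies) matching ClickFix heuristics"
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No suspicious Run-dialog history for the current user.'
}
if ($DisableRunDialog) {
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    New-ItemProperty -Path $policyPath -Name NoRun -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'NoRun policy set; the Run dialog is hidden after the next logon or Explorer restart.'
}
```

Run it in the session of the user whose history is in question, since both keys live under HKCU; a fleet-wide version would push the NoRun value through Group Policy instead of per-host edits.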
What is your forecast for the evolution of social engineering tactics like ClickFix in the coming years?
I expect social engineering tactics like ClickFix to become even more sophisticated and tailored. Attackers will likely lean harder into personalization, crafting lures that mimic trusted brands or services specific to a user’s habits or industry. We might see deeper integration with legitimate platforms or technologies to further blur the line between safe and malicious content. As defenses improve, attackers will keep exploiting human psychology, finding new ways to manipulate trust. It’s a cat-and-mouse game, and staying ahead will require constant vigilance, better education, and smarter technology to predict and block these evolving threats.