A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor


Conclusion


This investigation highlights the collaborative nature of modern cyber threats, where UNC5518 leverages compromised websites and deceptive ClickFix lures to gain initial access. This access is then utilized by other actors like UNC5774, who deploy versatile malware such as the CORNFLAKE.V3 backdoor. The subsequent reconnaissance and credential harvesting activities we observed indicate that the attackers intend to move laterally and expand their foothold in the environment.

To reduce the risk of malware execution through ClickFix, organizations should disable the Windows Run dialog box where possible; the Explorer Group Policy setting "Remove Run menu from Start Menu" (the NoRun registry value) also disables the Win+R shortcut the lure instructs victims to use. This control does not cover ClickFix variants that direct the victim to paste the command into a PowerShell or terminal window instead, so regular user-awareness simulation exercises remain essential against this and other social engineering tactics. Furthermore, robust logging and monitoring are essential for detecting the execution of subsequent payloads, such as those associated with CORNFLAKE.V3.

Acknowledgements


Special thanks to Diana Ion, Yash Gupta, Rufus Brown, Mike Hunhoff, Genwei Jiang, Mon Liclican, Preston Lewis, Steve Sedotto, Elvis Miezitis and Rommel Joven for their valuable contributions to this blog post.

Detection Through Google Security Operations


For detailed guidance on hunting for this activity using the following queries, and for a forum to engage with our security experts, please visit our companion post on the Google Cloud Community blog.

Mandiant has made the relevant rules available in the Google SecOps Mandiant Frontline Threats curated detections rule set. The activity discussed in the blog post is detected in Google SecOps under the rule names:

  • Powershell Executing NodeJS

  • Powershell Writing To Appdata

  • Suspicious Clipboard Interaction

  • NodeJS Reverse Shell Execution

  • Download to the Windows Public User Directory via PowerShell

  • Run Utility Spawning Suspicious Process

  • WSH Startup Folder LNK Creation

  • Trycloudflare Tunnel Network Connections

SecOps Hunting Queries


The following UDM queries can be used to identify potential compromises within your environment.

Execution of CORNFLAKE.V3 Node.js

Search for potential compromise activity where PowerShell is used to launch node.exe from the %AppData% path with the -e argument, indicating direct execution of a malicious JavaScript string.

metadata.event_type = "PROCESS_LAUNCH" principal.process.file.full_path = /powershell\.exe/ nocase target.process.file.full_path = /appdata\\roaming\\.*node\.exe/ nocase target.process.command_line = /"?node\.exe"?\s*-e\s*"/ nocase

Execution of CORNFLAKE.V3 PHP

Search for compromise activity where PowerShell executes php.exe from the %AppData% path. This variant is characterized by the use of the -d argument, execution of a PHP script that lacks a .php file extension, and the trailing argument 1 passed to the PHP interpreter, indicating covert execution of malicious PHP code.

metadata.event_type = "PROCESS_LAUNCH" principal.process.file.full_path = /powershell\.exe/ nocase target.process.file.full_path = /appdata\\roaming\\.*php\.exe/ nocase target.process.command_line = /"?php\.exe"?\s*-d\s.*1$/ nocase target.process.command_line != /\.php\s*\s*/ nocase

CORNFLAKE.V3 Child Process Spawns

Search suspicious process activity where cmd.exe or powershell.exe are spawned as child processes from node.exe or php.exe when those executables are located in %AppData%.

metadata.event_type = "PROCESS_LAUNCH" principal.process.file.full_path =  /appdata\\roaming\\.*node\.exe|appdata\\roaming\\.*php\.exe/ nocase  target.process.file.full_path = /powershell\.exe|cmd\.exe/ nocase

Suspicious Connections to Node.js/PHP Domains

Search for unusual network connections initiated by powershell.exe or mshta.exe to the legitimate Node.js (nodejs.org) or PHP (windows.php.net) distribution domains, which the loader contacts to fetch the interpreter it runs the backdoor with.

metadata.event_type = "NETWORK_CONNECTION" principal.process.file.full_path = /powershell\.exe|mshta\.exe/ nocase  target.hostname = /nodejs\.org|windows\.php\.net/ nocase
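The four UDM queries above share one shape: an event-type filter, one or more regex filters on process paths, and a regex (or negated regex) on the command line or hostname. The following Python port is an added example, not Mandiant's or Google's code: it applies the exact patterns from the queries with partial-match, case-insensitive semantics (what UDM's `nocase` regex does) to a handful of constructed events. The event dicts, user name, paths and command lines are constructed stand-ins for UDM records, not captured telemetry, and include a benign PHP invocation that the `!= /\.php\s*/` exclusion is meant to drop.

```python
"""Python port of the CORNFLAKE.V3 SecOps hunting queries, run over
constructed events.  Added example, not Mandiant/Google code; the event
dicts below are constructed stand-ins for UDM records, not real telemetry."""
import re

# Rule -> (required metadata.event_type, [(field, regex, must_match)]).
# Regexes are copied from the UDM queries; must_match=False mirrors the
# `!=` (negated regex) condition.  Note: UDM uses RE2, where `$` is a
# hard end-of-text anchor; Python's `$` also matches before a trailing
# newline, which is why command lines are stripped before matching.
RULES = {
    "Execution of CORNFLAKE.V3 Node.js": ("PROCESS_LAUNCH", [
        ("principal.process.file.full_path", r"powershell\.exe", True),
        ("target.process.file.full_path", r"appdata\\roaming\\.*node\.exe", True),
        ("target.process.command_line", r'"?node\.exe"?\s*-e\s*"', True),
    ]),
    "Execution of CORNFLAKE.V3 PHP": ("PROCESS_LAUNCH", [
        ("principal.process.file.full_path", r"powershell\.exe", True),
        ("target.process.file.full_path", r"appdata\\roaming\\.*php\.exe", True),
        ("target.process.command_line", r'"?php\.exe"?\s*-d\s.*1$', True),
        ("target.process.command_line", r"\.php\s*", False),
    ]),
    "CORNFLAKE.V3 Child Process Spawns": ("PROCESS_LAUNCH", [
        ("principal.process.file.full_path",
         r"appdata\\roaming\\.*node\.exe|appdata\\roaming\\.*php\.exe", True),
        ("target.process.file.full_path", r"powershell\.exe|cmd\.exe", True),
    ]),
    "Suspicious Connections to Node.js/PHP Domains": ("NETWORK_CONNECTION", [
        ("principal.process.file.full_path", r"powershell\.exe|mshta\.exe", True),
        ("target.hostname", r"nodejs\.org|windows\.php\.net", True),
    ]),
}


def matches(rule_name, event):
    """True when every condition of the named rule holds for the event."""
    event_type, conditions = RULES[rule_name]
    if event.get("metadata.event_type") != event_type:
        return False
    for field, pattern, must_match in conditions:
        value = event.get(field, "").strip()
        hit = re.search(pattern, value, re.IGNORECASE) is not None
        if hit != must_match:
            return False
    return True


def evaluate(events):
    """Return {rule_name: [event ids]} for every event that fires a rule."""
    hits = {}
    for event in events:
        for name in RULES:
            if matches(name, event):
                hits.setdefault(name, []).append(event["id"])
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NODE = r"C:\Users\alice\AppData\Roaming\node-v22.11.0-win-x64\node.exe"
PHP = r"C:\Users\alice\AppData\Roaming\php\php.exe"

# Constructed sample events (hypothetical user "alice"; not real telemetry).
SAMPLE_EVENTS = [
    # e1: loader runs node.exe from %AppData% with an inline script.
    {"id": "e1", "metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": PS,
     "target.process.file.full_path": NODE,
     "target.process.command_line": '"' + NODE + '" -e "..."'},
    # e2: PHP variant: -d, script with no .php extension, trailing "1".
    {"id": "e2", "metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": PS,
     "target.process.file.full_path": PHP,
     "target.process.command_line":
         '"' + PHP + r'" -d display_errors=0 C:\Users\alice\AppData\Roaming\php\config.cfg 1'},
    # e3: the backdoor spawns cmd.exe for reconnaissance.
    {"id": "e3", "metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": NODE,
     "target.process.file.full_path": r"C:\Windows\System32\cmd.exe",
     "target.process.command_line": "cmd.exe /c whoami"},
    # e4: PowerShell fetching the interpreter from nodejs.org.
    {"id": "e4", "metadata.event_type": "NETWORK_CONNECTION",
     "principal.process.file.full_path": PS,
     "target.hostname": "nodejs.org"},
    # e5 (benign): node.exe from Program Files, not %AppData%.
    {"id": "e5", "metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": PS,
     "target.process.file.full_path": r"C:\Program Files\nodejs\node.exe",
     "target.process.command_line": 'node.exe -e "..."'},
    # e6 (benign): a .php script, dropped by the negated regex.
    {"id": "e6", "metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": PS,
     "target.process.file.full_path": PHP,
     "target.process.command_line": "php.exe -d memory_limit=1G build.php 1"},
    # e7 (benign): a browser reaching nodejs.org.
    {"id": "e7", "metadata.event_type": "NETWORK_CONNECTION",
     "principal.process.file.full_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target.hostname": "nodejs.org"},
]

if __name__ == "__main__":
    for rule, ids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: {ids}")
```

Only e1 through e4 fire, one rule each; e5 fails the %AppData% path filter, e6 is removed by the negated `\.php` condition even though the positive `-d ... 1$` pattern matches it, and e7 fails the process filter. When tuning the production rules, that e6 case is the one to re-examine: an attacker who names the script `x.php` slips past the exclusion, so the path and parent-process conditions carry most of the signal.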

Indicators of Compromise (IOCs)


A Google Threat Intelligence (GTI) collection of IOCs is available to registered users.

Host-Based Artifacts



Artifact: C:\Users\<User>\AppData\Roaming\node-v22.11.0-win-x64\ckw8ua56.log
Description: Copy of the CORNFLAKE.V3 (Node.js) sample used for persistence
MD5 Hash: 04668c6f39b0a67c4bd73d5459f8c3a3

Artifact: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater
Description: Registry Run key value that launches the CORNFLAKE.V3 (Node.js) sample at user logon
MD5 Hash: N/A

Artifact: C:\Users\<User>\AppData\Roaming\php\config.cfg
Description: CORNFLAKE.V3 (PHP) sample
MD5 Hash: bcdffaaf882582941af152d8028d1abe

Artifact: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\iCube
Description: Registry Run key value that launches the CORNFLAKE.V3 (PHP) sample at user logon
MD5 Hash: N/A

Artifact: C:\Users\<User>\AppData\Roaming\Shift194340\78G0ZrQi.png
Description: WINDYTWIST.SEA backdoor sample dropped by CORNFLAKE.V3 (PHP)
MD5 Hash: ec82216a2b42114d23d59eecb876ccfc

Network-Based Artifacts



Indicator: 138.199.161[.]141
Description: IP address associated with UNC5518 used to distribute CORNFLAKE.V3 (Node.js) malware

Indicator: 159.69.3[.]151
Description: CORNFLAKE.V3 (Node.js) C2 server associated with UNC5774

Indicator: varying-rentals-calgary-predict.trycloudflare[.]com
Description: CORNFLAKE.V3 (PHP) C2 server associated with UNC5774

Indicators: dnsmicrosoftds-data[.]com, windows-msg-as[.]live
Description: Domains associated with UNC5518 used to distribute CORNFLAKE.V3 (PHP) malware

Indicators: 167.235.235[.]151, 128.140.120[.]188, 177.136.225[.]135
Description: WINDYTWIST.SEA backdoor C2 server addresses associated with UNC5774

Published: 2025-08-20T14:00:00

© Segmentation Fault. All rights reserved.