The financially motivated threat group UNC5518 has been compromising legitimate websites to host ClickFix lures, fake CAPTCHA pages designed to mislead visitors, as part of a campaign that has been tracked since June 2024.
These malicious pages trick users into executing downloader scripts that initiate infection chains, often leading to malware deployment by affiliated actors.
Mandiant Threat Defense has observed UNC5518 operating as an access-as-a-service provider, enabling groups like UNC5774 to exploit gained access for deploying advanced backdoors such as CORNFLAKE.V3.
This collaboration highlights the modular nature of modern threats, where initial access brokers facilitate deeper intrusions by specialized actors focused on financial gain through reconnaissance, credential theft, and lateral movement.
Technical Breakdown of CORNFLAKE.V3
The CORNFLAKE.V3 backdoor, attributed to UNC5774, represents an evolution from earlier variants, transitioning from C-based downloaders to JavaScript or PHP implementations that support HTTP-based command-and-control (C2) communications with XOR encoding.
Unlike CORNFLAKE.V2, which lacked persistence, V3 incorporates registry Run keys for longevity and handles diverse payloads including executables, DLLs, JavaScript, batch scripts, and PowerShell commands.
Infections typically begin with users interacting with ClickFix pages, which copy malicious PowerShell scripts to the clipboard via JavaScript, prompting execution through the Windows Run dialog.
This leads to downloading Node.js or PHP runtimes from legitimate sources, extracting them to %APPDATA%, and running embedded backdoor code.
Anti-VM checks in the dropper scripts detect sandboxes by analyzing memory usage, computer names, and manufacturers like QEMU, ensuring evasion in controlled environments.

Once active, CORNFLAKE.V3 performs host reconnaissance using tools like systeminfo, tasklist, and ARP, while attempting Kerberoasting for credential harvesting via Service Principal Names (SPNs).
In observed cases, it executed batch scripts that first check whether the host is domain-joined and then run Active Directory queries to count domain computers, enumerate trusts, list domain controllers, and identify administrative groups.
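The reconnaissance and Kerberoasting behaviour described above leaves a characteristic footprint in Windows Security telemetry: a burst of distinct recon commands (systeminfo, tasklist, arp, nltest) from one host and user within a few minutes, followed by one account requesting RC4-encrypted service tickets (Event ID 4769, TicketEncryptionType 0x17) for many SPNs in quick succession. The following detector is an added example written for this article, not detection content from Mandiant; the event records are constructed to resemble flattened EID 4688 and 4769 fields, and the thresholds and window sizes are assumptions to tune per environment.

```python
"""Flag recon-command bursts and Kerberoasting-style 4769 bursts.

Added example for this article (not Mandiant detection content). Events are
constructed dicts with the fields of Windows Security EID 4688 (process
creation with CommandLine) and EID 4769 (service ticket request).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Recon command fragments named in the report (plus common AD query tools);
# substring match against the lower-cased command line.
RECON_PATTERNS = ("systeminfo", "tasklist", "arp -a", "nltest /domain_trusts",
                  "net group", "dsquery")
RECON_WINDOW = timedelta(minutes=5)      # assumed tuning values
RECON_MIN_DISTINCT = 3
ROAST_WINDOW = timedelta(minutes=2)
ROAST_MIN_SPNS = 5
RC4_ETYPE = "0x17"                       # RC4-HMAC, the etype classic Kerberoasting asks for

# Constructed sample events (not real telemetry).
EVENTS = [
    {"eid": 4688, "time": "2024-06-01T10:00:00", "host": "WS01", "user": "alice", "command_line": "systeminfo"},
    {"eid": 4688, "time": "2024-06-01T10:00:05", "host": "WS01", "user": "alice", "command_line": "tasklist /v"},
    {"eid": 4688, "time": "2024-06-01T10:00:08", "host": "WS01", "user": "alice", "command_line": "arp -a"},
    {"eid": 4688, "time": "2024-06-01T10:00:30", "host": "WS01", "user": "alice", "command_line": "nltest /domain_trusts"},
    {"eid": 4688, "time": "2024-06-01T11:00:00", "host": "WS02", "user": "bob", "command_line": "tasklist"},  # benign, single command
    {"eid": 4769, "time": "2024-06-01T10:01:00", "account": "alice@CORP.LOCAL", "service_name": "svc_sql", "ticket_encryption_type": "0x17"},
    {"eid": 4769, "time": "2024-06-01T10:01:02", "account": "alice@CORP.LOCAL", "service_name": "svc_http", "ticket_encryption_type": "0x17"},
    {"eid": 4769, "time": "2024-06-01T10:01:04", "account": "alice@CORP.LOCAL", "service_name": "svc_backup", "ticket_encryption_type": "0x17"},
    {"eid": 4769, "time": "2024-06-01T10:01:06", "account": "alice@CORP.LOCAL", "service_name": "svc_ctx", "ticket_encryption_type": "0x17"},
    {"eid": 4769, "time": "2024-06-01T10:01:08", "account": "alice@CORP.LOCAL", "service_name": "svc_exch", "ticket_encryption_type": "0x17"},
    {"eid": 4769, "time": "2024-06-01T10:01:10", "account": "alice@CORP.LOCAL", "service_name": "WS01$", "ticket_encryption_type": "0x17"},  # computer account, ignored
    {"eid": 4769, "time": "2024-06-01T10:01:12", "account": "alice@CORP.LOCAL", "service_name": "krbtgt", "ticket_encryption_type": "0x17"},  # TGT, ignored
    {"eid": 4769, "time": "2024-06-01T09:00:00", "account": "bob@CORP.LOCAL", "service_name": "svc_sql", "ticket_encryption_type": "0x12"},   # AES, normal use
    {"eid": 4769, "time": "2024-06-01T13:00:00", "account": "bob@CORP.LOCAL", "service_name": "svc_http", "ticket_encryption_type": "0x12"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def _distinct_in_window(items, window, minimum):
    """items: sorted (time, label) pairs. Return the sorted labels of the first
    window that reaches `minimum` distinct labels, or None."""
    for i in range(len(items)):
        labels = {items[i][1]}
        j = i + 1
        while j < len(items) and items[j][0] - items[i][0] <= window:
            labels.add(items[j][1])
            j += 1
        if len(labels) >= minimum:
            return sorted(labels)
    return None


def recon_bursts(events):
    by_actor = defaultdict(list)
    for ev in events:
        if ev["eid"] != 4688:
            continue
        cmd = ev["command_line"].lower()
        hits = [p for p in RECON_PATTERNS if p in cmd]
        if hits:
            by_actor[(ev["host"], ev["user"])].append((_ts(ev), hits[0]))
    alerts = []
    for (host, user), items in by_actor.items():
        found = _distinct_in_window(sorted(items), RECON_WINDOW, RECON_MIN_DISTINCT)
        if found:
            alerts.append({"rule": "recon_burst", "host": host, "user": user, "commands": found})
    return alerts


def kerberoast_bursts(events):
    by_account = defaultdict(list)
    for ev in events:
        if ev["eid"] != 4769 or ev["ticket_encryption_type"].lower() != RC4_ETYPE:
            continue
        svc = ev["service_name"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):   # TGT and machine accounts are not roastable SPNs
            continue
        by_account[ev["account"]].append((_ts(ev), svc))
    alerts = []
    for account, items in by_account.items():
        found = _distinct_in_window(sorted(items), ROAST_WINDOW, ROAST_MIN_SPNS)
        if found:
            alerts.append({"rule": "kerberoast_burst", "account": account, "spns": found})
    return alerts


def detect(events):
    return recon_bursts(events) + kerberoast_bursts(events)


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The RC4 filter catches the classic Kerberoasting pattern but not an attacker who requests AES tickets, so the SPN-count rule is worth running without the etype filter as a lower-priority signal; the recon rule keys on (host, user) so that a single administrator's routine tasklist on another machine does not trip it.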
A PHP variant further refines this by using Cloudflare Tunnels for C2 proxying, random registry key names for persistence, and altered payload handling, such as saving DLLs as .png files and integrating Node.js downloads for JavaScript execution.
This variant also introduced commands like ACTIVE for heartbeats and AUTORUN for setup, demonstrating iterative improvements against detection.
Additional Payloads
Further analysis revealed CORNFLAKE.V3 deploying the WINDYTWIST.SEA backdoor, a C-based implant supporting TCP relaying, reverse shells, and command execution, configured with multiple C2 servers for resilience.
Process trees show explorer.exe spawning PowerShell, which in turn launches node.exe or php.exe, leading to reconnaissance and rundll32.exe execution of DLL payloads.
To counter these threats, organizations should disable the Windows Run dialog where feasible, conduct social engineering simulations, and implement robust logging for suspicious activities like PowerShell launching Node.js from %APPDATA%.
Detection queries in Google Security Operations target indicators such as unusual process launches and network connections to nodejs.org or windows.php.net.
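The process tree and network indicators just described (explorer.exe launching PowerShell, PowerShell fetching a runtime from nodejs.org or windows.php.net, node.exe or php.exe running from %APPDATA% and in turn spawning rundll32.exe) translate directly into a lineage hunt. The script below is an added example written for this article, not a Google Security Operations query or Mandiant content; it runs over constructed Sysmon-style Event ID 1 (process create) and Event ID 3 (network connect) records, and the benign control events are included to show what it does not flag.

```python
"""Hunt for the ClickFix -> CORNFLAKE.V3 process lineage in Sysmon-style telemetry.

Added example (not Mandiant or Google SecOps detection content). Event dicts
are constructed to mimic Sysmon EID 1 (process create) and EID 3 (network
connection) fields.
"""
import re

# Node.js / PHP runtimes extracted under %APPDATA% (C:\Users\<user>\AppData\Roaming)
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.I)
RUNTIMES = {"node.exe", "php.exe"}
# Legitimate download hosts named in the report; suspicious when the client is
# PowerShell rather than a browser or package manager.
RUNTIME_DOWNLOAD_HOSTS = {"nodejs.org", "windows.php.net"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NODE_APPDATA = r"C:\Users\alice\AppData\Roaming\node-v22.0.0-win-x64\node.exe"

# Constructed sample telemetry (not real events).
EVENTS = [
    {"eid": 1, "pid": 800, "ppid": 600, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    # Run-dialog launch: explorer.exe spawns PowerShell (command line omitted)
    {"eid": 1, "pid": 1200, "ppid": 800, "image": PS, "parent_image": r"C:\Windows\explorer.exe"},
    # PowerShell downloads the runtime from the legitimate source
    {"eid": 3, "pid": 1200, "image": PS, "dest_host": "nodejs.org", "dest_port": 443},
    # Runtime extracted to %APPDATA% runs the backdoor code
    {"eid": 1, "pid": 1300, "ppid": 1200, "image": NODE_APPDATA, "parent_image": PS},
    # Backdoor hands a DLL payload to rundll32.exe
    {"eid": 1, "pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": NODE_APPDATA},
    # Benign: a developer's node.exe from Program Files, started by an editor
    {"eid": 1, "pid": 2000, "ppid": 1900, "image": r"C:\Program Files\nodejs\node.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    # Benign: rundll32 started by svchost
    {"eid": 1, "pid": 2100, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_table(events):
    return {ev["pid"]: ev for ev in events if ev["eid"] == 1}


def lineage(procs, pid):
    """Return 'ancestor > ... > process' for as far as the process table reaches."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return " > ".join(reversed(chain))


def hunt(events):
    procs = process_table(events)
    alerts = []
    for ev in events:
        name = basename(ev["image"])
        if ev["eid"] == 1:
            parent = basename(ev["parent_image"])
            if name in RUNTIMES and parent == "powershell.exe" and APPDATA_RE.match(ev["image"]):
                alerts.append({"rule": "runtime_from_appdata", "pid": ev["pid"],
                               "lineage": lineage(procs, ev["pid"])})
            elif name == "rundll32.exe" and parent in RUNTIMES:
                alerts.append({"rule": "runtime_spawns_rundll32", "pid": ev["pid"],
                               "lineage": lineage(procs, ev["pid"])})
        elif ev["eid"] == 3:
            if name == "powershell.exe" and ev["dest_host"].lower() in RUNTIME_DOWNLOAD_HOSTS:
                alerts.append({"rule": "powershell_fetches_runtime", "pid": ev["pid"],
                               "dest": ev["dest_host"], "lineage": lineage(procs, ev["pid"])})
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

The three rules are independent so that each fires on its own stage of the chain; correlating them by the PowerShell ancestor's PID, as the lineage strings allow, turns three medium-confidence hits into one high-confidence incident.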
In conclusion, this campaign underscores the risks of social engineering in delivering versatile malware, with UNC5518 and UNC5774 exemplifying threat actor symbiosis. Proactive monitoring and user education are critical to disrupting such chains.
Key Indicators of Compromise (IOCs)
Type | Artifact | Description | SHA-256/IP/Domain
---|---|---|---
File | C:\Users | CORNFLAKE.V3 (Node.js) persistence file | 000b24076cae8dbb00b46bb59188a0da5a940e325eaac7d86854006ec071ac5b
Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater | CORNFLAKE.V3 (Node.js) Run key | N/A
File | C:\Users | CORNFLAKE.V3 (PHP) sample | a2d4e8c3094c959e144f46b16b40ed29cc4636b88616615b69979f0a44f9a2d1
File | C:\Users | WINDYTWIST.SEA backdoor | 14f9fbbf7e82888bdc9c314872bf0509835a464d1f03cd8e1a629d0c4d268b0c
Network | 138.199.161.141 | UNC5518 distribution IP | N/A
Network | 159.69.3.151 | CORNFLAKE.V3 (Node.js) C2 | N/A
Network | varying-rentals-calgary-predict.trycloudflare.com | CORNFLAKE.V3 (PHP) C2 | N/A
Network | 167.235.235.151; 128.140.120.188; 177.136.225.135 | WINDYTWIST.SEA C2 servers | N/A