A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor
ID: e7044f73-8552-5996-b455-b7ffe6b22fec
STIX ID: report--e7044f73-8552-5996-b455-b7ffe6b22fec
Feed Name: Threat Intelligence
### Executive summary

Since June 2024, Mandiant has tracked UNC5518 using fake CAPTCHA ("ClickFix") pages to deliver downloader scripts that provide access-as-a-service; those access points have been used by financially motivated UNC5774 to deploy CORNFLAKE.V3, a JavaScript/PHP backdoor that supports persistence, multiple payload types, and abuse of Cloudflare Tunnels to proxy command-and-control communications.
