UNC5518 Group Hacks Legitimate Sites with Fake Captcha to Deliver Malware
The financially motivated threat group UNC5518 has been compromising legitimate websites to plant ClickFix lures, which are deceptive fake CAPTCHA pages, as part of a campaign that has been tracked since June 2024.
These malicious pages trick users into executing downloader scripts that initiate infection chains, often leading to malware deployment by affiliated actors.
Mandiant Threat Defense has observed UNC5518 operating as an access-as-a-service provider, enabling groups like UNC5774 to exploit gained access for deploying advanced backdoors such as CORNFLAKE.V3.
This collaboration highlights the modular nature of modern threats, where initial access brokers facilitate deeper intrusions by specialized actors focused on financial gain through reconnaissance, credential theft, and lateral movement.
Technical Breakdown of CORNFLAKE.V3
The CORNFLAKE.V3 backdoor, attributed to UNC5774, represents an evolution from earlier variants, transitioning from C-based downloaders to JavaScript or PHP implementations that support HTTP-based command-and-control (C2) communications with XOR encoding.
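The article only states that CORNFLAKE.V3 talks to its C2 over HTTP with XOR encoding; it does not document the key or the message format. The following is an added analyst helper, not code from the article or from the malware: it assumes a single-byte XOR key and a JSON beacon body (both assumptions), and the captured body is constructed for the example.

```python
"""Analyst helper: recover a single-byte XOR key from a captured HTTP C2 body.

ASSUMPTIONS (not documented in the article): a single-byte XOR key and a JSON
beacon body. The sample capture below is constructed, not real malware data.
"""
import json

# Constructed beacon the analyst expects to see after decoding (assumption).
_SAMPLE_PLAINTEXT = b'{"host":"WS-01","user":"alice","task":"whoami"}'
_SAMPLE_KEY = 0x5A  # constructed key, used only to build the sample capture
CAPTURED_BODY = bytes(b ^ _SAMPLE_KEY for b in _SAMPLE_PLAINTEXT)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_json_beacon(body: bytes) -> list[tuple[int, dict]]:
    """Try all 256 single-byte keys and keep those whose output is a JSON object.

    Returns [(key, parsed_dict), ...]. An empty list means the body is not
    single-byte-XOR-encoded JSON (multi-byte key, compression, other format),
    so the analyst should move on to other hypotheses rather than force a hit.
    """
    hits = []
    for key in range(256):
        candidate = xor_single_byte(body, key)
        try:
            parsed = json.loads(candidate.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            continue  # not valid UTF-8 or not valid JSON under this key
        if isinstance(parsed, dict):
            hits.append((key, parsed))
    return hits


if __name__ == "__main__":
    for key, beacon in recover_json_beacon(CAPTURED_BODY):
        print(f"key=0x{key:02x} beacon={beacon}")
```

Requiring the decoded bytes to parse as a JSON object is what makes the brute force unambiguous: a plain printable-character score would also rank the untouched ciphertext highly, because XORing ASCII with a key below 0x80 keeps most bytes printable.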
Copyright of this story belongs solely to gbhackers.