A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor

    Date: 08/21/2025

    Severity: Medium

    Summary

    The report analyzes CORNFLAKE.V3, a backdoor malware with variants written in JavaScript and PHP, designed to retrieve and execute various payloads via HTTP, including shell commands, executables, and DLLs. It features host persistence through Windows registry Run keys and abuses Cloudflare Tunnels to proxy traffic to remote servers. CORNFLAKE.V3 also collects basic system information and communicates with command-and-control (C2) servers. This version builds upon CORNFLAKE.V2, adding persistence and expanded payload support. In contrast, the original CORNFLAKE, written in C, operated over TCP and acted solely as a downloader.

    Indicators of Compromise (IOC) List

    URL/Domain

    varying-rentals-calgary-predict.trycloudflare.com

    dnsmicrosoftds-data.com

    windows-msg-as.live

    IP Address

    138.199.161.141

    159.69.3.151

    167.235.235.151

    128.140.120.188

    177.136.225.135

    Hash

    000b24076cae8dbb00b46bb59188a0da5a940e325eaac7d86854006ec071ac5b

    a2d4e8c3094c959e144f46b16b40ed29cc4636b88616615b69979f0a44f9a2d1

    14f9fbbf7e82888bdc9c314872bf0509835a464d1f03cd8e1a629d0c4d268b0c

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "dnsmicrosoftds-data.com" or siteurl like "dnsmicrosoftds-data.com" or url like "dnsmicrosoftds-data.com" or domainname like "varying-rentals-calgary-predict.trycloudflare.com" or siteurl like "varying-rentals-calgary-predict.trycloudflare.com" or url like "varying-rentals-calgary-predict.trycloudflare.com" or domainname like "windows-msg-as.live" or siteurl like "windows-msg-as.live" or url like "windows-msg-as.live"

    Detection Query 2:

    dstipaddress IN ("138.199.161.141","128.140.120.188","177.136.225.135","167.235.235.151","159.69.3.151") or srcipaddress IN ("138.199.161.141","128.140.120.188","177.136.225.135","167.235.235.151","159.69.3.151")

    Detection Query 3:

    sha256hash IN ("000b24076cae8dbb00b46bb59188a0da5a940e325eaac7d86854006ec071ac5b","14f9fbbf7e82888bdc9c314872bf0509835a464d1f03cd8e1a629d0c4d268b0c","a2d4e8c3094c959e144f46b16b40ed29cc4636b88616615b69979f0a44f9a2d1")
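    The three queries above are written for the Gurucul TDIR platform; the following Python script is an added example (not Gurucul's or Mandiant's code) that applies the same indicator logic to normalised log records so the matching can be checked offline. It assumes records are dicts using the query field names (domainname, siteurl, url, dstipaddress, srcipaddress, sha256hash), treats subdomains of an indicator domain as matches (an assumption; the TDIR `like` operator may behave differently), and uses constructed sample records that are not real telemetry.

```python
from urllib.parse import urlsplit

# Indicators taken from the advisory above (domains, IPs, SHA-256 hashes).
IOC_DOMAINS = {
    "varying-rentals-calgary-predict.trycloudflare.com",
    "dnsmicrosoftds-data.com",
    "windows-msg-as.live",
}
IOC_IPS = {"138.199.161.141", "159.69.3.151", "167.235.235.151",
           "128.140.120.188", "177.136.225.135"}
IOC_HASHES = {
    "000b24076cae8dbb00b46bb59188a0da5a940e325eaac7d86854006ec071ac5b",
    "a2d4e8c3094c959e144f46b16b40ed29cc4636b88616615b69979f0a44f9a2d1",
    "14f9fbbf7e82888bdc9c314872bf0509835a464d1f03cd8e1a629d0c4d268b0c",
}

def hostname(value: str) -> str:
    """Lower-cased host of a URL or bare domain, with port/path/trailing dot removed."""
    v = value.strip().lower()
    if "://" not in v:
        v = "//" + v  # urlsplit only parses a netloc after a scheme separator
    return (urlsplit(v).hostname or "").rstrip(".")

def domain_hit(value: str) -> bool:
    """True if the observed host is an indicator domain or a subdomain of one (assumption)."""
    h = hostname(value)
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)

def match_record(rec: dict) -> list[str]:
    """Return which of the advisory's three queries fire on one record."""
    hits = []
    if any(domain_hit(rec[f]) for f in ("domainname", "siteurl", "url") if rec.get(f)):
        hits.append("Query 1")  # domain / URL indicators
    if any(rec.get(f) in IOC_IPS for f in ("dstipaddress", "srcipaddress")):
        hits.append("Query 2")  # C2 IP addresses, either direction
    if rec.get("sha256hash", "").lower() in IOC_HASHES:  # hashes are case-insensitive
        hits.append("Query 3")
    return hits

def scan(records: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and matched queries for every record that fires at least one query."""
    return [(i, m) for i, r in enumerate(records) if (m := match_record(r))]

# Constructed sample records (not real telemetry); only the IOC values come from the advisory.
SAMPLE_RECORDS = [
    {"url": "https://varying-rentals-calgary-predict.trycloudflare.com/init", "dstipaddress": "10.0.0.5"},
    {"domainname": "cdn.windows-msg-as.live", "srcipaddress": "10.0.0.7"},
    {"dstipaddress": "159.69.3.151", "sha256hash": "deadbeef" * 8},
    {"sha256hash": "14F9FBBF7E82888BDC9C314872BF0509835A464D1F03CD8E1A629D0C4D268B0C"},
    {"url": "https://www.example.com/", "dstipaddress": "93.184.216.34"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS):
        print(idx, hits)
```

    Because trycloudflare.com hostnames are generated per tunnel, the domain indicator should be expected to rotate; the IP and hash indicators are the more durable of the three sets.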

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor


    Tags: Malware, Backdoor, CORNFLAKE.V3, DLL
