A cereal offender: analyzing the cornflake.v3 backdoor

Intel Name: A cereal offender: analyzing the cornflake.v3 backdoor

Date of Scan: August 21, 2025

Impact: Medium

Summary:
The report analyzes CORNFLAKE.V3, a backdoor malware with variants written in JavaScript and PHP, designed to retrieve and execute various payloads via HTTP, including shell commands, executables, and DLLs. It features host persistence through Windows registry Run keys and abuses Cloudflare Tunnels to proxy traffic to remote servers. CORNFLAKE.V3 also collects basic system information and communicates with command-and-control (C2) servers. This version builds upon CORNFLAKE.V2, adding persistence and expanded payload support. In contrast, the original CORNFLAKE, written in C, operated over TCP and acted solely as a downloader.
