Executive Summary
This document presents the results of a targeted threat hunt conducted in search of tactics, techniques, and procedures (TTPs) associated with the CORNFLAKE.V3 backdoor. During the investigation, a backdoor with remote code execution capabilities was discovered; however, its direct connection to CORNFLAKE.V3 remains unconfirmed. The report details the hunting process, describes how the newly identified backdoor achieves persistence and remote access, and provides guidance to bolster defenses against similar threats, regardless of attribution.
1. Intel Review & Hunt Initiation
- Date: August 26th, 2025
- Intel Source: Internal Threat Intelligence Bulletin – “CORNFLAKE.V3 Backdoor” (Google Cloud Blog)
Summary of Threat:
The bulletin described the CORNFLAKE.V3 backdoor as an advanced threat identified in recent campaigns (notably as the backdoor installed once a ClickFix lure succeeds), frequently delivered through potentially unwanted applications (PUAs) or malware droppers. Notable behaviors included:
- Deployment of a portable Node.js runtime or PHP runtime in user profile directories such as %APPDATA%\Roaming\.
- Execution of high-entropy JavaScript or PHP payloads from these directories.
- Beaconing to attacker-controlled domains via HTTPS POST, using XOR+Base64 obfuscation.
- Potential registry-based persistence using misleading names like “ChromeUpdater” or “iCube”.
- Ability to run operating system commands and write to the registry remotely.
Hunt Hypothesis:
Given that CORNFLAKE.V3 abuses a portable Node.js runtime in %APPDATA%, the hunt team hypothesized that searching for Node.js executions originating from roaming profiles would surface evidence of active infections or related loader activity.
Initial hunting query used:
The following query was applied to hunt for indicators of the CORNFLAKE.V3 backdoor:
event.type = 'Process Creation'
and src.process.name = 'node.exe'
and src.process.image.path contains:anycase '\AppData\Roaming\'
Objective:
The goal in this phase is to pinpoint Node.js processes launched from userland directories, then correlate each instance with its associated scripts, outbound connections, and persistence artifacts.
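As an added example (not code from the report or from any EDR vendor), the following Python applies the page's hunt logic to constructed process-creation records: it selects node.exe launched from \AppData\Roaming\, pulls the script and domain arguments out of the command line, flags an AllManualsReader parent, and joins in any schtasks /Create /xml launched from %TEMP% on the same host, the persistence artifact described in Section 3. The host names, the user name "jdoe" and the record layout are assumptions.

```python
import re
from collections import defaultdict
# Constructed process-creation telemetry (not the report's EDR export). Paths mirror
# the artifacts described on this page, with the placeholder user name "jdoe".
EVENTS = [
    {"host": "WS-01", "type": "Process Creation", "name": "node.exe",
     "path": r"C:\Users\jdoe\AppData\Roaming\NTlSEQj6eU99K\node.exe",
     "cmdline": r'"C:\Users\jdoe\AppData\Roaming\NTlSEQj6eU99K\node.exe" '
                r'"C:\Users\jdoe\AppData\Roaming\NTlSEQj6eU99K\NTgSEQj6eU99K.js" '
                r'api.k2ioeasm874fnacr9x.com 87e7d754-e1b8-4f2d-a32c-18806904baed HkQkoJeJ9DK',
     "parent": r"C:\Users\jdoe\AppData\Local\Programs\AllManualsReader\node\node.exe"},
    {"host": "WS-01", "type": "Process Creation", "name": "schtasks.exe",
     "path": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /tn MQQkoJeJ9DK /xml "%TEMP%\4f7358f9-23b4-4c1f-b428-57d593f0eb7c.xml"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign control: a system-wide Node.js install on another host must not match.
    {"host": "WS-02", "type": "Process Creation", "name": "node.exe",
     "path": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" build.js',
     "parent": r"C:\Windows\System32\cmd.exe"},
]

ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
# Section 3's persistence artifact: schtasks /Create ... /xml <file staged in %TEMP%>.
TASK_XML_FROM_TEMP = re.compile(r'schtasks\s+/Create\b.*\s/xml\s+"?(?:%TEMP%|[^"]*\\Temp)\\', re.I)
DOMAIN = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)
def split_args(cmdline):
    # Tokenise a Windows command line, honouring double-quoted arguments.
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
def hunt_node_from_roaming(events):
    # The page's hunt query: Process Creation, node.exe, image path under AppData\Roaming.
    return [e for e in events if e["type"] == "Process Creation"
            and e["name"].lower() == "node.exe" and ROAMING.search(e["path"])]
def correlate(events):
    # For each hit: script and domain-like arguments, whether the parent is the PUA,
    # and any Scheduled Task on the same host created from XML staged in %TEMP%.
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for hit in hunt_node_from_roaming(events):
        args = split_args(hit["cmdline"])[1:]  # drop the executable itself
        findings[hit["host"]] = {
            "scripts": [a for a in args if a.lower().endswith(".js")],
            "domains": [a for a in args if DOMAIN.fullmatch(a)],
            "parent_is_pua": "AllManualsReader" in hit["parent"],
            "tasks_from_temp": [e["cmdline"] for e in by_host[hit["host"]]
                                if TASK_XML_FROM_TEMP.search(e["cmdline"])]}
    return findings
```

Against the constructed records only WS-01 is returned, carrying the payload script, the C2-looking argument, the PUA parent and the task created from %TEMP%.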
2. Discovery of Beaconing Activity
Initial Findings:
The hunting query surfaced several instances of node.exe processes running from atypical directories, notably:
C:\Users\\AppData\Roaming\NTlSEQj6eU99K\node.exe
Command-Line Analysis:
A closer look at the src.process.cmdline field revealed the Node.js executable was launching a high-entropy JavaScript file with suspicious parameters:
- "C:\Users\\AppData\Roaming\NTlSEQj6eU99K\node.exe"
- "C:\Users\\AppData\Roaming\NTlSEQj6eU99K\NTgSEQj6eU99K.js"
- "api.k2ioeasm874fnacr9x.com"
- "87e7d754-e1b8-4f2d-a32c-18806904baed"
- "HkQkoJeJ9DK"
- "HRQkoJeJ9DK"
- "HygLkoJeJ9DK"
Parent Process Evidence:
Process lineage indicated this activity originated from the AllManualsReader application:
- "C:\Windows\System32\cmd.exe" /C start "" /min
- "C:\Users\\AppData\Local\Programs\AllManualsReader\node\node.exe"
- "C:\Users\\AppData\Local\Programs\AllManualsReader\2d4d7602-8032-4207-a03f-be08e68d1094.js"
Key observations:
- The parent process was a Node.js binary packaged within the AllManualsReader program directory.
- The initial JavaScript file (2d4d7602-8032-4207-a03f-be08e68d1094.js) functioned as a loader, spawning a secondary portable Node.js runtime from %APPDATA%\Roaming\NTlSEQj6eU99K\ to execute the obfuscated payload (NTgSEQj6eU99K.js).
- This chain of execution establishes AllManualsReader as the delivery mechanism for the backdoor.
Beaconing Pattern:
Reviewing EDR telemetry and DNS logs, analysts confirmed repeated lookups to api.k2ioeasm874fnacr9x[.]com originating from the affected endpoint. Beaconing activity was consistent and ongoing for several weeks—beginning at installation—demonstrating persistent C2 communication. These queries occurred at regular intervals and were independent of user activity, a hallmark of automated beaconing. No sanctioned business applications were found contacting this domain.
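To turn the "regular intervals, independent of user activity" observation above into detection logic, here is an added Python example (not the report's or any vendor's code) run over constructed DNS records: it measures how regular the lookup gaps are per host and domain and what share of lookups fall outside working hours. The record layout, the host name, the benign comparison domain and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def intervals(ts):
    ts = sorted(ts)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def periodicity(ts):
    # Summarise one host->domain lookup series: count, mean gap, coefficient of variation
    # of the gaps (0 = perfectly regular) and the share of lookups outside 06:00-22:00.
    gaps = intervals(ts)
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return {"queries": len(ts), "mean_s": m,
            "cv": pstdev(gaps) / m if m else float("inf"),
            "off_hours_share": sum(t.hour < 6 or t.hour >= 22 for t in ts) / len(ts)}

def is_beacon_like(ts, min_queries=12, max_cv=0.15, min_off_hours=0.1):
    # Regular gaps plus off-hours activity over enough lookups: the pattern the report
    # calls a hallmark of automated beaconing. The thresholds are assumptions.
    p = periodicity(ts)
    return bool(p and p["queries"] >= min_queries
                and p["cv"] <= max_cv and p["off_hours_share"] >= min_off_hours)

def flag_domains(records):
    # records: (timestamp, host, domain) tuples from a DNS log -> flagged (host, domain) pairs.
    series = defaultdict(list)
    for ts, host, domain in records:
        series[(host, domain)].append(ts)
    return sorted(k for k, ts in series.items() if is_beacon_like(ts))

# Constructed DNS records (not the report's logs) covering three days for one host.
T0 = datetime(2025, 8, 1, 9, 0)
C2 = "api.k2ioeasm874fnacr9x.com"
# Automated: one lookup every 30 minutes with +/-45 s alternating jitter, around the clock.
BEACON = [(T0 + timedelta(minutes=30 * i, seconds=45 * (-1) ** i), "WS-01", C2)
          for i in range(144)]
# Human-driven: irregular lookups of an assumed internal site during working hours only.
HUMAN = [(T0 + timedelta(days=d, minutes=m), "WS-01", "intranet.example.com")
         for d in range(3) for m in (3, 17, 58, 125, 130, 240, 333, 409, 451, 470)]
RECORDS = BEACON + HUMAN
```

Only the C2 series is flagged: its gaps vary by about 5% around 30 minutes and a third of the lookups fall at night, while the human-driven series has wildly uneven gaps and no off-hours activity.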
Variant-Specific Findings:
Although AllManualsReader is present in other environments, only the installation observed on exhibited this backdoor behavior. This suggests that this particular build was repackaged with malicious components rather than being a generic PUA installation.
Additional Dropped Files:
- bat — Standard Node.js environment setup script.
- js — Obfuscated payload (for analysis, see Section 3).
Preliminary Assessment:
This activity was not attributable to a standard AllManualsReader deployment. Instead, a tampered variant was used to install both a custom Node.js runtime and the CORNFLAKE.V3 backdoor, enabling persistent connections to attacker infrastructure.
3. Technical Analysis of the Backdoor Payload
A thorough automated and manual evaluation of the JavaScript payload executed by the portable Node.js runtime has revealed clear indicators consistent with the behavior of a malware dropper and backdoor installer.
Key Behaviors Identified:
Command-and-Control (C2) Communication
- Establishes connections with remote command-and-control servers (e.g., api.nonexistanturl.com; with observed traffic redirected to api.k2ioeasm874fnacr9x[.]com) for the purpose of command exchange and data transmission.
- Utilizes a combination of XOR-based encryption and Base64 encoding to obfuscate transferred data.
- Implements randomization of file names, directories, and UUID values in communications to evade detection.
System Profiling
- Gathers host-specific identifiers such as the Machine GUID from the Windows Registry.
- Forwards these details to the C2 server during the initial handshake, facilitating unique identification of affected hosts.
Payload Acquisition and Deployment
- Downloads a ZIP archive from the C2 infrastructure, extracts its contents, and deploys a secondary Node.js script within the user’s %APPDATA% directory.
- Copies the local Node.js runtime alongside the deployed script to ensure standalone execution regardless of external dependencies.
Persistence Mechanism
- Creates a batch file in the %TEMP% directory to programmatically establish persistence using Windows Task Scheduler.
- Leverages an XML task definition from %TEMP% to create a Scheduled Task with a randomly generated name, configured to execute the installed Node.js script every four hours under the SYSTEM account.
- This design enables continued operation across user logoffs and system reboots.
Observed Persistence Artifacts (Host Telemetry):
`cmd.exe /d /s /c "%TEMP%\b953136b-ac73-4dab-bc62-e1e2de519a6b.bat"`
`schtasks /Create /tn MQQkoJeJ9DK /xml "%TEMP%\4f7358f9-23b4-4c1f-b428-57d593f0eb7c.xml"`
- The batch file is launched by a Node.js process embedded within the PUA’s program directory, executing a randomized loader script before establishing the scheduled task.
Evasion and Cleanup Strategies
- Employs encryption, code obfuscation, and filename randomization to hinder investigative analysis.
- Eliminates temporary files and installation artifacts post-deployment (including those staged in %TEMP%) to reduce forensic visibility.
Indicators of Malicious Activity
- Execution without user consent or legitimate administrative authorization.
- Absence of documentation, safeguards, or valid application logic to justify the described behaviors.
- Attack methodology aligns with known tactics utilized by malware droppers to maintain persistence and facilitate remote access.
Assessment:
The payload executes two primary functions:
- Initial Loader: Establishes persistence through scheduled tasks generated via BAT/XML in %TEMP%, ensuring backdoor activity persists after system restarts.
- Backdoor Operation: Maintains an active C2 link to enable remote tasking and subsequent payload delivery.
4. Attack Chain Overview
The chain below depicts the complete lifecycle of the malicious operation, tracing its progression from initial exposure through to sustained command-and-control beaconing and the establishment of persistence mechanisms.
[User visits e-commerce site (Temu) → Malvertising event]
  ↓
[AllManualsReader loader: "…\AllManualsReader\<random-guid>.js"]
  ↓
[Command-and-Control (C2) communication]
  – Sends MachineGuid & system info
  – XOR+Base64 obfuscated traffic
  – Retrieves ZIP / secondary script
  ↓
[Persistence: Scheduled Task]
  ↳ Task runs the installed Node.js script from %APPDATA%
  ↳ Runs as SYSTEM on a 4-hour interval
  ↓
[Ongoing operation]
  – Recurring execution via Scheduled Task
  – Ongoing DNS/HTTPS beacons to C2
  – Cleanup of temporary files for evasion
Key Notes:
- Initial Access Vector: Malicious ad on Temu led to AllManualsReader download.
- Variant Specificity: Packed AllManualsReader with backdoor code, unlike benign versions elsewhere.
- Persistence: Uses SYSTEM-level Scheduled Task for resilience.
- Evasion: Random filenames, encryption, and post-install cleanup.
- Beaconing: Continuous regular intervals since installation, not user-initiated.
5. Incident Response Actions
Upon confirmation of malicious activity, threat hunting and incident response teams coordinated to contain and remediate the impacted endpoint. Actions included:
- Containment: The endpoint was isolated from the network to halt further C2 communications and payload delivery. The malicious C2 domain (api.k2ioeasm874fnacr9x[.]com) was blocked at both the network perimeter and DNS filtering layers.
- Eradication: The compromised AllManualsReader application was uninstalled. The secondary portable Node.js runtime and associated backdoor script directory were removed from %APPDATA%. The Windows Scheduled Task running the malicious script as SYSTEM was deleted, along with any residual files such as temporary archives and batch scripts (nodevars.bat).
- Verification: Follow-up EDR sweeps were performed to confirm the absence of further persistence mechanisms, including registry keys and services. The environment was checked for additional instances of AllManualsReader matching the malicious variant. Network and DNS telemetry were monitored for recurring beaconing activity.
- Recovery: The endpoint was reconnected to the network only after a thorough confirmation that the threat had been removed, and normal operations resumed with enhanced monitoring safeguards.
- Preventative Measures: Hunting queries were updated to flag future appearances of AllManualsReader for review. Adding the Temu domain to the blocklist was also recommended. Application control policies were enforced to restrict execution of portable runtimes from user profile directories.
Outcome:
After a thorough investigation, the malicious backdoor was eliminated before it could cause any damage. All persistence mechanisms were dismantled and the backdoor was fully removed from the affected endpoint; no further C2 activity has been observed since remediation.
Sample Analysis References
https://www.virustotal.com/gui/file/bcce150b51f41e0deea7b1f32dccd13dee170c97e1a94dda654ca186305b76e2
