This analysis details a campaign involving two threat groups, UNC5518 and UNC5774, deploying the CORNFLAKE.V3 backdoor. UNC5518 compromises legitimate websites to serve fake CAPTCHA pages, luring visitors to execute a downloader script. UNC5774 then uses this access to deploy CORNFLAKE.V3, a sophisticated backdoor with variants in JavaScript and PHP. The malware collects system information, establishes persistence, and can execute various payloads including shell commands, executables, and DLLs. It communicates with command and control servers using HTTP and can abuse Cloudflare Tunnels for traffic proxying. The campaign also involves active directory reconnaissance and credential harvesting attempts via Kerberoasting.