{
	"id": "a2331671-4e22-401f-a515-05ad5c6483c5",
	"created_at": "2026-04-06T00:10:48.663154Z",
	"updated_at": "2026-04-10T03:20:21.695853Z",
	"deleted_at": null,
	"sha1_hash": "139d842dc33e6e1c0a66bfb486ce2c4a7702a439",
	"title": "3CX Desktop App Compromised (CVE-2023-29059) | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60125,
	"plain_text": "3CX Desktop App Compromised (CVE-2023-29059) | FortiGuard Labs\r\nBy FortiGuard Labs\r\nPublished: 2023-03-30 · Archived: 2026-04-05 20:21:58 UTC\r\nThis is a developing story. Please check back for the latest updates from FortiGuard Labs. For a report of this event, please visit our Threat Signal Reports page.\r\nOn March 29, a number of reports surfaced that a legitimately signed file from VoIP/IP PBX solutions provider 3CX (the 3CXDesktop App) had been trojanized due to a code-level compromise. This is the latest high-profile supply chain attack in a line that began with SolarWinds and Kaseya a few years ago. The issue has been assigned CVE-2023-29059.\r\n3CXDesktop App is a multi-platform softphone application for desktops (Linux, MacOS, and Windows). The 3CXDesktop App allows users to interact via chat, messaging, video, and voice. Initial reports suggested that all platforms of the 3CXDesktop App were compromised. At the time of writing, however, it appears that only the Electron framework versions for MacOS (versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416) and Windows (versions 18.12.407 and 18.12.416) of the 3CX Desktop App are affected. 3CX has stated that they are working on a new version of the Windows app and have revoked the certificate for the previous version. Initially, there was some confusion about whether the MacOS version was affected, as the CEO of 3CX issued a statement that only the Windows version of the app was affected. However, this statement was later retracted. No status on the availability of a fixed MacOS version had been provided at the time of writing.\r\nThe company’s website boasts that 3CX is available in over 190 countries worldwide, with over 12 million daily users and a 600,000-plus customer base. Companies listed on its website include high-profile organizations in the automobile, aerospace, finance, food and beverage, government, hospitality, and manufacturing sectors, to name a few.\r\nThe trojanized 3CX Desktop App is part of a multi-stage attack that uses a malicious sideloaded DLL (ffmpeg.dll, SHA256: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896) that contains instructions and a payload within another DLL via an encrypted blob (d3dcompiler_47.dll, SHA256: 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03). This blob also contains the shellcode, which tries to pull ICO files from GitHub (currently down) that contain various URIs for download, from which the final payload is ultimately loaded and installed on the target environment. However, we could not confirm further details as the repository is currently down.\r\nDiscovery of Two 3CXDesktopApp.exes – but Only One Sideloads the Malicious DLL\r\nLooking at the Windows installer (SHA256: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868), it drops TWO 3CXDesktopApp.exe files. The SECOND (inside the app-18.12.407 folder) is the one that sideloads the ffmpeg.dll file.\r\nC:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\3CXDesktopApp.exe\r\nFilesize: 541KB\r\nMD5: 08d79e1fffa244cc0dc61f7d2036aca9\r\nSHA1: 480dc408ef50be69ebcf84b95750f7e93a8a1859\r\nSHA256: 54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02\r\nC:\\Users\\Admin\\AppData\\Local\\Programs\\3CXDesktopApp\\app-18.12.407\\3CXDesktopApp.exe\r\nFilesize: 142MB\r\nMD5: bb915073385dd16a846dfa318afa3c19\r\nSHA1: 6285ffb5f98d35cd98e78d48b63a05af6e4e4dea\r\nSHA256: dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc\r\nHeatmap - Focus on Europe and North America\r\nBelow is a heat map based on recent connections to known malicious domains associated with this attack that FortiGuard Labs observed at the time of writing (March 31st, 2023):\r\nBased on our telemetry, the top 10 countries highlight the geographic spread of victim machines calling out to known actor-controlled infrastructure, which appears to target European and North American victims more:\r\nThe following chart reveals a regional breakdown that further supports this point, as close to 80 percent of the connections to the attacker-controlled infrastructure are concentrated in Europe and North America. This may indicate that the threat actor is mainly targeting enterprises in those regions; however, this is uncertain. It could also reflect the 3CX product's geographic customer base, including the possibility of various multinational corporations operating inside those regions.\r\nWhat Mitigations Are Available?\r\n3CX suggests that users migrate to the PWA app in the meantime. The PWA app is web-based and is unaffected by the supply chain attack. Customers on 3CXHosted and StartUP are not affected. Additional details on updates and best practices can be found here. FortiGuard Labs suggests that all older variants of the 3CX Desktop App be discontinued immediately until newer unaffected versions are available.\r\nWhat is the Status of Coverage?\r\nFortinet customers running the latest definitions are protected by the following AV signatures:\r\nW64/Agent.CFM!tr\r\nOSX/Agent.CN!tr\r\nRiskware/Sphone_XC3\r\nAll known network IOCs related to this attack are blocked by the WebFiltering client. For a detailed overview of all Fortinet protections for this event, please visit our Outbreak Alerts page.\r\nIndicators of Compromise (IOCs)\r\nFortiEDR detects installation of the 3CX Desktop App with a dynamic code exception event:\r\nFortiGuard Labs has released a new Application Control signature, 3CX, that detects attempted 3CX access activity; it was released in definitions set 23.528.\r\nRegarding FortiAnalyzer, a knowledge base article that contains detailed insight on how to detect activities related to the 3CX supply chain attack can be found here.\r\nNetwork IOCs\r\nSource: https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised"
	],
	"report_names": [
		"3cx-desktop-app-compromised"
	],
	"threat_actors": [],
	"ts_created_at": 1775434248,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/139d842dc33e6e1c0a66bfb486ce2c4a7702a439.pdf",
		"text": "https://archive.orkl.eu/139d842dc33e6e1c0a66bfb486ce2c4a7702a439.txt",
		"img": "https://archive.orkl.eu/139d842dc33e6e1c0a66bfb486ce2c4a7702a439.jpg"
	}
}