{
	"id": "8e1a3219-1f4c-41a2-9dbe-188e25e20173",
	"created_at": "2026-04-06T00:12:33.994743Z",
	"updated_at": "2026-04-10T13:12:01.749559Z",
	"deleted_at": null,
	"sha1_hash": "202616d52aa407a17de3fe3fbfa186798fc190fc",
	"title": "Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6628429,
	"plain_text": "Splunk Insights: Investigating the 3CXDesktopApp Supply Chain\r\nCompromise | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2023-03-31 · Archived: 2026-04-05 21:47:55 UTC\r\nCrowdStrike announced on 3/29/2023 that an active intrusion campaign was targeting 3CX customers utilizing a\r\nlegitimate, signed binary, 3CXDesktopApp (CISA link). As investigations and public information came out\r\nfrom vendors all across the spectrum, 3CX customers of all sizes began investigating their fleet for signs\r\nof compromise. These campaigns are often referred to as supply chain compromises, or MITRE ATT\u0026CK T1195.\r\nThe most notable of these attacks, which brought supply chain security to the forefront of most organizations’\r\nsecurity posture, was SolarWinds. A notable lesson from dealing with the SolarWinds vulnerability was the\r\ndifficulty associated with identifying supply chain compromises at the source. For the 3CXDesktopApp, it all\r\nbegan after a 7-day sleep, when the compromised software version began to trigger different anti-virus products and\r\nshowed suspicious behaviors in EDR products.\r\nDefenders must consider an attack surface comprising both endpoint and network. Utilizing our defense\r\nin depth approach, tracking anti-virus, EDR and other alerts provided can assist with piecing together the puzzle.\r\nIt’s not a simple task when it comes to identifying software supply chain compromises. It may all begin with a\r\npost-exploitation event; working backwards allows us to see the source.\r\nIn this Splunk blog post, we aim to equip defenders with the necessary tools and strategies to actively hunt down\r\nand counteract this campaign. 
Additionally, we will offer some resilient analytic ideas that can serve as a\r\nfoundation for future threat detection and response efforts.\r\nInfection Chain Walk Through\r\nThe supply chain compromise begins when users download an affected version of the 3CXDesktopApp, which\r\nsubsequently loads a maliciously crafted or trojanized ffmpeg.dll. This compromised component is responsible for\r\ninitiating the malicious activities associated with the attack.\r\nAffected 3CX versions:\r\n3CXDesktopApp-18.12.407.msi\r\n3CXDesktopApp-18.12.416.msi\r\nffmpeg.dll\r\nThe patched ffmpeg.dll is responsible for reading another DLL named \"d3dcompiler_47.dll,\" which contains an\r\nencrypted shellcode and additional DLLs that will download several .ico files. Figure 1 presents a code snippet of\r\nthe maliciously crafted ffmpeg.dll that reads the \"d3dcompiler_47.dll\" file to search for an embedded encrypted\r\nshellcode, starting with an 8-byte sequence \"0xFE 0xED 0xFA 0xCE 0xFE 0xED 0xFA 0xCE.\"\r\nhttps://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html\r\nPage 1 of 11\n\nFigure 1\r\nD3dcompiler_47.dll\r\nThe shellcode is encrypted using the RC4 algorithm, with a specific decryption key \"3jB(2bsG#c7\". Figure 2\r\nillustrates the encrypted code block embedded in d3dcompiler_47.dll before and after the decryption process.\r\nUpon examining the decrypted portion of the screenshot, it becomes evident that the shellcode contains\r\ninstructions to load another DLL.\r\nFigure 2\r\nDecrypted-DLL\r\nThe shellcode proceeds to load the decrypted DLL export \"DllGetClassObject,\" which initiates a thread to\r\nexamine the manifest file. It then sleeps for a duration based on a randomly generated value relative to the system\r\ndate and time. 
Following this, it reads the machine GUID from the registry. Figure 3 demonstrates how the\r\nshellcode accesses the Cryptography registry to parse the MachineGUID of the targeted or compromised host.\r\nFigure 3\r\nUpon retrieving the Machine GUID, the shellcode calls a function that attempts to download several .ico files\r\nfrom the GitHub repository. At the time of writing, the URL link was no longer accessible, but the cybersecurity\r\ncommunity shared the files, enabling us to examine the next stage.\r\nFigure 4 presents a code snippet of the decrypted DLL that attempts to download multiple .ico files for decoding\r\nand decryption. The code highlights an intriguing approach employed by the attacker, using .ico files as\r\nconfiguration files. After downloading the .ico files, the shellcode reads them byte by byte, searching for the\r\ncharacter \"$\". This character serves as a marker for the encoded and encrypted C2 URL link.\r\nFigure 4\r\nFigure 5 presents a basic hex view snippet of two malicious .ico files that the decrypted DLL attempts to\r\ndownload. The hex bytes highlighted in the yellow box represent the base64-encoded and encrypted C2 URL link,\r\nwhich begins with the \"$\" character. We recommend using the decrypt-ico.py script created by the Volexity team\r\nto automatically decrypt this string. The decrypted C2 server can be found in the IOC section of this blog.\r\nFigure 5\r\nThe aforementioned C2 server proceeds to download an additional configuration JSON file, ultimately leading to\r\nthe final payload binary, which is a browser stealer malware. 
This malware is designed to extract sensitive\r\ninformation from the victim's web browsers.\r\nBrowser Stealer Payload\r\nThe browser stealer is a separate 64-bit (x64) DLL that executes its malicious code through the \"DllGetClassObject\"\r\nexport function. This malware aims to extract information such as domain name, computer name, and OS version\r\nusing the NetWkstaGetInfo() and RtlGetVersion() APIs. Figures 6.1 and 6.2 display code snippets illustrating how\r\nthe malware retrieves the specified information using these two Windows APIs and formats it before transmitting\r\nthe data to its C2 server.\r\nFigure 6.1\r\nFigure 6.2\r\nFinally, the malware targets several well-known browsers, including \"Chrome,\" \"Firefox,\" \"MSEdge,\" and\r\n\"Brave,\" in order to steal information. It achieves this by accessing browser history and the places.sqlite database,\r\ncopying it, and then querying the discovered SQLite browser databases to parse the URL and title, limited to the\r\nfirst 500 entries. Figure 7 displays a code snippet illustrating how the stealer executes the SQL command once it\r\nlocates the browser SQLite database it needs to parse and subsequently sends the information to its C2 server.\r\nFigure 7\r\nWe identified several key factors during our analysis that aid in guiding Splunk content creation. Now, let's delve\r\ninto the content and examine the various ways in which Splunk can be of assistance.\r\nSecurity Content\r\nThere are numerous methods for generating content in Splunk, as well as a wide variety of data sources. Based on\r\nthe indicators provided and our analysis above, we can present the following content. Some of these examples\r\nmay serve as inspiration, while others may be suitable for notables. 
Throughout our discussion, we will\r\noffer insights on building resilient analytics for each example.\r\nHunting 3CXDesktopApp Software\r\nInitially, like many, we want to identify endpoints across our fleet that have 3CXDesktopApp running and what\r\nversion. We decided to use the Endpoint.Processes datamodel so that results would return quickly. If data is not\r\nnormalized in the datamodel, that’s ok! Modify the analytic for your environment by looking for the process\r\nnames. Note that the datamodel does not provide the file version; here we are only looking for where this\r\nprocess is running across the fleet.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n| `drop_dm_object_name(Processes)`\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\nTwo aspects we recommend examining closely at this time are the file path and the command line. These elements\r\nmay vary across different environments, so it's important to identify the default location of the binary for your\r\norganization and determine if the command line follows a consistent pattern.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n| `drop_dm_object_name(Processes)`\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\nWindows Vulnerable 3CX Software\r\nSwitching to Sysmon, we wrote a query to look for 3CXDesktopApp by file version. Depending on the EDR\r\nproduct in use, many provide signature information, VirusTotal enrichment, prevalence and so forth.\r\nThe Splunk Attack Range uses a broad configuration file meant to capture every artifact provided. 
Each EDR\r\nproduct today provides similar telemetry or more, so it is very important to understand the product and how it can assist\r\nyour organization in an event like this.\r\n`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe) FileVersion=18.12.*\r\n| rename Computer as dest\r\n| stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name,process_name, Original\r\nAccording to 3CX, the security issue affects version numbers 18.12.407 and 18.12.416 on Windows. We adopt a\r\nslightly broader approach by searching for any 18.12.* version, primarily to monitor for any instances that may\r\nhave gone unnoticed. Furthermore, you can modify this analytic to examine any version or simply extract the\r\nversion information for an inventory overview.\r\nHere is another take on this query, showing just the process and version number by host.\r\n`sysmon` (process_name=3CXDesktopApp.exe OR OriginalFileName=3CXDesktopApp.exe)\r\n| rename Computer as dest\r\n| stats count min(_time) as firstTime max(_time) as lastTime by dest process_name FileVersion\r\n18.12.422 is the latest version as of 3/31/2023.\r\n3CX Supply Chain Attack Network Indicators\r\nWe would like to thank CrowdStrike and numerous other organizations for providing indicators. The method for\r\ndetecting the domains used will depend on an organization's security stack. Some products reveal the URI, while\r\nothers do not. In our case, we utilize DNS queries from Sysmon, which populates the Network_Resolution data\r\nmodel.\r\nHunting with these domains may produce false positives, and filtering/tuning is definitely recommended. Note\r\nthat a hit on a domain is not a 100% true positive. Some of these are legitimate and will require further\r\nreview. 
In addition to looking for the domains, it may provide value in doing two additional tasks based on\r\nproduct support:\r\n1. Restrict the network indicators to 3CXDesktopApp, or broadly any process\r\n2. Add URIs to the lookup, or a new query, and hunt for beaconing activity.\r\n| tstats `summariesonly` values(DNS.answer) as IPs min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution by\r\n| `drop_dm_object_name(DNS)`\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\n| lookup 3cx_ioc_domains domain as query OUTPUT Description isIOC\r\n| search isIOC=true\r\nUtilizing the Splunk App for Lookup File Editing, we can easily add/remove indicators or new columns.\r\nDLLs on Disk\r\nAs mentioned earlier, it is important to pay attention to the process path. In this specific campaign, we aim to\r\nidentify any additional files that were dropped on the disk, collect their hashes, and explore potential leads that\r\nmay offer further insights. Using Sysmon, we have narrowed our focus to the \\Appdata\\local\\ path and sorted the\r\ndata by the ImageLoaded (DLL) and various metadata points that Sysmon offers. It's important to note that\r\ndifferent EDR products will provide varying levels of visibility, so as you analyze this telemetry, start identifying\r\nalternative ways to pivot. Be sure to check for prevalence within your organization. For example, if the ffmpeg.dll\r\nwith this specific hash is found on only 5 out of 5,000 endpoints, it is certainly worth investigating further.\r\n`sysmon` 3cxdesktopapp.exe ImageLoaded=\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Programs\\\\3CXDesktopApp\\\\*\"\r\n#ToolTips\r\nImage loads are a voluminous datasource and can be cumbersome to hunt through. 
Here are some tips to narrow\r\ndown interesting image loads.\r\n1. Focus on non-standard paths. Native Windows DLLs will not run out of the user profile.\r\n2. Identify signing information and use it to your advantage to look for unsigned or revoked signatures based on file\r\npaths.\r\n3. If possible, look for processes loading DLLs from non-standard paths. Filter by signing status.\r\nRegistry\r\nRevisiting the initial installation process involving MsiExec.exe, it's important to note that several registry\r\nmodifications occur to ensure the persistence of this version of 3CXDesktopApp.\r\n`sysmon` EventID IN (12,13,14) process_name=\"msiexec.exe\" *\\\\appdata\\\\*\r\n| stats values(registry_value_data) by registry_path\r\nNow the registry modifications from 3CXDesktopApp itself. This is an abbreviated version, as there are a lot of\r\nstandard modifications in the output.\r\n`sysmon` EventID IN (12,13,14) process_name=\"3cxdesktopapp.exe\"\r\n| stats values(registry_value_data) by registry_path\r\nLearn More\r\nYou can find the latest content and security analytic stories on GitHub and in Splunkbase. Splunk Security\r\nEssentials also has all these detections available via push update.\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the\r\nSlack channel #security-research. 
Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nContributors\r\nWe would like to thank Michael Haag and Teoderick Contreras for authoring this post and the entire Splunk\r\nThreat Research Team (Rod Soto, Mauricio Velazco, Lou Stella, Bhavin Patel, Eric McGinnis, and Patrick\r\nBareiss) for their contribution to this release.\r\nReferences:\r\nhttps://www.3cx.com/blog/news/desktopapp-security-alert/\r\nhttps://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/\r\nhttps://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/\r\nhttps://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/\r\nhttps://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp\r\nhttps://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/page-2#post-558898\r\nhttps://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/\r\nSource: https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html"
	],
	"report_names": [
		"splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434353,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/202616d52aa407a17de3fe3fbfa186798fc190fc.pdf",
		"text": "https://archive.orkl.eu/202616d52aa407a17de3fe3fbfa186798fc190fc.txt",
		"img": "https://archive.orkl.eu/202616d52aa407a17de3fe3fbfa186798fc190fc.jpg"
	}
}