{
	"id": "8a0e0b5b-e603-410f-a059-984629b49598",
	"created_at": "2026-04-06T00:14:18.01191Z",
	"updated_at": "2026-04-10T03:21:21.375087Z",
	"deleted_at": null,
	"sha1_hash": "20fbfd56b8bfba363e973bf91e73147ada4c4ae4",
	"title": "3CX: Supply Chain Attack Affects Thousands of Users Worldwide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66197,
	"plain_text": "3CX: Supply Chain Attack Affects Thousands of Users Worldwide\r\nArchived: 2026-04-05 17:40:19 UTC\r\nUPDATE March 31 2023 14:26 UTC: Our blog has been updated with a Yara rule to detect the final infostealer payload.\r\nUPDATE March 30 2023 17:39 UTC: Our blog has been updated with technical analysis of the macOS versions.\r\nUPDATE March 30 2023 14:17 UTC: Our blog has been updated with additional IOCs.\r\nUPDATE March 30 2023 12:47 UTC: Our blog has been updated with additional IOCs and protection information.\r\nUPDATE March 30 2023 9:07 UTC: Our blog has been updated with technical analysis of the malware used.\r\nAttackers believed to be linked to North Korea have Trojanized 3CX DesktopApp, a widely used voice and video calling desktop client. In an attack reminiscent of SolarWinds, installers for several recent Windows and Mac versions of the software were compromised and modified by the attackers in order to deliver additional information-stealing malware to the user's computer. The information gathered by this malware presumably allowed the attackers to gauge whether the victim was a candidate for further compromise.\r\nThe attackers compromised installer files for at least two Windows versions (18.12.407 and 18.12.416) and two Mac versions (8.11.1213 and the latest version) of 3CX DesktopApp. The installers contained clean versions of the app along with malicious DLLs. The clean app was used to sideload the malicious DLLs, which then installed information-stealing malware on the computer.
\r\nIn two variants analyzed by Symantec (SHA256: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 and 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983), the clean executable was used to load a malicious DLL named ffmpeg.dll (SHA256: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896). This DLL contains code that will load and execute a payload from a second DLL named d3dcompiler_47.dll (SHA256: 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03).\r\nd3dcompiler_47.dll contains an encrypted blob appended to the file, suggesting that it is possibly a Trojanized version of a legitimate file. The blob starts with the hex value \"FEEDFACE\", which the loader uses to find the blob. The decrypted blob contains shellcode and a third DLL (SHA256: aa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973).\r\nThe shellcode loads this third DLL and calls its DLLGetClassObject export with the following parameters:\r\n1200 2400 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 3CXDesktopApp/18.11.1197 Chrome/102.0.5005.167 Electron/19.1.9 Safari/537.36\"\r\nIt will then attempt to download an ICO file from the following GitHub repository:\r\nhttps://raw.githubusercontent[.]com/IconStorages/images/main/icon%d.ico\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack\r\nPage 1 of 6\r\nMac versions\r\nAt least two macOS versions of the affected software were compromised in a similar fashion. In this case a dynamic library named libffmpeg.dylib was Trojanized.
There are at least two variants of libffmpeg.dylib (SHA256: a64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67 and fee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7), and they seem to relate to different versions of the software.\r\nThe malicious code is in the InitFunc_0 function of libffmpeg.dylib. It calls _run_avcodec, which starts a thread; in this thread it decodes some shellcode with the single-byte XOR key 0x7A and then makes an HTTP request.\r\nIt attempts to download a payload from:\r\nURL: https://msstorageazure[.]com/analysis\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.128 Safari/537.36\r\nNote that this User-Agent identifies a Windows host even though the request is made from macOS; a macOS endpoint presenting it is itself a useful network detection hint.\r\nThe following URLs were embedded in analyzed variants:\r\nofficestoragebox[.]com/api/biosync\r\nvisualstudiofactory[.]com/groupcore\r\nazuredeploystore[.]com/cloud/images\r\nmsstorageboxes[.]com/xbox\r\nofficeaddons[.]com/quality\r\nsourceslabs[.]com/status\r\nzacharryblogs[.]com/xmlquery\r\npbxcloudeservices[.]com/network\r\npbxphonenetwork[.]com/phone\r\nakamaitechcloudservices[.]com/v2/fileapi\r\nazureonlinestorage[.]com/google/storage\r\nmsedgepackageinfo[.]com/ms-webview\r\nglcloudservice[.]com/v1/status\r\npbxsources[.]com/queue\r\nMitigation\r\n3CX is aware of the compromise and is advising users to immediately uninstall the app. It said that it is working on an update to the software that will be released within hours.
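Before the app is removed, responders will usually want to triage the binaries they already have. The following Python is an added example written for this page, not code from the Symantec post or from 3CX. It covers the two loader chains described above in one script: it locates whatever follows the FEEDFACE marker in a file image (the post does not describe the cipher of the appended blob, so the blob is only carved, not decrypted), recovers a single-byte-XOR stage by trying every key and looking for the http fragment the decoded macOS shellcode is known to carry (which generalises the post's fixed key 0x7A to any single-byte key), and then pulls hostnames out of the recovered bytes and matches them against the domain list quoted above. The two file images at the bottom are constructed samples, the literal byte order of FEEDFACE is an assumption, and the hostname regex is deliberately simple.

```python
# Added triage example, not code from the Symantec post or from 3CX. It covers the
# two loader chains described above: the FEEDFACE-marked blob appended to
# d3dcompiler_47.dll and the single-byte-XOR (0x7A) shellcode in libffmpeg.dylib,
# then pulls hostnames out of whatever was recovered and matches them against the
# domains the post lists. Both file images at the bottom are constructed samples.
import hashlib
import re

# Marker as it appears in a hex dump; the literal byte order is an assumption.
FEEDFACE = bytes.fromhex('FEEDFACE')


def refang(domain):
    # The post defangs domains as example[.]com; undo that for comparison.
    return domain.replace('[.]', '.')


# Domains quoted in the macOS section of the post.
POST_DOMAINS = {refang(d) for d in (
    'msstorageazure[.]com', 'officestoragebox[.]com', 'visualstudiofactory[.]com',
    'azuredeploystore[.]com', 'msstorageboxes[.]com', 'officeaddons[.]com',
    'sourceslabs[.]com', 'zacharryblogs[.]com', 'pbxcloudeservices[.]com',
    'pbxphonenetwork[.]com', 'akamaitechcloudservices[.]com',
    'azureonlinestorage[.]com', 'msedgepackageinfo[.]com', 'glcloudservice[.]com',
    'pbxsources[.]com',
)}

URL_RE = re.compile(b'https?://([A-Za-z0-9.-]+)')


def carve_feedface_blob(data):
    # Offset of the first FEEDFACE marker and everything after it. The post says
    # the loader finds the appended blob by this marker; it does not describe the
    # cipher, so the blob is returned as found for further analysis.
    off = data.find(FEEDFACE)
    if off < 0:
        return None, b''
    return off, data[off + len(FEEDFACE):]


def xor_single_byte(data, key):
    return bytes(b ^ key for b in data)


def recover_xor_shellcode(data, known=b'http'):
    # Try every non-zero single-byte key and keep the first whose output contains
    # a known plaintext fragment (the decoded macOS stage holds an http URL). The
    # post gives the key 0x7A; this generalises to any single-byte key.
    for key in range(1, 256):
        decoded = xor_single_byte(data, key)
        if known in decoded:
            return key, decoded
    return None, b''


def extract_hosts(data):
    # Lower-cased hostnames from URL-like strings in a byte buffer.
    return {m.group(1).decode('ascii', 'replace').lower()
            for m in URL_RE.finditer(data)}


def matches_post_domain(host):
    return any(host == d or host.endswith('.' + d) for d in POST_DOMAINS)


def triage(data):
    # Run all checks over one file image and summarise the result.
    off, blob = carve_feedface_blob(data)
    key, decoded = recover_xor_shellcode(data)
    hosts = extract_hosts(data) | extract_hosts(blob) | extract_hosts(decoded)
    return {
        'sha256': hashlib.sha256(data).hexdigest(),
        'feedface_offset': off,
        'xor_key': key,
        'hosts': sorted(hosts),
        'known_hosts': sorted(h for h in hosts if matches_post_domain(h)),
    }


# Constructed stand-in for a Trojanized d3dcompiler_47.dll: some leading bytes,
# padding, the marker, then an opaque blob (arbitrary bytes, not a real payload).
WINDOWS_PREFIX = b'MZ constructed stand-in for a PE image (not a real DLL) '
WINDOWS_BLOB = bytes.fromhex('3C5A7E9B1D2F4A6C8E0B3D5F7193B5D7')
WINDOWS_SAMPLE = WINDOWS_PREFIX + bytes(64) + FEEDFACE + WINDOWS_BLOB

# Constructed stand-in for the libffmpeg.dylib stage: a plaintext holding the URL
# and User-Agent quoted in the post plus an unrelated decoy, XORed with 0x7A.
NUL = bytes(1)
MAC_PLAINTEXT = (b'constructed sample shellcode' + NUL
                 + b'https://msstorageazure.com/analysis' + NUL
                 + b'https://officestoragebox.com/api/biosync' + NUL
                 + b'https://example.com/decoy' + NUL
                 + b'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
                 + b'(KHTML, like Gecko) Chrome/108.0.5359.128 Safari/537.36' + NUL)
MAC_SAMPLE = xor_single_byte(MAC_PLAINTEXT, 0x7A)

if __name__ == '__main__':
    for name, image in (('d3dcompiler_47.dll', WINDOWS_SAMPLE),
                        ('libffmpeg.dylib', MAC_SAMPLE)):
        print(name, triage(image))
```

To use it on real files, pass the bytes of the suspect DLL or dylib to triage(). A non-empty known_hosts or a feedface_offset is a reason to pull the host for full analysis, not proof on its own: the marker search and the known-plaintext key search are heuristics, and the brute force will report the first key that yields an http substring, so inspect the decoded buffer rather than trusting the key alone.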
3CX also advised users to consider using its PWA client as an alternative until a clean version of DesktopApp is released.\r\nProtection\r\nFile-based\r\nInfostealer\r\nTrojan Horse\r\nTrojan.Dropper\r\nTrojan.Malfilter\r\nWS.Malware.2\r\nOSX.Samsis\r\nTrojan.Samsis\r\nMachine Learning-based\r\nHeur.AdvML.A\r\nHeur.AdvML.B\r\nNetwork-based\r\nMalicious Site: Malicious Domains Request\r\nMalicious Site: Malicious Domain Request 59\r\nWeb Attack: WebPulse Bad Reputation Domain Request\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nYara Rule to detect final infostealer payload\r\nrule icon_3cx_stealer {\r\n    meta:\r\n        copyright = \"Symantec\"\r\n        description = \"Infostealer component used in 3CX supply chain attack\"\r\n    strings:\r\n        $a1 = \"******************************** %s ******************************\" wide fullword\r\n        $a2 = \"\\\\3CXDesktopApp\\\\config.json\" wide fullword\r\n        $a3 = { 7B 00 22 00 48 00 6F 00 73 00 74 00 4E 00 61 00 6D 00 65 00 22 00 3A 00 20 00 22 00 25 00 73 00\r\n                22 00 2C 00 20 00 22 00 44 00 6F 00 6D 00 61 00 69 00 6E 00 4E 00 61 00 6D 00 65 00 22 00 3A 00 20 00 22 00\r\n                25 00 73 00 22 00 2C 00 20 00 22 00 4F 00 73 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 22 00 3A 00 20 00\r\n                22 00 25 00 64 00 2E 00 25 00 64 00 2E 00 25 00 64 00 22 00 7D }\r\n        $b1 = \"HostName: %s\" wide fullword\r\n        $b2 = \"DomainName: %s\" wide fullword\r\n        $b3 = \"OsVersion: %d.%d.%d\" wide fullword\r\n        $b4 = \"%s.old\" wide fullword\r\n    condition:\r\n        3 of ($a*) and 2 of ($b*)\r\n}\r\nThe hex string $a3 is the UTF-16LE encoding of the JSON template {\"HostName\": \"%s\", \"DomainName\": \"%s\", \"OsVersion\": \"%d.%d.%d\"}; the text strings are likewise matched in their UTF-16LE (wide) form, and fullword requires that no alphanumeric character directly precedes or follows the match.\r\nFor more information on scanning SEP client computers using custom Yara rules, read this knowledge base article.\r\nIndicators of 
Compromise\r\ndde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc – Windows app\r\naa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 – Windows installer\r\nfad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 – Windows app\r\n59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 – Windows installer\r\n92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 – macOS app\r\n5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 – macOS installer\r\nb86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb – macOS app\r\ne6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec – macOS installer\r\n11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 – Infostealer (d3dcompiler_47.dll)\r\n7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896 – Infostealer (ffmpeg.dll)\r\naa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973 – Infostealer\r\nc485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02 – Infostealer (ffmpeg.dll)\r\nfee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7 – Malicious macOS library (libffmpeg.dylib)\r\na64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67 – Malicious macOS library (libffmpeg.dylib)\r\n210c9882eba94198274ebc787fe8c88311af24932832a7fe1f1ca0261f815c3d – Malicious ICO file (icon0.ico)\r\na541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c – Malicious ICO file (icon1.ico)\r\nd459aa0a63140ccc647e9026bfd1fccd4c310c262a88896c57bbe3b6456bd090 – Malicious ICO file (icon10.ico)\r\nd459aa0a63140ccc647e9026bfd1fccd4c310c262a88896c57bbe3b6456bd090 – Malicious ICO file (icon11.ico; the post lists the same hash as for icon10.ico)\r\nd51a790d187439ce030cf763237e992e9196e9aa41797a94956681b6279d1b9a – Malicious ICO file (icon12.ico)\r\n4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f – Malicious ICO file (icon13.ico)\r\n8c0b7d90f14c55d4f1d0f17e0242efd78fd4ed0c344ac6469611ec72defa6b2d – Malicious ICO file (icon14.ico)\r\nf47c883f59a4802514c57680de3f41f690871e26f250c6e890651ba71027e4d3 – Malicious ICO file (icon15.ico)\r\n2c9957ea04d033d68b769f333a48e228c32bcf26bd98e51310efd48e80c1789f – Malicious ICO file (icon2.ico)\r\n268d4e399dbbb42ee1cd64d0da72c57214ac987efbb509c46cc57ea6b214beca – Malicious ICO file (icon3.ico)\r\nc62dce8a77d777774e059cf1720d77c47b97d97c3b0cf43ade5d96bf724639bd – Malicious ICO file (icon4.ico)\r\nc13d49ed325dec9551906bafb6de9ec947e5ff936e7e40877feb2ba4bb176396 – Malicious ICO file (icon5.ico)\r\nf1bf4078141d7ccb4f82e3f4f1c3571ee6dd79b5335eb0e0464f877e6e6e3182 – Malicious ICO file (icon6.ico)\r\n2487b4e3c950d56fb15316245b3c51fbd70717838f6f82f32db2efcc4d9da6de – Malicious ICO file (icon7.ico)\r\ne059c8c8b01d6f3af32257fc2b6fe188d5f4359c308b3684b1e0db2071c3425c – Malicious ICO file (icon8.ico)\r\nd0f1984b4fe896d0024533510ce22d71e05b20bad74d53fae158dc752a65782e – Malicious ICO file (icon9.ico)\r\nakamaicontainer[.]com\r\nakamaitechcloudservices[.]com\r\nazuredeploystore[.]com\r\nazureonlinecloud[.]com\r\nazureonlinestorage[.]com\r\ndunamistrd[.]com\r\nglcloudservice[.]com\r\njournalide[.]org\r\nmsedgepackageinfo[.]com\r\nmsstorageazure[.]com\r\nmsstorageboxes[.]com\r\nofficeaddons[.]com\r\nofficestoragebox[.]com\r\npbxcloudeservices[.]com\r\npbxphonenetwork[.]com\r\npbxsources[.]com\r\nqwepoi123098[.]com\r\nsbmsa[.]wiki\r\nsourceslabs[.]com\r\nvisualstudiofactory[.]com\r\nzacharryblogs[.]com\r\nraw.githubusercontent[.]com/IconStorages/images/main/\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack
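The Yara rule in the Protection section above can be exercised without yara-python. The following Python is an added example written for this page, not Symantec's code: it decodes the $a3 hex string to the UTF-16LE JSON template it encodes, searches the text strings in their wide form, applies a simplified fullword check (an assumption: it inspects only the low byte of the neighbouring code unit, which is adequate for these ASCII patterns but is not a full YARA implementation), and evaluates the 3 of ($a*) and 2 of ($b*) condition over two constructed buffers, one that should match and one where the same strings sit inside longer words so fullword rejects them.

```python
# Added example, not code from the Symantec post: evaluate the icon_3cx_stealer
# rule above without yara-python, to show what its wide strings and $a3 hex
# pattern actually match and how the condition combines them. The buffers at the
# bottom are constructed, not bytes from the real infostealer.
BS = chr(92)  # one backslash, written as chr() so this block needs no escapes

# The rule's text strings as plain str. $a2 is written in the rule with doubled
# backslashes (YARA escaping); in the file each pair is a single backslash.
A_TEXT = {
    'a1': '******************************** %s ******************************',
    'a2': BS + '3CXDesktopApp' + BS + 'config.json',
}
B_TEXT = {
    'b1': 'HostName: %s',
    'b2': 'DomainName: %s',
    'b3': 'OsVersion: %d.%d.%d',
    'b4': '%s.old',
}

# $a3 is a hex string with every second byte 00: UTF-16LE text. The rule stops
# at 7D, the low byte of the closing brace, so the decoder pads one byte.
A3_HEX = ('7B 00 22 00 48 00 6F 00 73 00 74 00 4E 00 61 00 6D 00 65 00 22 00 3A 00 20 00 22 00 25 00 73 00 '
          '22 00 2C 00 20 00 22 00 44 00 6F 00 6D 00 61 00 69 00 6E 00 4E 00 61 00 6D 00 65 00 22 00 3A 00 20 00 22 00 '
          '25 00 73 00 22 00 2C 00 20 00 22 00 4F 00 73 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 22 00 3A 00 20 00 '
          '22 00 25 00 64 00 2E 00 25 00 64 00 2E 00 25 00 64 00 22 00 7D')
A3_BYTES = bytes.fromhex(A3_HEX)


def a3_as_text():
    return (A3_BYTES + bytes(len(A3_BYTES) % 2)).decode('utf-16-le')


def wide(s):
    # YARA wide modifier: the string is searched in its UTF-16LE form.
    return s.encode('utf-16-le')


def find_fullword_wide(buf, pattern):
    # YARA fullword: no alphanumeric character directly before or after the
    # match. For wide strings YARA inspects the neighbouring 2-byte code unit;
    # this simplified check (an assumption, fine for ASCII patterns like these)
    # treats a code unit as alphanumeric when its low byte is and its high byte is 0.
    start = 0
    while True:
        i = buf.find(pattern, start)
        if i < 0:
            return False
        before_ok = i < 2 or not (buf[i - 2:i - 1].isalnum() and buf[i - 1] == 0)
        j = i + len(pattern)
        after_ok = j + 1 >= len(buf) or not (buf[j:j + 1].isalnum() and buf[j + 1] == 0)
        if before_ok and after_ok:
            return True
        start = i + 2


def evaluate_rule(buf):
    # Mirror the condition 3 of ($a*) and 2 of ($b*); hex strings have no fullword.
    a_hits = {k: find_fullword_wide(buf, wide(v)) for k, v in A_TEXT.items()}
    a_hits['a3'] = A3_BYTES in buf
    b_hits = {k: find_fullword_wide(buf, wide(v)) for k, v in B_TEXT.items()}
    matched = sum(a_hits.values()) >= 3 and sum(b_hits.values()) >= 2
    return matched, a_hits, b_hits


def wide_cstr(s):
    # A NUL-terminated UTF-16LE string, as a Windows binary stores it.
    return wide(s) + bytes(2)


# Constructed positive: $a1, $a2, $a3, $b1 and $b4 present as whole strings.
POSITIVE_SAMPLE = (bytes(16) + wide_cstr(A_TEXT['a1']) + wide_cstr(A_TEXT['a2'])
                   + A3_BYTES + bytes(3) + wide_cstr(B_TEXT['b1'])
                   + wide_cstr(B_TEXT['b4']) + bytes(16))

# Constructed negative: the same bytes, but $a2 and $b1 sit inside longer words,
# so fullword rejects them and the counts drop to 2 of $a and 1 of $b.
NEGATIVE_SAMPLE = (bytes(16) + wide_cstr(A_TEXT['a1'])
                   + wide_cstr('x' + A_TEXT['a2'] + 'y') + A3_BYTES + bytes(3)
                   + wide_cstr('Old' + B_TEXT['b1']) + wide_cstr(B_TEXT['b4'])
                   + bytes(16))

if __name__ == '__main__':
    print(a3_as_text())
    for name, buf in (('positive', POSITIVE_SAMPLE), ('negative', NEGATIVE_SAMPLE)):
        print(name, evaluate_rule(buf))
```

The simplified fullword handling is the main place this differs from YARA itself. Treat it as a way to read the rule; for actual scanning use the rule with YARA or SEP as the post describes.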
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/3cx-supply-chain-attack"
	],
	"report_names": [
		"3cx-supply-chain-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434458,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20fbfd56b8bfba363e973bf91e73147ada4c4ae4.pdf",
		"text": "https://archive.orkl.eu/20fbfd56b8bfba363e973bf91e73147ada4c4ae4.txt",
		"img": "https://archive.orkl.eu/20fbfd56b8bfba363e973bf91e73147ada4c4ae4.jpg"
	}
}