{
	"id": "e3a6c000-fb78-4dcd-a280-1accdeb28fe9",
	"created_at": "2026-04-06T00:11:51.365147Z",
	"updated_at": "2026-04-10T13:11:55.397818Z",
	"deleted_at": null,
	"sha1_hash": "259982a7a9c9a87cb7c909abe2a723a7fe3c9cfa",
	"title": "3CX Breach Was a Double Supply Chain Compromise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 304230,
	"plain_text": "3CX Breach Was a Double Supply Chain Compromise\r\nPublished: 2023-04-21 · Archived: 2026-04-02 11:48:22 UTC\r\nWe learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider\r\n3CX. The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using\r\nlegions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer;\r\nmalware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain\r\nattacks nested within earlier supply chain attacks.\r\nResearchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware\r\nmasquerading as a PDF file.\r\nhttps://krebsonsecurity.com/2023/04/3cx-breach-was-a-double-supply-chain-compromise/\r\nPage 1 of 5\n\nIn late March 2023, 3CX disclosed that its desktop applications for both Windows and macOS were\r\ncompromised with malicious code that gave attackers the ability to download and run code on all machines where\r\nthe app was installed. 
3CX says it has more than 600,000 customers and 12 million users in a broad range of\r\nindustries, including aerospace, healthcare and hospitality.\r\n3CX hired incident response firm Mandiant, which released a report on Wednesday that said the compromise\r\nbegan in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier\r\nsoftware supply chain compromise that began with a tampered installer for X_TRADER, a software package\r\nprovided by Trading Technologies.\r\n“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain\r\nattack,” reads the April 20 Mandiant report.\r\nMandiant found the earliest evidence of compromise uncovered within 3CX’s network was through the VPN\r\nusing the employee’s corporate credentials, two days after the employee’s personal computer was compromised.\r\n“Eventually, the threat actor was able to compromise both the Windows and macOS build environments,” 3CX\r\nsaid in an April 20 update on their blog.\r\nMandiant concluded that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group\r\nknown as Lazarus, a determination that was independently reached earlier by researchers at Kaspersky Lab and\r\nElastic Security.\r\nMandiant found the compromised 3CX software would download malware that sought out new instructions by\r\nconsulting encrypted icon files hosted on GitHub. The decrypted icon files revealed the location of the malware’s\r\ncontrol server, which was then queried for a third stage of the malware compromise — a password stealing\r\nprogram dubbed ICONICSTEALER.\n\nThe double supply chain compromise that led to malware being pushed out to some 3CX customers. 
Image:\r\nMandiant.\r\nMeanwhile, the security firm ESET today published research showing remarkable similarities between the\r\nmalware used in the 3CX supply chain attack and Linux-based malware that was recently deployed via fake job\r\noffers from phony executive profiles on LinkedIn. The researchers said this was the first time Lazarus had been\r\nspotted deploying malware aimed at Linux users.\r\nAs reported in a series last summer here, LinkedIn has been inundated this past year by fake executive profiles for\r\npeople supposedly employed at a range of technology, defense, energy and financial companies. In many cases,\r\nthe phony profiles spoofed chief information security officers at major corporations, and some attracted quite a\r\nfew connections before their accounts were terminated.\r\nMandiant, Proofpoint and other experts say Lazarus has long used these bogus LinkedIn profiles to lure targets\r\ninto opening a malware-laced document that is often disguised as a job offer. This ongoing North Korean\r\nespionage campaign using LinkedIn was first documented in August 2020 by ClearSky Security, which said the\r\nLazarus group operates dozens of researchers and intelligence personnel to maintain the campaign globally.\n\nMicrosoft Corp., which owns LinkedIn, said in September 2022 that it had detected a wide range of social\r\nengineering campaigns using a proliferation of phony LinkedIn accounts. Microsoft said the accounts were used\r\nto impersonate recruiters at technology, defense and media companies, and to entice people into opening a\r\nmalicious file. Microsoft found the attackers often disguised their malware as legitimate open-source software like\r\nSumatra PDF and the SSH client Putty.\r\nMicrosoft attributed those attacks to North Korea’s Lazarus hacking group, although they’ve traditionally referred\r\nto this group as “ZINC”. 
That is, until earlier this month, when Redmond completely revamped the way it names\r\nthreat groups; Microsoft now references ZINC as “Diamond Sleet.”\r\nThe ESET researchers said they found a new fake job lure tied to an ongoing Lazarus campaign on LinkedIn\r\ndesigned to compromise Linux operating systems. The malware was found inside of a document that offered an\r\nemployment contract at the multinational bank HSBC.\r\n“A few weeks ago, a native Linux payload was found on VirusTotal with an HSBC-themed PDF lure,” wrote\r\nESET researchers Peter Kalnai and Marc-Etienne M.Leveille. “This completes Lazarus’s ability to target all\r\nmajor desktop operating systems. In this case, we were able to reconstruct the full chain, from the ZIP file that\r\ndelivers a fake HSBC job offer as a decoy, up until the final payload.”\r\nESET said the malicious PDF file used in the scheme appeared to have a file extension of “.pdf,” but that this was\r\na ruse. ESET discovered that the dot in the filename wasn’t a normal period but instead a Unicode character\r\n(U+2024) representing a “leader dot,” which is often used in tables of contents to connect section headings with\r\nthe page numbers on which those sections begin.\r\n“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as\r\nan executable instead of a PDF,” the researchers continued. “This could cause the file to run when double-clicked\r\ninstead of opening it with a PDF viewer.”\r\nESET said anyone who opened the file would see a decoy PDF with a job offer from HSBC, but in the\r\nbackground the executable file would download additional malware payloads. 
The ESET team also found the\r\nmalware was able to manipulate the program icon displayed by the malicious PDF, possibly because fiddling with\r\nthe file extension could cause the user’s system to display a blank icon for the malware lure.\r\nKim Zetter, a veteran Wired.com reporter and now independent security journalist, interviewed Mandiant\r\nresearchers who said they expect “many more victims” will be discovered among the customers of Trading\r\nTechnologies and 3CX now that news of the compromised software programs is public.\r\n“Mandiant informed Trading Technologies on April 11 that its X_Trader software had been compromised, but the\r\nsoftware maker says it has not had time to investigate and verify Mandiant’s assertions,” Zetter wrote in her Zero\r\nDay newsletter on Substack. For now, it remains unclear whether the compromised X_Trader software was\r\ndownloaded by people at other software firms.\r\nIf there’s a silver lining here, the X_Trader software had been decommissioned in April 2020 — two years before\r\nthe hackers allegedly embedded malware in it.\n\n“The company hadn’t released new versions of the software since that time and had stopped providing support for\r\nthe product, making it a less-than-ideal vector for the North Korean hackers to infect customers,” Zetter wrote.\r\nSource: https://krebsonsecurity.com/2023/04/3cx-breach-was-a-double-supply-chain-compromise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2023/04/3cx-breach-was-a-double-supply-chain-compromise/"
	],
	"report_names": [
		"3cx-breach-was-a-double-supply-chain-compromise"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434311,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/259982a7a9c9a87cb7c909abe2a723a7fe3c9cfa.pdf",
		"text": "https://archive.orkl.eu/259982a7a9c9a87cb7c909abe2a723a7fe3c9cfa.txt",
		"img": "https://archive.orkl.eu/259982a7a9c9a87cb7c909abe2a723a7fe3c9cfa.jpg"
	}
}