{
	"id": "b1876383-1f60-47b3-8773-9afe12cccebd",
	"created_at": "2026-04-06T00:14:11.553056Z",
	"updated_at": "2026-04-10T03:20:33.025499Z",
	"deleted_at": null,
	"sha1_hash": "2cadb7d51fe54028a874009181e8a305bd8a075a",
	"title": "3CX SmoothOperator | 3CXDesktopApp in Supply Chain Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6867457,
	"plain_text": "3CX SmoothOperator | 3CXDesktopApp in Supply Chain Attack\r\nBy Juan Andrés Guerrero-Saade\r\nPublished: 2023-03-29 · Archived: 2026-04-05 15:49:02 UTC\r\nBy Juan Andres Guerrero-Saade, Asaf Gilboa, David Acs, James Haughom, Phil Stokes \u0026 SentinelLabs\r\nExecutive Summary\r\nAs of Mar 22, 2023 SentinelOne began to see a spike in behavioral detections of the 3CXDesktopApp, a popular\r\nvoice and video conferencing software product categorized as a Private Automatic Branch Exchange (PABX)\r\nplatform.\r\nBehavioral detections prevented these trojanized installers from running and led to immediate default quarantine.\r\nThe trojanized 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with\r\nbase64 data from Github and ultimately leads to a 3rd stage infostealer DLL still being analyzed as of the time of\r\nwriting.\r\nThe compromise includes a code signing certificate used to sign the trojanized binaries.\r\nOur investigation into the threat actor behind this supply chain is ongoing. The threat actor has registered a sprawling\r\nset of infrastructure starting as early as February 2022, but we don’t yet see obvious connections to existing threat\r\nclusters.\r\nMarch 30th, 2023: We have updated our IOCs with contributions from the research community.\r\nMarch 30th, 2023: We can confirm that the macOS installer is trojanized, as reported by Patrick Wardle. We have\r\nidentified the limited deployment of a second-stage payload for Mac infections. We have updated our IOCs to reflect\r\nmacOS components.\r\nApril 24th, 2023: Further technical details added for both Windows and macOS versions of the malware.\r\nBackground\r\n3CXDesktopApp is a voice and video conferencing Private Automatic Branch Exchange (PABX) enterprise call routing\r\nsoftware developed by 3CX, a business communications software company. The company website claims that 3CX has\r\n600,000 customer companies with 12 million daily users. 
3CX lists customer organizations in the following sectors:\r\nAutomotive\r\nFood \u0026 Beverage\r\nHospitality\r\nManaged Information Technology Service Provider (MSP)\r\nManufacturing\r\nhttps://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/\r\nPage 1 of 9\n\nThe 3CX PBX client is available for Windows, macOS, and Linux; there are also mobile versions for Android and iOS, as\r\nwell as a Chrome extension and a Progressive Web App (PWA) browser-based version of the client.\r\nPBX software makes an attractive supply chain target for actors; in addition to monitoring an organization’s\r\ncommunications, actors can modify call routing or broker connections into voice services from the outside. There have been\r\nother instances where actors use PBX and VOIP software to deploy additional payloads, including a 2020 campaign against\r\nDigium VOIP phone systems that exploited a vulnerability in the FreePBX PBX software.\r\nCampaign Overview\r\nAs others have noted, SentinelOne began automatically detecting and blocking the activity over the span of the week, prior\r\nto our active investigation of the campaign.\r\nOur analysis of the malicious installer reveals an interesting multi-stage attack chain. The 3CXDesktopApp application\r\nserves as a shellcode loader with shellcode executed from heap space. The shellcode reflectively loads a DLL, removing the\r\n“MZ” at the start. 
That DLL is in turn called via a named export DllGetClassObject with the following arguments:\r\n1200 2400 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nAppleWebKit/537.36 (KHTML, like Gecko) 3CXDesktopApp/18.11.1197\r\nChrome/102.0.5005.167 Electron/19.1.9 Safari/537.36\"\r\nas well as the size of this User-Agent string.\r\nThis stage will in turn download icon files from a dedicated Github repository:\r\nhttps:\r\nThese ICO files are appended with a chunk of base64 encoded data after a “$” character.\r\nThe malware searches for the “$” and extracts the remaining bytes from the ICO file. These bytes are decoded and\r\ndecrypted, yielding a C\u0026C URL.\r\nWith the decoded C\u0026C server URL, the malware will start its main loop.\r\nThe main loop first builds and encrypts an “initial-run” command for the C\u0026C. It sends this command via an HTTP POST\r\nrequest. From the received JSON, it extracts the value of the “meta” field, which is decrypted in the next step.\r\nThe decrypted payload contains an expiry date which is checked against the current time. Afterwards, it checks the\r\ncommand code and if it is 0xF7DC9 or 0xF7DCA it executes the shellcode inside the payload.\r\nThe shellcode is responsible for reflectively loading a DLL and returning its exported function. In the DLL we observed, the\r\nexport was called DllGetClassObject.\r\nDetails of the Windows Infostealer\r\nThe infostealer is a DLL loaded via the previous DLL. It generates an output that will be exfiltrated by the previous DLL. At\r\nthe beginning of its execution, it calls NetWkstaGetInfo to obtain the computer name and domain name. 
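The ICO stage described above (a valid icon with a $ marker and base64 data appended after the image bytes) is easy to hunt for, because a legitimate ICO has nothing past the image data its directory declares. The following is an added example written for this page, not code from SentinelLabs or from the malware itself: it parses the ICONDIR and ICONDIRENTRY structures to find where the real image data ends, treats anything past that point as suspect, and base64-decodes what follows the $ marker, searching only past the declared image end so a stray $ byte inside pixel data cannot produce a false hit. The page does not describe the decryption that turns the decoded bytes into a C2 URL, so the example stops at the decoded ciphertext. The sample icons (CLEAN_ICO, TROJANIZED_ICO), the SECRET bytes standing in for the encrypted C2 string, and the scan_files helper are all constructed for illustration.

```python
import base64
import struct
import sys

# ICONDIR header: reserved (0), resource type (1 = icon), image count.
ICO_HEADER = struct.Struct('<HHH')
# ICONDIRENTRY: width, height, colors, reserved, planes, bit count, image size, image offset.
ICO_DIR_ENTRY = struct.Struct('<BBBBHHII')


def ico_payload_end(data):
    # Return the offset just past the last image the ICO directory accounts for,
    # or None when the bytes are not a well-formed ICO.
    if len(data) < ICO_HEADER.size:
        return None
    reserved, kind, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        return None
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    for i in range(count):
        entry_off = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        if entry_off + ICO_DIR_ENTRY.size > len(data):
            return None
        *_, size, image_off = ICO_DIR_ENTRY.unpack_from(data, entry_off)
        if image_off + size > len(data):
            return None
        end = max(end, image_off + size)
    return end


def trailing_bytes(data):
    # Number of bytes present after the declared image data; a legitimate icon has none.
    end = ico_payload_end(data)
    if end is None:
        return None
    return len(data) - end


def extract_trailer(data):
    # Recover the appended blob the way the loader does (everything after the $ marker,
    # base64-decoded), but only look past the real image data to avoid false hits.
    end = ico_payload_end(data)
    if end is None or end >= len(data):
        return None
    marker = data.find(b'$', end)
    if marker < 0:
        return None
    try:
        return base64.b64decode(data[marker + 1:].strip(), validate=True)
    except ValueError:
        return None


def build_ico(image_bytes):
    # Minimal single-image ICO wrapper around arbitrary bytes (constructed test data, not a real icon).
    header = ICO_HEADER.pack(0, 1, 1)
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    entry = ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image_bytes), offset)
    return header + entry + image_bytes


# Constructed samples: a clean icon and the same icon with $ plus a base64 blob appended.
# SECRET is an arbitrary placeholder for the encrypted C2 string; decryption is not covered here.
CLEAN_ICO = build_ico(bytes(range(16)))
SECRET = bytes.fromhex('a1b2c3d4e5f60718293a4b5c')
TROJANIZED_ICO = CLEAN_ICO + b'$' + base64.b64encode(SECRET)


def scan_files(paths):
    # Hunting helper: map each on-disk ICO carrying extra data to (extra byte count, decoded blob or None).
    findings = {}
    for path in paths:
        with open(path, 'rb') as fh:
            data = fh.read()
        extra = trailing_bytes(data)
        if extra:
            findings[path] = (extra, extract_trailer(data))
    return findings


if __name__ == '__main__':
    for name, sample in (('clean', CLEAN_ICO), ('trojanized', TROJANIZED_ICO)):
        print(name, 'trailing bytes:', trailing_bytes(sample), 'decoded:', extract_trailer(sample))
    if len(sys.argv) > 1:
        for path, (extra, blob) in scan_files(sys.argv[1:]).items():
            print(path, extra, blob)
```

Run it with no arguments to see the constructed clean and trojanized samples classified; pass one or more .ico paths to apply the same check to files pulled from a suspect repository or from a proxy cache. Trailing data alone is the stronger signal for hunting, since the malware author could change the marker character or the encoding far more cheaply than the ICO format itself.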
It calls\r\nRtlGetVersion to obtain the Windows version and afterwards reads the contents of 3CXDesktopApp\\config.json from\r\nAppData.\r\nThe config, hostname, domain name, and OS version are written to the output buffer.\r\nThe next step of the infostealer is to gather the domain names and webpage titles the victim visited. It targets four browsers\r\n– Chrome, Edge, Brave and Firefox, with each identified by an index.\r\nFor each browser, the malware searches for profiles within the browser’s directory.\r\nOnce a profile has been found, the malware will check if it can access the database containing the browsing history of the\r\nvictim. The following files are targeted within the browser profiles:\r\nThe malware copies the History database and runs one of the following queries on it, depending on the browser:\r\n3CXDesktop macOS Trojan | 1st Stage and 2nd Stage\r\nThe cross-platform malware’s macOS version was initially triaged by independent security researcher Patrick Wardle, who\r\nconcluded that “what it does is a mystery”. As the situation unfolded, SentinelLabs was able to obtain and share the hash of\r\nthe next stage payload, UpdateAgent. 
Analysis of the known UpdateAgent sample sheds little light on the objective of the\r\ncampaign – given that it does little more than gather information from the infected device – but does reveal interesting\r\nindicators for detection and attribution.\r\nThe Trojan is delivered via a maliciously crafted version of libffmpeg.dylib contained within the application bundle’s\r\nElectron Framework folder.\r\n../3CX Desktop App.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib\r\nAt the time of discovery, the app had a valid code signature and was notarized by Apple. The signature and notarization were\r\nrevoked by Apple on March 30th after public reporting of the threat.\r\nThe malicious dylib’s main purpose is to gather environmental information, send this to a C2 server, and to retrieve a 2nd\r\nstage payload, written out as UpdateAgent in the 3CX support folder. A unique identifier encrypted with the XOR key\r\n0x7A is also written out as a hidden file in the same folder as .main_storage.\r\nThe libffmpeg.dylib drops .main_storage and UpdateAgent.\r\nThe macOS trojan contains a hardcoded URL rather than relying on retrieving the C2 from the icon files hosted on Github.\r\nThe dylib and UpdateAgent both create custom URL headers and partially share the same code for doing so.\r\nShared code between UpdateAgent (left) and libffmpeg.dylib (right)\r\nThe second stage UpdateAgent, which self-deletes after execution, collects account information about the victim’s 3CX\r\ninstallation, specifically the Account name and provisioning URL, and sends these to the attacker’s server before exiting.\r\nThe server address is hardcoded and not obfuscated in the executable.\r\nThe address of the attacker’s server is hardcoded in the UpdateAgent binary\r\nUpdateAgent does not contain code for persistence 
nor does it have backdoor capabilities, leading to speculation that a\r\ndifferent 2nd stage is dropped on targets of specific interest. Since the first stage retrieves the second stage every time the\r\ntrojanized 3CXDesktop App is run by the victim, it is entirely possible that a different version of UpdateAgent is delivered\r\nto specific targets of interest. Exactly why the threat actors deliver the 2nd stage to gather further environmental data from\r\ncollateral victims is unclear, since this same data could just as easily have been gathered by the first stage.\r\nmacOS Backdoor | SIMPLESEA and POOLRAT\r\nFurther incident response work at 3CX by Mandiant initially led to identification of a backdoor dubbed SIMPLESEA in the\r\n3CX environment. An update from Mandiant subsequently corrected this analysis and identified the backdoor as POOLRAT,\r\na known Lazarus malware family. According to Mandiant’s analysis, 3CX’s macOS build server was compromised with the\r\nPOOLRAT backdoor using Launch Daemons as a persistence mechanism. The source of this compromise is not yet known.\r\nInterestingly, Apple’s XProtect contains a signature for POOLRAT that was added as long ago as July 2020 in XProtect\r\nversion 2124. This appears to indicate either that the infection of 3CX’s macOS build server occurred prior to that date or\r\nthat XProtect was bypassed by the threat actors. Depending on the version of macOS on the compromised server, bypasses\r\nfor XProtect are known.\r\nSentinelOne Protects Against SmoothOperator\r\nRecommendations\r\nFor SentinelOne customers, no action is needed. 
We’ve provided technical indicators to benefit all potential victims in\r\nhunting for the SmoothOperator campaign.\r\nIndicators of Compromise\r\nNote: we have removed soyoungjun[.]com and convieneonline[.]com as they were linked based on inaccurate information\r\nfrom a passive DNS provider. Thank you to Daniel Gordon for the tip.\r\nWe have also added the full list of URIs decrypted from the ICO files previously referenced. Thanks to Johann Aydinbas for\r\nthe excellent work!\r\nURL github[.]com/IconStorages/images\r\nEmail cliego.garcia@proton[.]me\r\nEmail philip.je@proton[.]me\r\nSHA-1 cad1120d91b812acafef7175f949dd1b09c6c21a\r\nSHA-1 bf939c9c261d27ee7bb92325cc588624fca75429\r\nSHA-1 20d554a80d759c50d6537dd7097fed84dd258b3e\r\nURI https://www.3cx[.]com/blog/event-trainings/\r\nURI https://akamaitechcloudservices[.]com/v2/storage\r\nURI https://azureonlinestorage[.]com/azure/storage\r\nURI https://msedgepackageinfo[.]com/microsoft-edge\r\nURI https://glcloudservice[.]com/v1/console\r\nURI https://pbxsources[.]com/exchange\r\nURI https://msstorageazure[.]com/window\r\nURI https://officestoragebox[.]com/api/session\r\nURI https://visualstudiofactory[.]com/workload\r\nURI https://azuredeploystore[.]com/cloud/services\r\nURI https://msstorageboxes[.]com/office\r\nURI https://officeaddons[.]com/technologies\r\nURI https://sourceslabs[.]com/downloads\r\nURI https://zacharryblogs[.]com/feed\r\nURI https://pbxcloudeservices[.]com/phonesystem\r\nURI https://pbxphonenetwork[.]com/voip\r\nURI https://msedgeupdate[.]net/Windows\r\nmacOS Indicators of Compromise\r\n1st Stage – 
libffmpeg.dylib\r\n137b311737bcba57782a167a8f7cea0872ba7316\r\n2c69d27fadf6244a80449579ab5ce450c0920678\r\n354251ca9476549c391fbd5b87e81a21a95949f4\r\n5b0582632975d230c8f73c768b9ef39669fefa60\r\n6723ee0f25d401154756ffd99f4d27c6a6819b87\r\n769383fc65d1386dd141c960c9970114547da0c2\r\nb2a89eebb5be61939f5458a024c929b169b4dc85\r\ne53e6b08fca672119581c1974e6ba391eed9c010\r\n2nd Stage – UpdateAgent\r\n9e9a5f8d86356796162cee881c843cde9eaedfb3\r\n2nd Stage – URI\r\nhttps://sbmsa[.]wiki/blog/_insert\r\nFile Paths\r\n~/Library/Application Support/3CXDesktop App/.main_storage\r\n~/Library/Application Support/3CXDesktop App/UpdateAgent\r\nSource: https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/"
	],
	"report_names": [
		"smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434451,
	"ts_updated_at": 1775791233,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2cadb7d51fe54028a874009181e8a305bd8a075a.pdf",
		"text": "https://archive.orkl.eu/2cadb7d51fe54028a874009181e8a305bd8a075a.txt",
		"img": "https://archive.orkl.eu/2cadb7d51fe54028a874009181e8a305bd8a075a.jpg"
	}
}