{
	"id": "1e2eb234-2b94-47ed-9fb9-e6526fe21bd2",
	"created_at": "2026-04-06T00:21:46.340122Z",
	"updated_at": "2026-04-10T13:12:42.103969Z",
	"deleted_at": null,
	"sha1_hash": "4b21f09c123878360411e88d5e063a9458c59ca2",
	"title": "X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46988,
	"plain_text": "X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe\r\nArchived: 2026-04-05 18:05:13 UTC\r\nThe X_Trader software supply chain attack affected more organizations than 3CX. Initial investigation by Symantec’s Threat Hunter Team has, to date, found that among the victims are two critical infrastructure organizations in the energy sector, one in the U.S. and the other in Europe. In addition to this, two other organizations involved in financial trading were also breached.\r\nAs reported yesterday by Mandiant, Trojanized X_Trader software was the cause of the 3CX breach, which was uncovered last month. As a result of this breach, 3CX’s software was compromised, with many customers inadvertently downloading malicious versions of the company’s voice and video calling software DesktopApp. In addition to wider victims, Symantec has also discovered additional indicators of compromise, listed below.\r\nIt appears likely that the X_Trader supply chain attack is financially motivated, since Trading Technologies, the developer of X_Trader, facilitates futures trading, including energy futures. Nevertheless, the compromise of critical infrastructure targets is a source of concern. North Korean-sponsored actors are known to engage in both espionage and financially motivated attacks, and it cannot be ruled out that strategically important organizations breached during a financial campaign are targeted for further exploitation.\r\nMalicious Installer\r\nThe infection chain starts with the Trojanized installer named X_TRADER_r7.17.90p608.exe (SHA256: 900b63ff9b06e0890bf642bdfcbfcc6ab7887c7a3c057c8e3fd6fba5ffc8e5d6), which is digitally signed by \"Trading Technologies International, Inc.\" and contains a malicious executable named Setup.exe. Our analysis of one version of this executable (SHA256: aa318070ad1bf90ed459ac34dc5254acc178baff3202d2ea7f49aaf5a055dd43) found that when executed, it examined the file named X_TRADER-ja.mst (also contained in the installer) for the following marker bytes at hardcoded offset 0x167000:\r\n5E DA F3 76\r\nIf the marker bytes are present, it creates a folder named:\r\nC:\\Programdata\\TPM\r\nIt then copies the file C:\\Windows\\Sysnative\\immersivetpmvscmgrsvr.exe to the new folder as C:\\Programdata\\TPM\\TpmVscMgrSvr.exe.\r\nNext, it will drop two malicious DLLs:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain\r\nPage 1 of 4\n\nC:\\Programdata\\TPM\\winscard.dll (SHA256: cc4eedb7b1f77f02b962f4b05278fa7f8082708b5a12cacf928118520762b5e2)\r\nC:\\Programdata\\TPM\\msvcr100.dll (SHA256: d937e19ccb3fd1dddeea3eaaf72645e8cd64083228a0df69c60820289b1aa3c0)\r\nThe content of the dropped files is generated by decrypting chunks of the file X_TRADER-ja.mst mentioned earlier using the XOR algorithm with the following key:\r\n74 F2 39 DA E5 CF\r\nTo achieve persistence on the victim’s system, the malware invokes a CLSID_TaskScheduler COM object, possibly to create a scheduled task that periodically runs the following file:\r\nC:\\Programdata\\TPM\\TpmVscMgrSvr.exe\r\nSetup.exe then drops a file named X_TRADER.exe, also contained within the installer. The content of the dropped file is generated by decrypting chunks from one of its own portable executable resources starting at hardcoded offset 0x1CB40 using the XOR algorithm with the following key:\r\n74 F2 39 DA E5 CF\r\nSetup.exe will then execute X_TRADER.exe before deleting itself.\r\nBackdoor Installation\r\nOnce installed, the legitimate X_Trader executable side-loads the two malicious DLLs dropped by the installer. The first, winscard.dll, acts as a loader and contains code that will load and execute a payload from the second (msvcr100.dll). The msvcr100.dll file contains an encrypted blob appended to the file. The blob starts with the hex value FEEDFACE, which the loader uses to find the blob.\r\nThe process for payload installation is almost identical to that seen with the Trojanized 3CX app, where two side-loaded DLLs are used to extract a payload from an encrypted blob.\r\nIn this attack, the payload extracted is a modular backdoor called Veiledsignal (SHA256: e185c99b3d1085aed9fda65a9774abd73ecf1229f14591606c6c59e9660c4345). Veiledsignal contains another DLL (SHA256: 19442d9e476e3ef990ce57b683190301e946ccb28fc88b69ab53a93bf84464ae), which is a process-injection module. This can be injected into the Chrome, Firefox, or Edge web browsers. The module contains a second DLL (SHA256: f8c370c67ffb3a88107c9022b17382b5465c4af3dd453e50e4a0bd3ae9b012ce), which is a command-and-control (C\u0026C) module. It connects to the following C\u0026C URL:\r\nhttps://www.tradingtechnologies.com/trading/order-management\r\nHydra-like Campaign\r\nThe discovery that 3CX was breached by another, earlier supply chain attack made it highly likely that further organizations would be impacted by this campaign, which now transpires to be far more wide-ranging than originally believed. The attackers behind these breaches clearly have a successful template for software supply chain attacks, and further, similar attacks cannot be ruled out.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain"
	],
	"report_names": [
		"xtrader-3cx-supply-chain"
	],
	"threat_actors": [],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b21f09c123878360411e88d5e063a9458c59ca2.pdf",
		"text": "https://archive.orkl.eu/4b21f09c123878360411e88d5e063a9458c59ca2.txt",
		"img": "https://archive.orkl.eu/4b21f09c123878360411e88d5e063a9458c59ca2.jpg"
	}
}