{
	"id": "dd9a92be-48e6-49a1-876e-4741be5d0137",
	"created_at": "2026-04-06T00:11:30.316228Z",
	"updated_at": "2026-04-10T03:21:57.27686Z",
	"deleted_at": null,
	"sha1_hash": "6f86532c7ebf174f48ba45d420151e5c805fc2e9",
	"title": "3CX supply chain attack analysis | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5103436,
	"plain_text": "3CX supply chain attack analysis | ThreatLabz\r\nBy Rohit Hegde, Niraj Shivtarkar, Meghraj Nandanwar\r\nPublished: 2023-03-31 · Archived: 2026-04-05 20:33:42 UTC\r\nInfection Chain\r\nFig.2 - Infection Chain\r\nThe infection chain begins with the software update routine: 3CXDesktopApp runs “Update.exe --update” from its bundle to fetch updates. That routine then downloads the validly signed but malicious 3CX MSI installer and the affected 3CX Mac application as an update package onto the victim's machine, as shown in the screenshot below.\r\nFig.3 - Requests to the 3CX domain to download the affected 3CX MSI installer v18.12.416 & 3CX Mac App v18.12.416 as an update package\r\nIn this blog, we look at the affected, validly signed 3CX MSI installer version 18.12.416, named “3CXDesktopApp-18.12.416.msi”, which was signed on March 13, 2023.\r\nhttps://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023\r\nPage 1 of 11\r\nFig.4 - Signed 3CX MSI Installer\r\nOn execution, the 3CX MSI installer extracts multiple files into “AppData\\Local\\Programs\\3CXDesktopApp” and then executes the validly signed 3CXDesktopApp.exe, as shown in the screenshot below.\r\nFig.5 - Execution of 3CXDesktopApp\r\n3CXDesktopApp.exe then side-loads the backdoored, signed DLL named “ffmpeg.dll”: under the Windows DLL search order, a DLL present in the application's own directory is loaded from there in preference to any other copy, as shown in the screenshot.\r\nFig.6 - 3CXDesktopApp sideloads the backdoored “ffmpeg.dll”\r\nBased on public reports, the threat actors backdoored ffmpeg.dll by manipulating its source code, which is what made this a supply chain attack.
Once loaded into memory, the malicious “ffmpeg.dll” is tasked with loading d3dcompiler_47.dll, which carries the encrypted second-stage payload. First, its main function creates an event named \"AVMonitorRefreshEvent\" and checks whether that event already existed; if it did, the DLL exits (a single-instance guard).\r\nFig.7 - Main function of ffmpeg.dll\r\nIt then resolves the current path in order to load d3dcompiler_47.dll into memory and checks that the DLL loaded correctly by comparing the starting bytes of the loaded file.\r\nFig.8 - Load d3dcompiler_47.dll and check the starting bytes of the DLL\r\nIn this case the d3dcompiler_47.dll containing the RC4-encrypted shellcode and embedded DLL is validly signed with a Microsoft certificate, as shown in the screenshot below; a signature check alone therefore does not reveal the tampering.\r\nFig.9 - Microsoft signed d3dcompiler_47.dll\r\nFurther along the infection chain, ffmpeg.dll searches the loaded d3dcompiler_47.dll for the marker bytes FE ED FA CE, which mark the encrypted second-stage payload.\r\nFig.10 - Look for the marker bytes (FE ED FA CE) in the loaded d3dcompiler_47.dll\r\nOnce it locates the marker, it uses RC4 decryption with the key “3jB(2bsG#@c7” to decrypt the second-stage payload, which is shellcode with an embedded DLL.
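The marker-and-RC4 stage described above, reimplemented as an added example (this is not the authors' code, nor 3CX's, nor the attackers'): it scans a constructed stand-in for d3dcompiler_47.dll for the FE ED FA CE marker and RC4-decrypts what follows with the key reported on the page. The marker bytes and the key come from the page; the assumptions are that the loader's starting-byte check is a test for the MZ header, that the ciphertext runs from the marker to the end of the file, and that the sample blob and its plaintext are constructed here rather than taken from a real sample.

```python
# Added example: locate and decrypt the RC4-wrapped Stage-2 blob the
# backdoored ffmpeg.dll reads out of d3dcompiler_47.dll. The marker
# bytes and RC4 key are the ones reported on the page; the file
# layout after the marker and the MZ check are assumptions.
STAGE2_MARKER = bytes.fromhex('feedface')   # FE ED FA CE
RC4_KEY = b'3jB(2bsG#@c7'


def rc4(key, data):
    # Textbook RC4: key scheduling, then the PRGA keystream XORed over
    # data. RC4 is symmetric, so one routine encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def find_stage2(blob):
    # Mirrors the loader's steps: sanity-check that what was loaded is
    # a PE (assumed here to be the starting-byte check the page
    # mentions), find the marker, decrypt everything after it.
    if blob[:2] != b'MZ':
        return None
    pos = blob.find(STAGE2_MARKER)
    if pos < 0:
        return None
    return rc4(RC4_KEY, blob[pos + len(STAGE2_MARKER):])


# Constructed stand-in for the tampered DLL: a fake PE header, filler
# standing in for the signed Microsoft code, then the marker and an
# RC4-encrypted fake Stage-2 (NOT the real shellcode).
SAMPLE_STAGE2 = b'fake-stage2-shellcode->DllGetClassObject'


def build_sample():
    pe_stub = b'MZ' + bytes(62) + b'PE' + bytes(200)
    return pe_stub + STAGE2_MARKER + rc4(RC4_KEY, SAMPLE_STAGE2)


def scan_file(path):
    # Hunting helper: run the same extraction over a file on disk.
    with open(path, 'rb') as fh:
        return find_stage2(fh.read())


if __name__ == '__main__':
    recovered = find_stage2(build_sample())
    print('recovered Stage-2 matches:', recovered == SAMPLE_STAGE2)
```

Pointed at the d3dcompiler_47.dll shipped in the affected installer, scan_file() yields the Stage-2 shellcode for further analysis; a clean Microsoft copy should return None because the marker is absent, which makes the marker scan a cheaper and more reliable triage check than the Authenticode signature, which the page shows remains valid on the tampered file.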
The shellcode is responsible for calling the export “DllGetClassObject” of the second-stage DLL, which executes and downloads the next-stage payload.\r\nFig.11 - Decryption of second stage payload\r\nFig.12 - Decrypted second stage payload\r\nThe Stage-2 DLL then downloads icon files from the GitHub repository shown below. In some cases we observed the decrypted second-stage DLL sleeping for more than 7 days before communicating with the C2 server, long enough to outlast a typical sandbox detonation window.\r\nFig.13 - Second Stage payload downloads icon files from GitHub Repository\r\nThe GitHub repository holds multiple icon files, shown below, which the Stage-2 DLL downloads.\r\nFig.14 - Github Repository hosting multiple icon files.\r\nThe Stage-2 DLL then reads each icon file, parses the encrypted string appended at the end of the downloaded file, and passes it to the ico_decryption() function.\r\nFig.15 - Parsing of the Encrypted string in the ICON File\r\nThe encrypted string from the icon file is base64-decoded and then passed to a decryption routine, as shown in the screenshot below. The decrypted string in this case is the C2 URL: https[:]//glcloudservice[.]com/v1/console\r\nFig.16 - Decryption of C2 URL from the encrypted string parsed via the ICON File\r\nThe malware then performs HTTPS requests to the C2 URL, as seen in the Zscaler Cloud and shown in the screenshot below.\r\nFig.17 - HTTPS Requests to the C2 URL seen in the Zscaler Cloud\r\nAt the time of analysis the C2 domains were down.
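The icon-trailer step described above, as an added example (not the authors' code and not the malware's): it parses the ICO directory to find where the last image ends, treats whatever follows as the appended string, and base64-decodes it, which is the data the Stage-2 DLL hands to its decryption routine. The page does not name that cipher, so the example stops at the base64 layer. It generalises slightly beyond the page by handling multi-image icon directories and truncated or malformed entries. The sample icon and the bytes appended to it are constructed here, and the function names are the example's own.

```python
# Added example: pull the string appended past the end of an .ico
# file, the way the Stage-2 DLL does before base64-decoding it.
# The ICO layout (ICONDIR + ICONDIRENTRY records) is the documented
# Windows format; the sample icon and appended bytes are constructed.
import base64
import struct

ICONDIR_FMT = '<HHH'            # idReserved, idType, idCount
ICONDIRENTRY_FMT = '<BBBBHHII'  # w, h, colors, reserved, planes, bpp, size, offset
ICONDIR_SIZE = 6
ICONDIRENTRY_SIZE = 16


def ico_trailer(data):
    # Walk the icon directory, compute where the last image ends, and
    # return the bytes beyond it (None if not an ICO or nothing appended).
    if len(data) < ICONDIR_SIZE:
        return None
    reserved, kind, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        return None
    end = ICONDIR_SIZE + ICONDIRENTRY_SIZE * count
    if end > len(data):
        return None
    for n in range(count):
        entry = struct.unpack_from(ICONDIRENTRY_FMT, data, ICONDIR_SIZE + ICONDIRENTRY_SIZE * n)
        size, offset = entry[6], entry[7]
        if offset + size > len(data):
            return None          # truncated or malformed directory entry
        end = max(end, offset + size)
    trailer = data[end:]
    return trailer if trailer else None


def extract_encrypted_string(data):
    # Base64-decode the trailer; the result is what the DLL feeds to its
    # decryption routine (cipher not given on the page, so not modelled).
    trailer = ico_trailer(data)
    if trailer is None:
        return None
    try:
        return base64.b64decode(trailer.strip(), validate=True)
    except ValueError:
        return None


# Constructed 1x1 icon with a dummy image body (not a real bitmap) and,
# in the tampered variant, a constructed base64 blob standing in for
# the encrypted C2 string.
SAMPLE_CIPHERTEXT = b'constructed-encrypted-c2-string-bytes'


def build_icon(tampered):
    image = bytes(40)            # placeholder image payload
    offset = ICONDIR_SIZE + ICONDIRENTRY_SIZE
    header = struct.pack(ICONDIR_FMT, 0, 1, 1)
    entry = struct.pack(ICONDIRENTRY_FMT, 1, 1, 0, 0, 1, 32, len(image), offset)
    icon = header + entry + image
    if tampered:
        icon += base64.b64encode(SAMPLE_CIPHERTEXT)
    return icon


def scan_icon_file(path):
    # Hunting helper: flag icons carrying data beyond their image data.
    with open(path, 'rb') as fh:
        return extract_encrypted_string(fh.read())


if __name__ == '__main__':
    print('clean icon  ->', extract_encrypted_string(build_icon(False)))
    print('tampered    ->', extract_encrypted_string(build_icon(True)))
```

Run over the icons from the repository above, scan_icon_file() separates the appended blob from the legitimate image data and returns None for an icon with nothing appended, so the same parser doubles as a hunting check for icon files repurposed as dead-drop resolvers.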
The expected response would be JSON containing encrypted data, which is decrypted by the decryption routine before the final payload is executed on the infected machine.\r\nBased on the blog published by SentinelOne, the final payload delivered to target machines in this supply chain attack was an infostealer with capabilities such as collecting system information and browser information, including saved credentials from Brave, Chrome, Edge, and Firefox.\r\nSource: https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023"
	],
	"report_names": [
		"3CX-supply-chain-attack-analysis-march-2023"
	],
	"threat_actors": [],
	"ts_created_at": 1775434290,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f86532c7ebf174f48ba45d420151e5c805fc2e9.pdf",
		"text": "https://archive.orkl.eu/6f86532c7ebf174f48ba45d420151e5c805fc2e9.txt",
		"img": "https://archive.orkl.eu/6f86532c7ebf174f48ba45d420151e5c805fc2e9.jpg"
	}
}