{
	"id": "6fcf59eb-de7d-46d0-b5c9-69f139f72184",
	"created_at": "2026-04-06T00:10:10.457717Z",
	"updated_at": "2026-04-10T03:28:31.561956Z",
	"deleted_at": null,
	"sha1_hash": "78c8c4b4a488fb04e698c965515fea6c4cece65f",
	"title": "Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 198591,
	"plain_text": "Not just an infostealer: Gopuram backdoor deployed through 3CX\r\nsupply chain attack\r\nBy Georgy Kucherin\r\nPublished: 2023-04-03 · Archived: 2026-04-02 10:35:32 UTC\r\nOn March 29, Crowdstrike published a report about a supply chain attack conducted via 3CXDesktopApp, a\r\npopular VoIP program. Since then, the security community has started analyzing the attack and sharing their\r\nfindings. The following has been discovered so far:\r\nThe infection is spread via 3CXDesktopApp MSI installers. An installer for macOS has also been\r\ntrojanized.\r\nThe malicious installation package contains an infected dll library that decrypts a shellcode from the\r\nd3dcompiler_47.dll library’s overlay and executes it.\r\nThe decrypted payload extracts C2 server URLs from icons stored in a GitHub repository (the repository is\r\nremoved).\r\nThe payload connects to one of the C2 servers, downloads an infostealer and starts it.\r\nThe infostealer collects system information and browser history, then sends it to the C2 server.\r\nAs we reviewed available reports on the 3CX attack, we began wondering if the compromise concluded with the\r\ninfostealer or further implants followed. To answer that question, we decided to review the telemetry we had on\r\nthe campaign. On one of the machines, we observed a DLL named guard64.dll, which was loaded into the infected\r\n3CXDesktopApp.exe process. Interestingly enough, we opened an investigation into a case linked to that DLL on\r\nMarch 21, about a week before the supply chain attack was discovered. A DLL with that name was used in recent\r\ndeployments of a backdoor that we dubbed “Gopuram” and had been tracking internally since 2020. Three years\r\nago, we were investigating an infection of a cryptocurrency company located in Southeast Asia. 
During the investigation, we found that Gopuram coexisted on victim machines with AppleJeus, a backdoor attributed to the Korean-speaking threat actor Lazarus.\r\nOver the years, we observed few victims compromised with Gopuram, but the number of infections began to increase in March 2023. As it turned out, the increase was directly related to the 3CX supply chain attack. We found that the threat actor specifically targeted cryptocurrency companies, dropping the following files on infected machines:\r\n- C:\\Windows\\system32\\wlbsctrl.dll, a malicious library (MD5: 9f85a07d4b4abff82ca18d990f062a84);\r\n- C:\\Windows\\System32\\config\\TxR\\\u003cmachine hardware profile GUID\u003e.TxR.0.regtrans-ms, an encrypted shellcode payload.\r\nOnce dropped, wlbsctrl.dll is loaded at every startup by the IKEEXT service via DLL hijacking: the service looks for a wlbsctrl.dll that is not present on a default installation, so a copy planted in System32 is picked up. We further saw DLLs named ualapi.dll and ncobjapi.dll being sideloaded into spoolsv.exe and svchost.exe, respectively.\r\nhttps://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/\r\nPage 1 of 4\r\nThe wlbsctrl.dll library is responsible for decrypting and executing the shellcode stored in the C:\\Windows\\System32\\config\\TxR directory. The decryption is notably performed through the CryptUnprotectData API function (DPAPI), which derives a different encryption key internally on every machine. This makes it difficult for researchers to decrypt the payload from the file alone: without access to the victim machine and its DPAPI keys, a copy of the file cannot be decrypted.\r\nSnippet of the loading function using CryptUnprotectData\r\nThe component loaded by the library is Gopuram’s main module. As mentioned above, its name in the export directory is guard64.dll. The job of the main module is to connect to a C2 server and request commands. The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine. 
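A host-side check for the loader artifacts described above, added here as an example and not code from the report: it runs over Sysmon-style image-load and file-write records and flags wlbsctrl.dll, ualapi.dll or ncobjapi.dll appearing directly in System32, a user-mode process writing a TxR regtrans-ms file, and the catroot2\edb.chk.log path listed among the indicators of compromise at the end of the report. The record shape and the sample events are constructed for this example; the GUID in them is made up.

```python
import ntpath
import re

# DLL names the report saw hijacked or sideloaded from System32, with the host process it observed.
SIDELOADED_DLLS = {
    'wlbsctrl.dll': 'svchost.exe (IKEEXT service)',
    'ualapi.dll': 'spoolsv.exe',
    'ncobjapi.dll': 'svchost.exe',
}
SYSTEM32 = 'c:/windows/system32/'
# The payload file name embeds the machine's hardware profile GUID, so match the shape, not a value.
TXR_PAYLOAD = re.compile(r'^c:/windows/system32/config/txr/\{?[0-9a-f-]{36}\}?\.txr\.0\.regtrans-ms$')
EDB_CHK_LOG = 'c:/windows/system32/catroot2/edb.chk.log'


def norm(path):
    # Compare case-insensitively with forward slashes so the rules need no backslash escaping.
    return path.replace('\\', '/').lower()


def check_event(ev):
    '''Return a (rule, image, target) finding for one record, or None if it is clean.'''
    image, target = norm(ev['image']), norm(ev['target'])
    name = ntpath.basename(target)
    if ev['type'] == 'ImageLoad':
        # Flag these names wherever they sit directly in System32, not only in the host
        # process the report observed: the planted copy is the finding, whoever loads it.
        in_system32 = target.startswith(SYSTEM32) and target.count('/') == 3
        if name in SIDELOADED_DLLS and in_system32:
            return ('sideload:' + name, ev['image'], ev['target'])
        return None
    if ev['type'] in ('FileCreate', 'FileWrite'):
        # Caveat: legitimate registry transaction logs live under config\TxR with exactly this
        # name shape and are written by the kernel (image 'System'), so the path alone is noise.
        # A user-mode writer, which is what Gopuram's Update module is, is worth flagging.
        if TXR_PAYLOAD.match(target) and image != 'system':
            return ('txr-regtrans-written-by-user-process', ev['image'], ev['target'])
        if target == EDB_CHK_LOG:
            return ('driver-output:edb.chk.log', ev['image'], ev['target'])
    return None


def scan(events):
    '''Run check_event over a sequence of records and keep the findings, in input order.'''
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample records (not telemetry from the report); the GUID is invented.
TXR = 'C:\\Windows\\System32\\config\\TxR\\{1f4e1c4b-5e6a-4c33-9b6d-0a1b2c3d4e5f}.TxR.0.regtrans-ms'
SAMPLE_EVENTS = [
    {'type': 'ImageLoad', 'image': 'C:\\Windows\\System32\\svchost.exe', 'target': 'C:\\Windows\\System32\\wlbsctrl.dll'},
    {'type': 'ImageLoad', 'image': 'C:\\Windows\\System32\\spoolsv.exe', 'target': 'C:\\Windows\\System32\\ualapi.dll'},
    {'type': 'ImageLoad', 'image': 'C:\\Windows\\System32\\svchost.exe', 'target': 'C:\\Windows\\System32\\ntdll.dll'},
    {'type': 'FileWrite', 'image': 'System', 'target': TXR},  # kernel writing a real TxR log: benign
    {'type': 'FileWrite', 'image': 'C:\\Windows\\System32\\svchost.exe', 'target': TXR},
    {'type': 'FileWrite', 'image': 'C:\\Windows\\System32\\svchost.exe', 'target': 'C:\\Windows\\System32\\catroot2\\edb.chk.log'},
]

if __name__ == '__main__':
    for rule, image, target in scan(SAMPLE_EVENTS):
        print(rule, image, target)
```

On the sample records the scan yields four findings and stays quiet on the ntdll.dll load and on the kernel's own TxR write. The same logic ports directly to a Sysmon Event ID 7 (ImageLoad) and Event ID 11 (FileCreate) feed; the one decision worth keeping is the writer check on the regtrans-ms path, since the file name by itself matches every healthy machine.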
Gopuram was additionally observed to launch in-memory modules. Just like the implants used in the 3CX campaign, Gopuram’s modules are DLL files that include an export function named DllGetClassObject. We have observed nine modules so far:\r\nModule name: Description\r\nPing: Pings a host specified in the argument.\r\nConnect: Connects to a given host via a socket and waits for the server to send data.\r\nRegistry: Manipulates the registry (lists, adds, deletes and exports keys).\r\nService: Manipulates services (creates, lists, starts, stops and deletes them).\r\nTimestomp: Performs timestomping on files.\r\nInject: Performs payload injection through syscalls by mapping shellcode into a remote process and creating a remote thread.\r\nKDU: Kernel Driver Utility that allows an attacker to bypass driver signature enforcement. The utility is used to load an unsigned driver (MD5: F684E10FF1FFCDD32C62E73A11382896). The driver collects information about installed AV filters and writes it to the C:\\Windows\\System32\\catroot2\\edb.chk.log file.\r\nUpdate: Encrypts a provided payload and writes it to the C:\\Windows\\System32\\config\\TxR\\\u003cmachine hardware profile GUID\u003e.TxR.0.regtrans-ms file.\r\nNet: Partially implements features of the net command: management of users, groups, sessions and network shares.\r\nThe discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence. 
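The DllGetClassObject export shared by Gopuram’s modules and the 3CX implants is also the string behind the 0xF558F4DA loader-hash constant cited in the attribution below. The following Python, added here as an example rather than code from the report, reproduces that constant (ROR13/ADD over each byte, Metasploit-style, with the terminating NUL byte included) and scans a constructed byte blob for its little-endian encoding; the blob is a stand-in, not a real sample.

```python
import struct

MASK32 = 0xFFFFFFFF


def ror32(value, count):
    '''Rotate a 32-bit value right by count bits.'''
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name, terminated=True):
    '''Metasploit-style API hash: for each byte, h = ror32(h, 13) + byte.
    The resolver loop hashes the terminating NUL as well (one more rotate, add 0), which is
    why terminated=True is the form that yields the 0xF558F4DA constant from the report.'''
    data = name.encode('ascii') + (bytes(1) if terminated else b'')
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & MASK32
    return h


def find_hash_constants(blob, names):
    '''Map each export name to the offsets where its hash occurs as a little-endian DWORD in blob,
    which is how the constant sits in the bytes of a mov/cmp immediate inside the loader.'''
    hits = {}
    for name in names:
        needle = struct.pack('<I', ror13_hash(name))
        offsets, start = [], 0
        while True:
            i = blob.find(needle, start)
            if i == -1:
                break
            offsets.append(i)
            start = i + 1
        if offsets:
            hits[name] = offsets
    return hits


# Constructed stand-in for a shellcode dump (not a real sample): NOP filler, the constant
# embedded at offset 16 the way an immediate operand would leave it, then int3 padding.
SAMPLE_BLOB = bytes([0x90]) * 16 + struct.pack('<I', 0xF558F4DA) + bytes([0xCC]) * 12

if __name__ == '__main__':
    print(hex(ror13_hash('DllGetClassObject')))  # 0xf558f4da
    print(find_hash_constants(SAMPLE_BLOB, ['DllGetClassObject', 'LoadLibraryA']))
```

Two details matter when turning this into a rule. The NUL byte is part of the hash: without it the value for DllGetClassObject is 0x1E9B5EAB, and a search for that would miss the loader. And a YARA hex string for the constant must be written in memory order, { DA F4 58 F5 }, not as the number is printed.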
Our attribution is based on the following facts:\r\n- While investigating an attack on a Southeast Asian cryptocurrency company in 2020, we found Gopuram coexisting on the same machine with the AppleJeus backdoor, which is attributed to Lazarus.\r\n- The Gopuram backdoor has been observed in attacks on cryptocurrency companies, which is aligned with the interests of the Lazarus threat actor.\r\n- While looking for additional implants that used the same loader shellcode as the 3CX implants, we discovered a sample on a multiscanner service (MD5: 933508a9832da1150fcfdbc1ca9bc84c) loading a payload that uses the wirexpro[.]com C2 server. The same server is listed as an IoC for an AppleJeus campaign by Malwarebytes.\r\nFirst bytes of the loader shellcode used in 3CX and AppleJeus\r\nNote, though, that the shellcode is based on open-source code that has been used by other threat actors, for example SilentBreak. Still, the use of that shellcode together with the 0xF558F4DA constant (the ROR13 API hash of the string DllGetClassObject, computed Metasploit-style with the terminating null byte included) is a more unique pattern.\r\n- While investigating a malicious MSI file (MD5: ec3f99dd7d9dbce8d704d407b086e84f) that had been uploaded to a multiscanner service, we observed the following two events:\r\n  - The DLL dropped from the MSI was observed to launch an in-memory payload that contacts the oilycargo[.]com domain. 
This domain name has previously been attributed to Lazarus by multiple researchers.\r\n  - In our telemetry, we observed AvBugReport.exe, the executable hosting that DLL, to contain Gopuram’s main module payload, guard64.dll.\r\nThese four facts allow us to conclude that Lazarus is likely the threat actor deploying the Gopuram backdoor.\r\nAs for the victims in our telemetry, installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France.\r\nAs the Gopuram backdoor has been deployed to fewer than ten infected machines, it indicates that the attackers used Gopuram with surgical precision. We additionally observed that the attackers have a specific interest in cryptocurrency companies.\r\nAs it turns out, the infostealer is not the only malicious payload deployed during the 3CX supply chain attack. The threat actor behind Gopuram additionally infects target machines with the full-fledged modular Gopuram backdoor. We believe that Gopuram is the main implant and the final payload in the attack chain. Our investigation of the 3CX campaign is still far from complete. We will continue analyzing the deployed implants to find out more details about the toolset used in the supply chain attack.\r\nGopuram indicators of compromise\r\nMD5 hashes\r\n9f85a07d4b4abff82ca18d990f062a84\r\n96d3bbf4d2cf6bc452b53c67b3f2516a\r\nFile paths\r\nC:\\Windows\\System32\\config\\TxR\\\u003cmachine hardware profile GUID\u003e.TxR.0.regtrans-ms\r\nC:\\Windows\\system32\\catroot2\\edb.chk.log\r\nMore indicators of compromise and YARA rules for detecting Gopuram components are available for TIP subscribers. Contact intelreports@kaspersky.com for more details.\r\nSource: https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/"
	],
	"report_names": [
		"109344"
	],
	"threat_actors": [
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775791711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78c8c4b4a488fb04e698c965515fea6c4cece65f.pdf",
		"text": "https://archive.orkl.eu/78c8c4b4a488fb04e698c965515fea6c4cece65f.txt",
		"img": "https://archive.orkl.eu/78c8c4b4a488fb04e698c965515fea6c4cece65f.jpg"
	}
}