{
	"id": "c7ab16af-3c58-480c-ba99-7d9892d45d3a",
	"created_at": "2026-04-06T00:16:43.63779Z",
	"updated_at": "2026-04-10T03:20:46.106193Z",
	"deleted_at": null,
	"sha1_hash": "792289767890a6dee5bb476a304c8837e7e42e1c",
	"title": "Information on Attacks Involving 3CX Desktop App",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 655079,
	"plain_text": "Information on Attacks Involving 3CX Desktop App\r\nBy: Trend Micro Research Mar 30, 2023 Read time: 7 min (1870 words)\r\nPublished: 2023-03-30 · Archived: 2026-04-05 14:08:37 UTC\r\nMalware\r\nPreventing and Detecting Attacks Involving 3CX Desktop App\r\nIn this blog entry, we provide technical details and analysis on the 3CX attacks as they happen. We also discuss available\r\nsolutions that security teams can use for early detection and to mitigate the impact of 3CX attacks.\r\nUpdated on:\r\nApril 5, 2:39 a.m. EDT: We added Windows, Mac, and network commands to the Trend Micro Vision One™️ guide in\r\nthe linked PDF.\r\nApril 4, 3:29 a.m. EDT: We added Trend Micro XDR filters to the solutions.\r\nApril 3, 2:33 a.m. EDT: We added details on d3dcompiler_47.dll's abuse of CVE-2013-3900 to make it appear\r\nlegitimately signed.\r\nApril 1, 1:50 a.m. EDT: We added a guide on how Vision One can be used to search for potential threats associated\r\nwith the 3CX desktop app.\r\nMarch 31, 11:07 p.m. EDT: We added technical details, an analysis of the info-stealer payload, and information on\r\nTrend Micro XDR capabilities for investigating and mitigating risks associated with the 3CX desktop app.\r\nMarch 31, 3:00 a.m. EDT: We added the execution flow diagram, a link to the Trend Micro support page, and a list of\r\nMac IOCs and detection names.\r\n\r\nIn late March 2023, security researchers revealed that threat actors abused a popular business communication software from\r\n3CX — in particular, the reports mention that a version of the 3CX VoIP (Voice over Internet Protocol) desktop client was\r\nbeing employed to target 3CX's customers as part of an attack.\r\nOn its forums, 3CX has posted an update that recommends uninstalling the desktop app and using the Progressive Web App\r\n(PWA) client instead. 
The company also mentioned that they are working on an update to the desktop app.\r\nFor a more comprehensive scope of protection against possible attacks associated with the 3CX Desktop App, the Trend\r\nMicro XDR platform can help organizations mitigate the impact by collecting and analyzing extensive activity data from\r\nvarious sources. By applying XDR analytics to the data gathered from its native products, Trend Micro XDR generates\r\ncorrelated and actionable alerts.  \r\nTrend Micro customers can also take advantage of Trend Micro Vision One™ to search for and monitor potential threats\r\nassociated with the 3CX Desktop App, and to better understand observed attack vectors. For more information on how to\r\nutilize Trend Micro Vision One features, you may download the PDF guide here.\r\nAdditional guidance for Trend Micro customers including help with protection and detection can be found on our support\r\npage.\r\nWhat is the compromised application?\r\nThe 3CX app is a private automatic branch exchange (PABX) software that provides several communication functions for its\r\nusers, including video conferencing, live chat, and call management. The app is available on most major operating systems,\r\nincluding Windows, macOS, and Linux. 
Additionally, the client is available as a mobile application for both Android and\r\niOS devices, while a Chrome extension and the PWA version of the client allow users to access the software through their\r\nbrowsers.\r\nThe issue was said to be limited to the Electron (non-web) versions of the Windows package (versions 18.12.407 and\r\n18.12.416) and macOS clients (versions 18.11.1213, 18.12.402, 18.12.407 and 18.12.416).\r\nAccording to the company’s website, more than 600,000 businesses and over 12 million daily users around the world use\r\n3CX's VoIP IPBX software.\r\nhttps://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html\r\nPage 1 of 8\n\nHow does the attack work?\r\nThe attack is reportedly a multi-stage chain in which the initial step involves a compromised version of the 3CX desktop\r\napp. Based on initial analysis, the MSI package (detected by Trend Micro as Trojan.Win64.DEEFFACE.A and\r\nTrojan.Win64.DEEFFACE.SMA) is the one that is compromised with possible trojanized DLLs, since the .exe file has the\r\nsame name.\r\nThe infection chain begins with 3CXDesktopApp.exe loading ffmpeg.dll (detected as Trojan.Win64.DEEFFACE.A\r\nand Trojan.Win64.DEEFFACE.SMA). Next, ffmpeg.dll reads and decrypts the encrypted code from d3dcompiler_47.dll\r\n(detected as Trojan.Win64.DEEFFACE.A and Trojan.Win64.DEEFFACE.SMD3D).\r\nThe decrypted code seems to be the backdoor payload that tries to access the IconStorages GitHub page to access an ICO file\r\n(detected as Trojan.Win32.DEEFFACE.ICO) containing the encrypted C\u0026C server that the backdoor connects to in order to\r\nretrieve the possible final payload. In addition, d3dcompiler_47.dll also abuses CVE-2013-3900 to make it\r\nappear that it is legitimately signed.\r\nFigure 1. The detailed execution flow and Trend Micro detections of the malicious files. The MSI installer\r\ncontains the .exe and two .dll files. 
The main source of the detection in the MSI installer is \"ffmpeg.dll,\"\r\nwhich is the trojanized DLL.\r\nAs part of its attack routine, it contacts the servers noted in the list of indicators of compromise (IOCs) at the end of this\r\nblog entry. These domains are blocked by the Trend Micro Web Reputation Services (WRS).\r\nUpon execution, the MSI package installer will drop the following files that are related to malicious behavior. Trend Micro\r\nSmart Scan Pattern (cloud-based) TBL 21474.300.40 can detect these files as Trojan.Win64.DEEFFACE.A.\r\n3CXDesktopApp.exe: A normal file that is abused to load the trojanized DLL\r\nffmpeg.dll: A trojanized DLL used to read, load, and execute a malicious shellcode from d3dcompiler_47.dll\r\nd3dcompiler_47.dll: A DLL appended with an encrypted shellcode after the fe ed fa ce hex string\r\nSome conditions are necessary for execution. For example, the sleep timestamp varies depending on the following\r\nconditions: First, it checks if the manifest file is present, as well as if it is using a specified date. If the file is not present or if\r\nit is using the specified date, the timestamp will generate a random number and use the formula rand() % 1800000 + current\r\ndate + 604800 (604,800 is seven days). After the date is computed, the malware will continue its routine.\r\nUpon execution of 3CXDesktopApp.exe, ffmpeg.dll, which seems to be a trojanized or patched DLL, will be loaded. It will\r\nstill contain its normal functionalities, but it will have an added malicious function that reads d3dcompiler_47.dll to locate\r\nan encrypted shellcode after the fe ed fa ce hex strings.\r\nFigure 2. 
Reading \"d3dcompiler_47.dll\" and locating the “fe ed fa ce” hex string\r\nUpon decryption of the malicious shellcode using RC4 with the key 3jB(2bsG#@c7, the shellcode will then try to access the\r\nGitHub repository that houses the ICO files containing the encrypted C\u0026C strings that use Base64 encoding and AES +\r\nGCM encryption at the end of the image.\r\nThese B64 strings seem to be C\u0026C domains that the shellcode tries to connect to for downloading other possible payloads.\r\nHowever, we were unable to confirm the exact nature of these payloads since the GitHub repository\r\n(raw.githubusercontent[.]com/IconStorages/images/main/) had already been taken down at the time of this writing. Note that\r\nthe process exits when the page is inaccessible.\r\nFigure 3. Code snippet showing the hard-coded GitHub repository\r\nFigure 4. An ICO file from the GitHub repository\r\nThe above description applies to the Windows version. The behavior of the Mac version is broadly similar, although it only\r\nuses a subset of the Windows C\u0026C domains.\r\nInfo-stealer payload analysis\r\nBased on our ongoing analysis of attacks on 3CX and the behaviors observed, the following section details what we know so\r\nfar about the payload’s attack vector.\r\nPayloads in investigated 3CX attacks are detected as TrojanSpy.Win64.ICONICSTEALER.THCCABC. Upon analysis of\r\nthe payload named ICONIC Stealer, we discovered that if it is executed using regsvr32.exe as the DLL loader, it will display\r\nthe following system error:\r\nFigure 5. Error displayed upon executing the sample using \"regsvr32.exe\"\r\nMeanwhile, if rundll32.exe is used as the DLL loader, it encounters a WerFault error and displays the following pop-up\r\nmessage:\r\nFigure 6. 
Error displayed if \"rundll32.exe\" is used as the DLL loader\r\nThis indicates that the sample must be loaded by a specific application to proceed to its malicious routine.\r\nICONIC Stealer then checks for a file named config.json under the folder \"3CXDesktopApp.\"\r\nFigure 7. Checking for \"config.json\"\r\nICONIC Stealer was then observed to steal the following system information:\r\nHostName\r\nDomainName\r\nOsVersion\r\nThe gathered data will then be converted into a text-string format.\r\nFigure 8. Converting gathered data into a text-string format\r\nICONIC Stealer then proceeds to its last behavior, which steals browser data. It uses the function shown in Figure 9 to\r\ntraverse the infected system using predefined directories related to the browser’s history and other browser-related\r\ninformation.\r\nFigure 9. Function for traversing the infected system\r\nThe following figure shows a list of predefined strings:\r\nFigure 10. List of predefined strings\r\nThe system directories on the following list compose the targets identified in the partial analysis of the ICONIC Stealer’s\r\nbehavior. More information will be provided as this blog is updated.\r\nAppData\\Local\\Google\\Chrome\\User Data\r\nAppData\\Local\\Microsoft\\Edge\\User Data\r\nAppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\r\nAppData\\Roaming\\Mozilla\\Firefox\\Profiles\r\nBrowser | Target information\r\nChrome | History\r\nEdge | History\r\nBrave | History\r\nFirefox | places.sqlite\r\nTable 1. The targeted section of each browser. 
Note that \"places.sqlite\" stores the annotations, bookmarks, favorite icons, input history, keywords, and\r\nthe browsing history of visited pages for Mozilla Firefox.\r\nICONIC Stealer was also found with the capability to limit the retrieved data to the first five hundred entries to ensure that\r\nthe most recent browser activity is the data that is retrieved:\r\nFigure 11. Limiting data to the first 500 entries\r\n\"UTF-16LE\", 'SELECT url, title FROM urls ORDER BY id DESC LIMIT\r\n\"UTF-16LE\", '500',0\r\n\"UTF-16LE\", 'SELECT url, title FROM moz_places ORDER BY id DESC\r\n\"UTF-16LE\", 'LIMIT 500',0\r\nFigure 12. Retrieved results stored on an allocated buffer\r\nThe gathered data will be passed to the main loader module, which then POSTs it back to the C\u0026C server embedded in the main\r\nmodule.\r\nWhat is its potential impact?\r\nDue to its widespread use and its importance in an organization’s communication system, threat actors can cause major\r\ndamage (for example, by monitoring or rerouting both internal and external communication) to businesses that use this\r\nsoftware.\r\nWhat can organizations do about it?\r\nOrganizations that are potentially affected should stop using the vulnerable version if possible and apply the patches or\r\nmitigation workarounds if these are available. IT and security teams should also scan for confirmed compromised binaries\r\nand builds and monitor for anomalous behavior in 3CX processes, with a particular focus on C\u0026C traffic. 
\r\nMeanwhile, enabling behavioral monitoring in security products can help detect the presence of the attack within the system.\r\nIndicators of Compromise (IOCs)\r\nSHA256 | File name / details | Detection name\r\ndde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc | Installer: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868; 3cxdesktopapp-18.12.407.msi (Windows) | Trojan.Win64.DEEFFACE.A\r\nfad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 | Installer: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 (Windows) | Trojan.Win64.DEEFFACE.A\r\nc485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02 | ffmpeg.dll | Trojan.Win64.DEEFFACE.A\r\n7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896 | ffmpeg.dll | Trojan.Win64.DEEFFACE.A\r\n11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 | d3dcompiler.dll | Trojan.Win64.DEEFFACE.A\r\n4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f |  | Trojan.Win32.DEEFFACE.ICO\r\n8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423 | Stealer | TrojanSpy.Win64.ICONICSTEAL\r\nHere is the list of IOCs for Mac users:\r\nSHA256 | File name | Detection name\r\n5a017652531eebfcef7011c37a04f11621d89084f8f9507201f071ce359bea3f | 3CX Desktop App-darwin-x64-18.11.1213.zip | Trojan.MacOS.FAKE3L3CTRON.A\r\n5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 | 3CXDesktopApp-18.11.1213.dmg | Trojan.MacOS.FAKE3L3CTRON.A\r\nfee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7 | libffmpeg.dylib | Trojan.MacOS.FAKE3L3CTRON.A\r\n5009c7d1590c1f8c05827122172583ddf924c53b55a46826abf66da46725505a | child Mach-O file of libffmpeg.dylib | Trojan.MacOS.FAKE3L3CTRON.A\r\ne6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec | 3CXDesktopApp-18.12.416.dmg | Trojan.MacOS.FAKE3L3CTRON.A\r\na64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67 | libffmpeg.dylib | Trojan.MacOS.FAKE3L3CTRON.A\r\n
87c5d0c93b80acf61d24e7aaf0faae231ab507ca45483ad3d441b5d1acebc43c | child Mach-O file of libffmpeg.dylib | Trojan.MacOS.FAKE3L3CTRON.A\r\nThe following domains are blocked by Trend Micro Web Reputation Services (WRS):\r\nakamaicontainer[.]com\r\nakamaitechcloudservices[.]com\r\nazuredeploystore[.]com\r\nazureonlinecloud[.]com\r\nazureonlinestorage[.]com\r\ndunamistrd[.]com\r\nglcloudservice[.]com\r\njournalide[.]org\r\nmsedgepackageinfo[.]com\r\nmsstorageazure[.]com\r\nmsstorageboxes[.]com\r\nofficeaddons[.]com\r\nofficestoragebox[.]com\r\npbxcloudeservices[.]com\r\npbxphonenetwork[.]com\r\npbxsources[.]com\r\nqwepoi123098[.]com\r\nsbmsa[.]wiki\r\nsourceslabs[.]com\r\nvisualstudiofactory[.]com\r\nzacharryblogs[.]com\r\nTrend Micro XDR uses the following filters to protect customers from 3CX-related attacks:\r\nFilter | ID | OS\r\nCompromised 3CX Application File Indicators | F6669 | macOS, Windows\r\nDLL Sideloading of 3CX Application | F6668 | Windows\r\nWeb Reputation Services Detection for Compromised 3CX Application | F6670 | macOS, Windows\r\nSuspicious Web Access of Possible Compromised 3CX Application | F6673 | Windows\r\nSuspicious DNS Query of Possible Compromised 3CX Application | F6672 | Windows\r\nTrend Micro Malware Detection Patterns for Endpoint, Servers (Apex One, Worry-Free Business Security Services,\r\nWorry-Free Business Security Standard/Advanced, Deep Security with anti-malware, among others), Mail, and\r\nGateway (Cloud App Security, ScanMail for Exchange, IMSVA):\r\nStarting with Trend Micro Smart Scan Pattern (cloud-based) TBL 21474.200.40, known trojanized versions of this\r\napplication are being detected as Trojan.Win64.DEEFFACE.A. 
\r\nThe Mac version of this threat is detected as Trojan.MacOS.FAKE3L3CTRON.A.\r\nSource: https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html"
	],
	"report_names": [
		"information-on-attacks-involving-3cx-desktop-app.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434603,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/792289767890a6dee5bb476a304c8837e7e42e1c.pdf",
		"text": "https://archive.orkl.eu/792289767890a6dee5bb476a304c8837e7e42e1c.txt",
		"img": "https://archive.orkl.eu/792289767890a6dee5bb476a304c8837e7e42e1c.jpg"
	}
}