{
	"id": "f2a9ad93-eae7-4f98-baca-36b31d6f33aa",
	"created_at": "2026-04-06T01:29:33.556908Z",
	"updated_at": "2026-04-10T13:11:31.802293Z",
	"deleted_at": null,
	"sha1_hash": "93e0a5848584c5e9e6b5b6c3500445d87a987938",
	"title": "Cyble - A Comprehensive Analysis of the 3CX Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1942293,
	"plain_text": "Cyble - A Comprehensive Analysis of the 3CX Attack\r\nBy cybleinc\r\nPublished: 2023-03-31 · Archived: 2026-04-06 00:31:50 UTC\r\nCyble Research \u0026 Intelligence Labs analyzes the recent 3CX supply chain attack and the malicious methods employed by the attackers.\r\nInfoStealer Deployed in a Massive Supply Chain Attack\r\nAn ongoing supply chain attack has been reported targeting customers of 3CX, a VoIP IPBX software development company. The attack has been attributed to North Korean Threat Actors (TAs). The 3CX DesktopApp is available for Windows, macOS, Linux, and mobile platforms; however, the malicious activity tied to this supply chain attack has so far only been observed on Windows and macOS. The attack delivers a Trojanized, digitally signed build of the 3CX Voice over Internet Protocol (VoIP) desktop client. 3CX’s Phone System is used by over 600,000 companies globally and has over 12 million daily users.\r\nThe highlights of the incident are as follows:\r\nOn March 29, a large number of EDR and antivirus products began flagging the signed, otherwise legitimate 3CXDesktopApp.exe binary.\r\nThis binary had initiated an update procedure that ultimately led to malicious activity and communication with Command-and-Control servers.\r\nhttps://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack\r\nPage 1 of 14\r\nThe 3CX installer offered on the official public website was itself Trojanized. 
Systems that already had the application installed received the same malware through the regular update mechanism.\r\nThe attack is a multi-stage process that starts with the 3CX desktop application.\r\nThe malicious payloads are retrieved from GitHub only after a delay of 7 days. This delay is most likely an attempt to evade sandboxes and other security systems that watch for suspicious activity shortly after installation.\r\nAs per reports, the final stage of the attack is an information stealer. It gathers system data and harvests saved data and login credentials from user profiles of web browsers including Chrome, Edge, Brave, and Firefox.\r\nBoth the Windows and macOS installers for 3CX have been impacted.\r\nAs per researchers, evidence from GitHub indicates that the infrastructure used by the Windows variant was activated on December 7, 2022.\r\nAdditionally, the domains and web infrastructure used in the attacks were registered as early as November 2022.\r\nThe 3CX Phone Management System can be deployed on-premises. Upon further investigation, we found over 240,000 publicly exposed instances of this application.\r\nThe figure below shows the Shodan search results.\r\nFigure 1 – Exposed Instances\r\nWe also came across a Reddit post in which a user reported suspicious activity after updating the 3CX desktop app on March 24, 2023. According to the user, the 3cxdesktopapp.exe process accessed browser caches, as revealed by EDR file history data.\r\nFigure 2 – Reddit Post\r\nAccording to 3CX, the attack was the result of infected bundled libraries that were compiled into the Windows Electron app via Git. The vendor has also stated, “Electron Windows App shipped in Update 7, version numbers 18.12.407 \u0026 18.12.416, includes a security issue. 
Anti-Virus vendors have flagged the executable 3CXDesktopApp.exe and in many cases uninstalled it. Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 \u0026 18.12.416 are also affected.”\r\nWhen executed, the .msi file drops two malicious files, “ffmpeg.dll” and “d3dcompiler_47.dll”, into C:\\Users\\[user_name]\\AppData\\Local\\Programs\\3CXDesktopApp\\app.\r\nThe infection begins when the benign “3CXDesktopApp.exe” loads “ffmpeg.dll”. “ffmpeg.dll” then decrypts an encrypted blob embedded in “d3dcompiler_47.dll”, which turns out to be shellcode.\r\nThis shellcode loads another DLL that queries the IconStorages GitHub page for an .ico file carrying the encrypted Command-and-Control (C\u0026C) server address. After recovering the C\u0026C server, the backdoor connects to it to retrieve the final payload.\r\nThe figure below shows the infection flow.\r\nFigure 3 – Infection chain\r\nTechnical Analysis\r\nThe compromised MSI package installer carries a valid digital signature and looks like a legitimate file, as shown below.\r\nFigure 4 – Digitally signed MSI installer\r\nUpon installation, the MSI package drops “3CXDesktopApp.exe”, “ffmpeg.dll”, and “d3dcompiler_47.dll”, together with other supporting files, into the %LocalAppData% directory:\r\n%LocalAppData%\\Programs\\3CXDesktopApp\\app\\\r\nThe figure below displays the directory where the “3CXDesktopApp” application has been installed.\r\nFigure 5 – 3CXDesktop installation folder\r\nAfter installation, “3CXDesktopApp.exe” is executed. The executable itself is benign, but it is used to side-load the malicious DLL, as shown 
below.\r\nFigure 6 – 3CXDesktop.exe loading ffmpeg.dll file\r\nThe figure below illustrates the process tree of the “3CXDesktopApp” application.\r\nFigure 7 – Process tree\r\n“3CXDesktopApp.exe” loads “ffmpeg.dll”, a malicious DLL specifically designed to read, load, and execute shellcode hidden in “d3dcompiler_47.dll”.\r\nWhen executed, “ffmpeg.dll” creates a new event named “AVMonitorRefreshEvent”, determines its own file path, and looks for the next file in the chain, “d3dcompiler_47.dll”, alongside it. Once found, “ffmpeg.dll” reads “d3dcompiler_47.dll” into memory, as illustrated in the assembly code shown below.\r\nFigure 8 – ffmpeg.dll file is loading d3dcompiler_47.dll\r\nAlthough the loaded “d3dcompiler_47.dll” carries a valid Microsoft signature, an encrypted payload is embedded within it. “ffmpeg.dll” locates that payload by scanning the file for the marker 0xCEFAEDFE (stored little-endian, the byte sequence FE ED FA CE), as shown below.\r\nFigure 9 – Identifying encrypted payload in “d3dcompiler_47.dll”\r\nOnce the encrypted payload has been located, “ffmpeg.dll” decrypts it as an RC4 stream using the key “3jB(2bsG#@c7”. The result is shellcode, which the DLL then executes.\r\nThe figure below shows the RC4 loop and the decrypted shellcode function.\r\nFigure 10 – RC4 loop and decrypted shellcode\r\nAfter decryption, “ffmpeg.dll” calls VirtualProtect() to make the shellcode’s memory region executable and then transfers control to it. 
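The two file-parsing steps in this chain, recovering the RC4-encrypted blob that ffmpeg.dll finds behind the 0xCEFAEDFE marker, and pulling the trailing Base64 block out of the .ICO files that the next stage fetches from GitHub (described below), are shown here as an added Python example. It is not code from Cyble, 3CX, or the malware samples: both input files are constructed inside the script, the marker is assumed to be followed directly by ciphertext running to end of file (the article does not describe a length field), and the AES-GCM decryption of the ICO overlay is deliberately left out because no key is given on this page.

```python
import base64
import struct
from typing import Optional

# Values taken from the analysis above. The loader scans d3dcompiler_47.dll for
# the DWORD 0xCEFAEDFE; stored little-endian that is the byte sequence FE ED FA CE.
PAYLOAD_MARKER = (0xCEFAEDFE).to_bytes(4, 'little')
RC4_KEY = b'3jB(2bsG#@c7'


def rc4(key: bytes, data: bytes) -> bytes:
    '''Textbook RC4 (KSA then PRGA). RC4 is symmetric, so the same routine
    encrypts the constructed sample further down.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def find_marker(image: bytes) -> int:
    '''Offset of the first byte after the marker, or -1 when the file has none
    (a clean d3dcompiler_47.dll should return -1).'''
    pos = image.find(PAYLOAD_MARKER)
    return -1 if pos < 0 else pos + len(PAYLOAD_MARKER)


def extract_rc4_payload(image: bytes) -> Optional[bytes]:
    '''Mirror the loader: find the marker, RC4-decrypt what follows it.
    Assumption for this example: the ciphertext runs from the marker to the
    end of the file; the article does not describe a length field.'''
    start = find_marker(image)
    if start < 0:
        return None
    return rc4(RC4_KEY, image[start:])


def ico_image_end(ico: bytes) -> int:
    '''Walk ICONDIR and its ICONDIRENTRY records and return the offset at which
    the last embedded image ends. Anything after that offset is overlay.'''
    reserved, kind, count = struct.unpack_from('<HHH', ico, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError('not an ICO file')
    end = 6 + 16 * count
    for n in range(count):
        # width, height, colours, reserved, planes, bit depth, image size, image offset
        _w, _h, _c, _r, _p, _b, size, offset = struct.unpack_from('<BBBBHHII', ico, 6 + 16 * n)
        end = max(end, offset + size)
    return end


def extract_ico_overlay(ico: bytes) -> bytes:
    '''Base64-decode the text appended after the icon image data. What comes
    back is still the AES-GCM ciphertext of the C2 string; the key and nonce
    layout are not given in the article, so decryption is not attempted here.'''
    overlay = ico[ico_image_end(ico):].strip()
    return base64.b64decode(overlay, validate=True)


# Constructed samples, not real artifacts: a fake PE-like image with the marker
# and an RC4-encrypted blob, and a minimal one-image ICO with Base64 appended.
SAMPLE_SHELLCODE = b'stage-2 loader stand-in (constructed, not shellcode)'
SAMPLE_C2_BLOB = b'aes-gcm ciphertext stand-in'


def build_fake_dll(plaintext: bytes) -> bytes:
    stub = b'MZ' + bytes(62) + b'This program cannot be run in DOS mode.' + bytes(16)
    return stub + PAYLOAD_MARKER + rc4(RC4_KEY, plaintext)


def build_fake_ico(overlay_text: bytes) -> bytes:
    image = bytes(48)                      # stands in for BITMAPINFOHEADER + pixels
    header = struct.pack('<HHH', 0, 1, 1)  # ICONDIR: reserved, type 1 = icon, one entry
    entry = struct.pack('<BBBBHHII', 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image + overlay_text


def demo() -> dict:
    '''Run both extraction steps over the constructed samples.'''
    fake_dll = build_fake_dll(SAMPLE_SHELLCODE)
    fake_ico = build_fake_ico(base64.b64encode(SAMPLE_C2_BLOB))
    return {
        'marker_offset': find_marker(fake_dll),
        'payload': extract_rc4_payload(fake_dll),
        'clean_dll_payload': extract_rc4_payload(b'MZ' + bytes(200)),
        'ico_overlay': extract_ico_overlay(fake_ico),
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print(name, value)
```

Run against a real d3dcompiler_47.dll, find_marker returning -1 is the expected result for the untampered Microsoft-signed file; for the ICO files, any bytes past the offset computed from the ICONDIR entries are overlay, which is the property worth checking rather than the icon itself.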
An embedded DLL is present within the decrypted shellcode, as shown in the figure below; it functions as a loader for another PE file.\r\nFigure 11 – Embedded DLL file inside Shellcode\r\nOnce loaded and executed, the DLL embedded in the shellcode sleeps for 7 days before attempting any Command and Control (C\u0026C) communication. It then tries to fetch an .ICO file from a GitHub repository.\r\nFigure 12 – Hardcoded GitHub link to download the .ICO file\r\nThis ICO file carries the C\u0026C strings, encrypted with AES-GCM and then Base64-encoded. The Base64 text is appended after the icon image data, at the end of the ICO file, as shown below.\r\nFigure 13 – Base64-encoded string at the end of ICO file\r\nThe DLL decrypts the C\u0026C URLs from the ICO file and uses them to download additional payloads from the remote server. To obtain different C\u0026C URLs, the malware picks an ICO file at random from the GitHub repository. We were unable to verify the specifics of these follow-on payloads, as the GitHub repository was taken down before this analysis.\r\nResearchers discovered that the final stage of the malware is a stealer that extracts system information and steals sensitive data from popular web browsers such as Chrome, Edge, Brave, and Firefox.\r\nConclusion\r\nThe potential damage caused by the 3CXDesktopApp supply chain attack is significant, including the theft of sensitive user data. 
Organizations affected by this attack should take immediate steps to contain it before it causes widespread harm. The current investigation suggests that the threat actor behind this attack is skilled and persistent.\r\nThe consequences of such an attack, including financial loss, reputational damage, and the loss of customer trust, are severe. It is crucial that organizations remain vigilant and take proactive measures to secure their supply chains to prevent similar attacks in the future.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nThoroughly investigate all systems to determine the scope and extent of the attack, including identifying all affected systems and data.\r\nConduct regular security audits of your supply chain to ensure that all third-party software and components are trustworthy and secure.\r\nMonitor your network regularly for suspicious activity indicating a breach, such as unauthorized access attempts or data exfiltration.\r\nStay up to date with the latest threat intelligence and security news to stay informed about emerging threats and vulnerabilities. 
This will help to mitigate risks proactively and respond quickly in the event of an attack.\r\nUse a reputable antivirus and internet security software package on all connected devices, including PCs, laptops, and mobile devices.\r\nBlock URLs that could be leveraged to spread malware.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1195 | Supply Chain Compromise\r\nExecution | T1204.002 | User Execution: Malicious File\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information\r\nDefense Evasion | T1027 | Obfuscated Files or Information\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading\r\nDefense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time-Based Evasion\r\nCredential Access | T1555 | Credentials from Password Stores\r\nCredential Access | T1539 | Steal Web Session Cookie\r\nCommand and Control | T1071 | Application Layer Protocol\r\nIndicators of Compromise (IOCs)\r\nIndicator | Indicator Type | Description\r\nf3d4144860ca10ba60f7ef4d176cc736 | MD5 | 3CX Windows Installer\r\nbea77d1e59cf18dce22ad9a2fad52948fd7a9efa | SHA1 | 3CX Windows Installer\r\naa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 | SHA256 | 3CX Windows Installer\r\n0eeb1c0133eb4d571178b2d9d14ce3e9 | MD5 | 3CX Windows Installer\r\nbfecb8ce89a312d2ef4afc64a63847ae11c6f69e | SHA1 | 3CX Windows Installer\r\n59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 | SHA256 | 3CX Windows Installer\r\n5729fb29e3a7a90d2528e3357bd15a4b | MD5 | 3CX macOS Installer File\r\n19f4036f5cd91c5fc411afc4359e32f90caddaac | SHA1 | 3CX macOS Installer File\r\n5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 | SHA256 | 3CX macOS Installer File\r\nd5101c3b86d973a848ab7ed79cd11e5a | MD5 | 3CX macOS Installer File\r\n3dc840d32ce86cebf657b17cef62814646ba8e98 | SHA1 | 3CX macOS Installer File\r\ne6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec | SHA256 | 3CX macOS Installer File\r\n82187ad3f0c6c225e2fba0c867280cc9 | MD5 | Malicious DLL\r\n20d554a80d759c50d6537dd7097fed84dd258b3e | SHA1 | Malicious DLL\r\n11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 | SHA256 | Malicious DLL\r\n74bc2d0b6680faa1a5a76b27e5479cbc | MD5 | Malicious DLL\r\nbf939c9c261d27ee7bb92325cc588624fca75429 | SHA1 | Malicious DLL\r\n7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896 | SHA256 | Malicious DLL\r\ncad1120d91b812acafef7175f949dd1b09c6c21a | SHA1 | Stealer Payload\r\nakamaicontainer[.]com | URL | Malicious URL\r\nakamaitechcloudservices[.]com | URL | Malicious URL\r\nazuredeploystore[.]com | URL | Malicious URL\r\nazureonlinecloud[.]com | URL | Malicious URL\r\nazureonlinestorage[.]com | URL | Malicious URL\r\ndunamistrd[.]com | URL | Malicious URL\r\nglcloudservice[.]com | URL | Malicious URL\r\njournalide[.]org | URL | Malicious URL\r\nmsedgepackageinfo[.]com | URL | Malicious URL\r\nmsstorageazure[.]com | URL | Malicious URL\r\nmsstorageboxes[.]com | URL | Malicious URL\r\nofficeaddons[.]com | URL | Malicious URL\r\nofficestoragebox[.]com | URL | Malicious URL\r\npbxcloudeservices[.]com | URL | Malicious URL\r\npbxphonenetwork[.]com | URL | Malicious URL\r\npbxsources[.]com | URL | Malicious URL\r\nqwepoi123098[.]com | URL | Malicious URL\r\nsbmsa[.]wiki | URL | Malicious URL\r\nsourceslabs[.]com | URL | Malicious URL\r\nvisualstudiofactory[.]com | URL | Malicious URL\r\nzacharryblogs[.]com | URL | Malicious URL\r\ngithub[.]com/IconStorages/images | URL | Malicious URL\r\nconvieneonline[.]com | URL | Malicious URL\r\nSoyoungjun[.]com | URL | Malicious URL\r\n3bb80e9fbeac5383b313084775c80d11 | MD5 | Malicious ICO File\r\n9c943baad621654cc0a0495262b6175276a0a9fb | SHA1 | Malicious ICO File\r\n210c9882eba94198274ebc787fe8c88311af24932832a7fe1f1ca0261f815c3d | SHA256 | Malicious ICO File\r\n644f63f869e2b0a9e5d1aa32823956cc | MD5 | Malicious ICO File\r\n96910a3dbc194a7bf9a452afe8a35eceb904b6e4 | SHA1 | Malicious ICO File\r\na541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c | SHA256 | Malicious ICO File\r\n8875568b90bb03ff54d63d3bd1187063 | MD5 | Malicious ICO File\r\n0d890267ec8d6d2aaf43eaca727c1fbba6acd16e | SHA1 | Malicious ICO File\r\nd459aa0a63140ccc647e9026bfd1fccd4c310c262a88896c57bbe3b6456bd090 | SHA256 | Malicious ICO File\r\n1640f48cc05c58f4cc077503a5361cea | MD5 | Malicious ICO File\r\nb1dee3ebcffad01a51ff31ff495fef1d40fdfaa0 | SHA1 | Malicious ICO File\r\nd51a790d187439ce030cf763237e992e9196e9aa41797a94956681b6279d1b9a | SHA256 | Malicious ICO File\r\n71d5b9bfd6bf37ff5aa9752b2b6d5af1 | MD5 | Malicious ICO File\r\n64ab912d0af35c01355430d85dd4181f25e88838 | SHA1 | Malicious ICO File\r\n4e08e4ffc699e0a1de4a5225a0b4920933fbb9cf123cde33e1674fde6d61444f | SHA256 | Malicious ICO File\r\nda667174c2d145a4d9b3b39387fbd7dd | MD5 | Malicious ICO File\r\n8377fb40c76aa3ba3efae3d284fa51aa7748e010 | SHA1 | Malicious ICO File\r\n8c0b7d90f14c55d4f1d0f17e0242efd78fd4ed0c344ac6469611ec72defa6b2d | SHA256 | Malicious ICO File\r\n69455ba3bfd2d8e3ade5081368934945 | MD5 | Malicious ICO File\r\n11ae67704ea0b930b2cc966e6d07f8b898f1a7d2 | SHA1 | Malicious ICO File\r\nf47c883f59a4802514c57680de3f41f690871e26f250c6e890651ba71027e4d3 | SHA256 | Malicious ICO File\r\n848bc8e5917db1f735029fc51952002d | MD5 | Malicious ICO File\r\nffccc3a29d1582989430e9b6c6d2bff1e3a3bb14 | SHA1 | Malicious ICO File\r\n2c9957ea04d033d68b769f333a48e228c32bcf26bd98e51310efd48e80c1789f | SHA256 | Malicious ICO File\r\naafa584176d9aec7912b4bc3476acc1a | MD5 | Malicious ICO File\r\n89827af650640c7042077be64dc643230d1f7482 | SHA1 | Malicious ICO File\r\n268d4e399dbbb42ee1cd64d0da72c57214ac987efbb509c46cc57ea6b214beca | SHA256 | Malicious ICO File\r\n4d112603466ac9c57a669445374c1fb5 | MD5 | Malicious ICO File\r\nb5de30a83084d6f27d902b96dd12e15c77d1f90b | SHA1 | Malicious ICO File\r\nc62dce8a77d777774e059cf1720d77c47b97d97c3b0cf43ade5d96bf724639bd | SHA256 | Malicious ICO File\r\nd232fa2eabc03123517a78936a18448b | MD5 | Malicious ICO File\r\n3992dbe9e0b23e0d4ca487faffeb004bcfe9ecc8 | SHA1 | Malicious ICO File\r\nc13d49ed325dec9551906bafb6de9ec947e5ff936e7e40877feb2ba4bb176396 | SHA256 | Malicious ICO File\r\naff5911f6c211cde147a0d6aa3a7a423 | MD5 | Malicious ICO File\r\ncaa77bcd0a1a6629ba1f3ce8d1fc5451d83d0352 | SHA1 | Malicious ICO File\r\nf1bf4078141d7ccb4f82e3f4f1c3571ee6dd79b5335eb0e0464f877e6e6e3182 | SHA256 | Malicious ICO File\r\n4942dc3c0e9808544b068854cf1351e0 | MD5 | Malicious ICO File\r\n57a9f3d5d1592a0769886493f566930d8f32a0fc | SHA1 | Malicious ICO File\r\n2487b4e3c950d56fb15316245b3c51fbd70717838f6f82f32db2efcc4d9da6de | SHA256 | Malicious ICO File\r\n3eb70db2f6bffbe29970f759747e07bd | MD5 | Malicious ICO File\r\nf533bea1c0558f73f6a3930343c16945fb75b20f | SHA1 | Malicious ICO File\r\ne059c8c8b01d6f3af32257fc2b6fe188d5f4359c308b3684b1e0db2071c3425c | SHA256 | Malicious ICO File\r\n14b79d2f81d1c0a9c3769f7bb83e443d | MD5 | Malicious ICO File\r\n31d775ab577f3cc88991d90e9ae58501dbe1f0da | SHA1 | Malicious ICO File\r\nd0f1984b4fe896d0024533510ce22d71e05b20bad74d53fae158dc752a65782e | SHA256 | Malicious ICO File\r\nSource: https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2023/03/31/a-comprehensive-analysis-of-the-3cx-attack"
	],
	"report_names": [
		"a-comprehensive-analysis-of-the-3cx-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775438973,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93e0a5848584c5e9e6b5b6c3500445d87a987938.pdf",
		"text": "https://archive.orkl.eu/93e0a5848584c5e9e6b5b6c3500445d87a987938.txt",
		"img": "https://archive.orkl.eu/93e0a5848584c5e9e6b5b6c3500445d87a987938.jpg"
	}
}