{
	"id": "a855fc98-26dc-4aa7-90ba-dd05ab9d3fd7",
	"created_at": "2026-04-06T00:06:49.350318Z",
	"updated_at": "2026-04-10T03:21:08.839527Z",
	"deleted_at": null,
	"sha1_hash": "97d675bc1679e2abe353a5993e8b2ec03d99cae2",
	"title": "3CX VoIP Software Compromise \u0026 Supply Chain Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9869291,
	"plain_text": "3CX VoIP Software Compromise \u0026 Supply Chain Threats\r\nBy John Hammond\r\nPublished: 2023-03-30 · Archived: 2026-04-05 22:57:41 UTC\r\nThe 3CX VoIP Desktop Application has been compromised to deliver malware via legitimate 3CX updates. Huntress has been investigating this incident and working to validate and assess the current supply chain threat to the security community.\r\nUPDATE #1 - 3/30/23 @ 2pm ET: Added a PowerShell script, suitable for deployment through an RMM, that locates installed copies of 3CX, reports their versions and compares their hashes against the known malicious ones.\r\nAt 11:40 AM EDT on March 29, 2023, Huntress received an inbound support request from a partner concerned about a new advisory and discussion on Reddit shared just 30 minutes prior. CrowdStrike was first to sound the alarm on a breaking incident: 3CX VoIP software installations were compromised, delivering malware to hosts running the 3CX desktop app.\r\nHuntress immediately added increased monitoring for malicious activity related to the 3CX application, while working to validate this attack vector so that we could provide as much information as possible to the community.\r\nFrom 3CX’s recently released notification, the currently known affected 3CX DesktopApp versions are 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407 and 18.12.416 for Mac.\r\nImpact\r\nAt the time of writing, Shodan reports there are 242,519 publicly exposed 3CX phone management systems.\r\n3CX claims to have over 600,000 customers, and it goes without saying that this has the potential to be a massive supply chain attack, comparable to the SolarWinds incident or the Kaseya VSA ransomware attack in years past.\r\nWithin our partner base, Huntress has sent out 2,783 incident reports where the 3CXDesktopApp.exe binary matches known malicious hashes and was signed by 3CX on March 13, 2023. 
We currently have a pool of ~8,000 hosts running 3CX software.\r\nWhile Huntress has notified the appropriate partners, we decided not to automatically isolate 3CX hosts, since doing so could take phone systems offline. We strongly urge you to remove the software if at all possible; 3CX has promised a clean update in the near future.\r\nAnalysis \u0026 Investigation\r\nOn March 29, numerous EDR providers and antivirus solutions began to trigger and flag on the legitimate signed binary 3CXDesktopApp.exe. This application had begun an update process that ultimately led to malicious behavior and command-and-control communication with numerous external servers.\r\nUnfortunately, early in the community's investigation there was confusion over whether these antivirus alerts were true positives.\r\nhttps://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats\r\nPage 1 of 12\n\nThe 3CX download available on the official public website included malware. Installations already deployed will update and ultimately pull down this malware, which includes a backdoored DLL, ffmpeg.dll, and an anomalous d3dcompiler_47.dll.\r\nFor an overall visual of the attack chain, take a quick look at this primitive graph.\r\nMassive kudos to our security researcher and resident binary ninja Matthew Brennan for this deep-dive! 
\r\nThis backdoored ffmpeg.dll primarily acts as a loader for the d3dcompiler_47.dll file.\r\nStarting from the DLL entrypoint, it eventually enters a function (which we renamed mw_main_function for our reverse engineering) that creates a new event named AVMonitorRefreshEvent, resolves the current file path, and looks for the adjacent d3dcompiler_47.dll file to load into memory.\r\nFrom our analysis, we see that d3dcompiler_47.dll is signed by Microsoft but contains an embedded secondary encrypted payload. This payload is denoted by a specific byte marker, FE ED FA CE, as others have also observed.\r\nAfter retrieving d3dcompiler_47.dll, the ffmpeg.dll binary locates this secondary payload and unravels it by decrypting an RC4 stream with the key 3jB(2bsG#@c7. According to other threat intelligence, this static key is known to be attributed to DPRK threat actors.\r\nFollowing calls to VirtualProtect to prepare this payload, we could extract the decrypted shellcode for further examination.\r\nDigging further with Ghidra, x64dbg and other analysis tools, we discovered yet another DLL file embedded within the shellcode. It appears this shellcode is just another PE loader.\r\nOne very important note regarding this shellcode-embedded PE file: it would sleep for 7 days before calling out to external C2 servers. That 7-day delay matters for responders: further indicators may not appear immediately, which may explain why some users have not yet seen malicious activity. 
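The marker-and-RC4 step described above, as an added worked example: this is the editor's illustration, not Huntress tooling and not the loader's own code. It assumes the ciphertext runs from the FE ED FA CE marker to the end of the file, which is a simplification (the real loader may rely on a length field), and the sample d3dcompiler_47.dll bytes are constructed, not a real sample.

```python
# Added example: carve and RC4-decrypt the secondary payload that the backdoored
# ffmpeg.dll pulls out of d3dcompiler_47.dll. The marker and key are the values
# reported in the post; treating everything after the marker as ciphertext is
# this example's assumption (the real loader may use a length field instead).
from typing import Optional

MARKER = bytes.fromhex('feedface')       # FE ED FA CE, the observed byte marker
RC4_KEY = b'3jB(2bsG#@c7'                # static RC4 key reported in the post


def rc4(key: bytes, data: bytes) -> bytes:
    '''Plain RC4 (KSA then PRGA). RC4 is symmetric, so this both encrypts and decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def find_marker(blob: bytes) -> int:
    '''Offset of the first FE ED FA CE marker, or -1 if the file carries none.'''
    return blob.find(MARKER)


def extract_payload(blob: bytes, key: bytes = RC4_KEY) -> Optional[bytes]:
    '''Decrypt the bytes following the marker; None when no marker is present.'''
    off = find_marker(blob)
    if off < 0:
        return None
    return rc4(key, blob[off + len(MARKER):])


def looks_like_pe(data: bytes) -> bool:
    '''Cheap triage check on the decrypted blob: a PE image starts with MZ.'''
    return data[:2] == b'MZ'


def extract_from_file(path: str) -> Optional[bytes]:
    '''Run the carve against an on-disk d3dcompiler_47.dll (or any suspect file).'''
    with open(path, 'rb') as fh:
        return extract_payload(fh.read())


# Constructed sample (not a real d3dcompiler_47.dll): a clean-looking prefix,
# then the marker, then an RC4-encrypted fake PE payload.
FAKE_PREFIX = b'MZ...stand-in for the legitimate Microsoft-signed DLL bytes...'
FAKE_PAYLOAD = b'MZ' + bytes(30) + b'hypothetical second-stage image'
FAKE_DLL = FAKE_PREFIX + MARKER + rc4(RC4_KEY, FAKE_PAYLOAD)

if __name__ == '__main__':
    payload = extract_payload(FAKE_DLL)
    print('marker at offset', find_marker(FAKE_DLL))
    print('decrypted payload starts with MZ:', looks_like_pe(payload))
```

Point extract_from_file at a suspect d3dcompiler_47.dll and check looks_like_pe on the result; a clean copy of the DLL has no marker and returns None.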
(The timeline fits: the malicious 3CX updates were first seen on March 22, and the industry caught wind of the activity on March 29, seven days later.)\r\nThis final PE file ultimately reaches out to a Github repository and its raw file contents:\r\nhttps://raw[.]githubusercontent[.]com/IconStorages/images/main/icon%d.ico\r\nThis Github repository, https[:]//github[.]com/IconStorages/images, stored 16 separate .ICO icon files. Each one was in fact a valid icon file; however, at the very end of each file was a Base64 encoded string.\r\nDecoding these Base64 strings yielded, as we might expect, what looked like more encrypted data.\r\nIn between the HTTP requests to Github we observed decryption routines. These helped clue us in on how to decrypt what looked to be AES encrypted data, ultimately unraveling it into the plaintext strings and URLs referenced at the end of each .ICO file:\r\nhttps[:]//www[.]3cx[.]com/blog/event-trainings/\r\nhttps[:]//akamaitechcloudservices[.]com/v2/storage\r\nhttps[:]//akamaitechcloudservices[.]com/v2/storage\r\nhttps[:]//azureonlinestorage[.]com\r\n…edge\r\nhttps[:]//glcloudservice[.]com/v1/console\r\nhttps[:]//pbxsources[.]com/exchange\r\nhttps[:]//msstorageazure[.]com/window\r\nhttps[:]//officestoragebox\r\nThese URLs match the same handful of domain IOCs shared by others. 
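Here is how to pull that appended string out of an icon without guessing at offsets, as an added example that is not part of the original post or of the Huntress analysis: the ICO directory says where the last image ends, so anything past that point is foreign. The AES key and mode are not given on this page, so the example stops at the decoded ciphertext; the sample icon and the appended bytes are constructed.

```python
# Added example: parse the ICO directory, find where the legitimate image data
# ends, and Base64-decode whatever has been appended past that point. The AES
# layer described in the post is not reproduced (key and mode are not given
# here), so the result is the still-encrypted blob. Sample icon is constructed.
import base64
import struct
from typing import Optional

ICONDIR = '<HHH'            # reserved (0), type (1 = icon), image count
ICONDIRENTRY = '<BBBBHHII'  # width, height, colours, reserved, planes, bpp, size, offset


def is_ico(blob: bytes) -> bool:
    '''Plausibility check on the 6-byte ICONDIR header.'''
    if len(blob) < struct.calcsize(ICONDIR):
        return False
    reserved, kind, count = struct.unpack_from(ICONDIR, blob, 0)
    return reserved == 0 and kind == 1 and count > 0


def icon_data_end(blob: bytes) -> int:
    '''Offset just past the last image the directory points at.'''
    if not is_ico(blob):
        raise ValueError('not an ICO header')
    count = struct.unpack_from(ICONDIR, blob, 0)[2]
    end = struct.calcsize(ICONDIR) + struct.calcsize(ICONDIRENTRY) * count
    if len(blob) < end:
        raise ValueError('truncated icon directory')
    for i in range(count):
        entry = struct.unpack_from(ICONDIRENTRY, blob, 6 + 16 * i)
        size, offset = entry[6], entry[7]
        if offset + size > len(blob):
            raise ValueError('directory entry points past end of file')
        end = max(end, offset + size)
    return end


def trailing_blob(blob: bytes) -> Optional[bytes]:
    '''Base64-decode the bytes after the last image; None if nothing is appended.'''
    tail = b''.join(blob[icon_data_end(blob):].split())   # drop any whitespace
    if not tail:
        return None
    return base64.b64decode(tail, validate=True)


def build_sample_ico(appended: bytes) -> bytes:
    '''Constructed 1x1, 32-bpp icon: header, one entry, placeholder image, then base64(appended).'''
    image = bytes.fromhex('28000000') + bytes(36)   # 40 placeholder bytes where a BITMAPINFOHEADER would sit
    header = struct.pack(ICONDIR, 0, 1, 1)
    entry = struct.pack(ICONDIRENTRY, 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image + base64.b64encode(appended)


# Stand-in for the AES ciphertext the post found at the end of each icon.
SAMPLE_CIPHERTEXT = bytes.fromhex('00112233445566778899aabbccddeeff' * 2)
SAMPLE_ICO = build_sample_ico(SAMPLE_CIPHERTEXT)

if __name__ == '__main__':
    print('image data ends at', icon_data_end(SAMPLE_ICO), 'of', len(SAMPLE_ICO), 'bytes')
    print('appended blob:', trailing_blob(SAMPLE_ICO).hex())
```

Run trailing_blob over each icon%d.ico from the repository to recover the per-icon ciphertext; the same parser flags icons whose directory points past end of file, which is its own signal that a file is not what it claims to be.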
The final payload would randomly choose an icon number, and therefore which decrypted URL, to use as the external C2 server.\r\nInterestingly enough, the very first .ICO file, icon0.ico, pointed to https[:]//www[.]3cx[.]com/blog/event-trainings/; however, trawling through the past commits of the IconStorages Github repository shows it originally referenced https[:]//msedgeupdate[.]net/Windows\r\nThe https[:]//github[.]com/IconStorages/images repository hosting these C2 server endpoints has been taken offline. While this may hinder execution on hosts updating to the current malicious version of 3CX, the real impact is unknown at this time. It is not yet clear whether adversaries still have access to the 3CX supply chain to poison future updates; this may change the tradecraft we see in the coming days.\r\nEmbedded tweet: \"Right now I see the github[.]com/IconStorages/images repository included in the 3CX supply chain attack has now been taken down. I reported the user to Github earlier today.\" pic.twitter.com/ltWen5TnLo\r\nWe have not yet seen any sample network data communicating with these C2 URLs for us to analyze.\r\nDetection Efforts\r\nUPDATE 3/30/23 @ 2pm ET: Our team has created a PowerShell script, suitable for deployment through an RMM, that locates installed copies of 3CX, reports their versions and compares their hashes against the known malicious ones. 
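The PowerShell script itself is not reproduced on this page. As an added example, and not the Huntress script, here is the same check in Python: it walks the given roots for 3CXDesktopApp.exe, hashes each copy against the four Windows SHA256 values listed under Detection Efforts, and also encodes the process lineage rule described below (a known-bad parent hash plus a child launched with autoLaunch). The process event at the bottom is constructed telemetry, and the default search root is an assumption.

```python
# Added example (not the Huntress PowerShell script): hash-check installed
# 3CXDesktopApp.exe copies and evaluate the post's lineage criteria.
import hashlib
import os
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# SHA256 values for 3CXDesktopApp.exe as listed in this post (Windows builds).
KNOWN_BAD_3CXDESKTOPAPP = {
    'a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203': '18.12.416',
    '5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734': '18.12.416',
    '54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02': '18.12.407',
    'd45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae': '18.12.407',
}
TARGET = '3cxdesktopapp.exe'


def sha256_file(path: Path) -> str:
    '''Stream the file through SHA256 so large binaries are not loaded whole.'''
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b''):
            h.update(chunk)
    return h.hexdigest()


def lookup(digest: str) -> Optional[str]:
    '''Version string if the SHA256 is one of the known-bad hashes, else None.'''
    return KNOWN_BAD_3CXDESKTOPAPP.get(digest.lower())


def find_3cx_binaries(roots: Iterable[str]) -> List[Path]:
    '''Walk each root for files named 3CXDesktopApp.exe (case-insensitive).'''
    hits: List[Path] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            hits.extend(Path(dirpath) / n for n in files if n.lower() == TARGET)
    return hits


def suspicious_lineage(parent_name: str, parent_sha256: str,
                       child_name: str, child_cmdline: str) -> bool:
    '''The post's distinguishing criteria: a parent 3CXDesktopApp.exe with a
    known-bad hash spawning a child 3CXDesktopApp.exe whose command line ends
    in autoLaunch. Lineage or command line alone is not enough.'''
    return (parent_name.lower() == TARGET
            and child_name.lower() == TARGET
            and lookup(parent_sha256) is not None
            and child_cmdline.split()[-1:] == ['autoLaunch'])


def scan(roots: Iterable[str]) -> List[Dict[str, str]]:
    '''Hash every 3CXDesktopApp.exe under roots and annotate it with the IOC verdict.'''
    results = []
    for path in find_3cx_binaries(roots):
        digest = sha256_file(path)
        version = lookup(digest)
        results.append({'path': str(path), 'sha256': digest,
                        'verdict': f'KNOWN BAD ({version})' if version else 'not in IOC list'})
    return results


# Constructed process event (not real telemetry) in the shape the post describes.
SAMPLE_EVENT = {
    'parent_name': '3CXDesktopApp.exe',
    'parent_sha256': 'a60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203',
    'child_name': '3CXDesktopApp.exe',
    'child_cmdline': 'C:\\Users\\Username\\Local\\Programs\\3CXDesktopApp.exe\\3CXDesktopApp.exe autoLaunch',
}

if __name__ == '__main__':
    # Assumed default root: the per-user Programs folder the post's command line points at.
    roots = sys.argv[1:] or [os.path.join(os.environ.get('LOCALAPPDATA', ''), 'Programs')]
    for r in scan([x for x in roots if x and os.path.isdir(x)]):
        print(r['verdict'], r['sha256'], r['path'])
    print('sample lineage suspicious:', suspicious_lineage(**SAMPLE_EVENT))
```

Pass one or more directories as arguments to override the default root; a hit only means the hash is on the list above, so a file that hashes differently is not cleared, merely not yet known.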
\r\nWindows Defender is currently detecting this attack chain with the threat name Trojan:Win64/SamScissors.\r\nFor detection efforts, Huntress has observed, at least for the malicious initial outreach to the Github-related IP address, a particular process tree and process command line.\r\nThe parent lineage has been:\r\nexplorer.exe\r\n  \\_ 3CXDesktopApp.exe\r\n      \\_ 3CXDesktopApp.exe\r\n… with the parent 3CXDesktopApp.exe having one of the known malicious hashes, and the corresponding child 3CXDesktopApp.exe invoked with a command line of:\r\n[DRIVE]:\\Users\\Username\\Local\\Programs\\3CXDesktopApp.exe\\3CXDesktopApp.exe autoLaunch\r\nTo note, we have observed processes with this lineage and command line that have not reached out to a Github related domain, so neither the lineage nor the command line is sufficient on its own; the distinguishing factor appears to be the process lineage criteria paired with a malicious hash for the parent 3CXDesktopApp.exe.\r\nThese known SHA256 hashes offer quality indicators:\r\na60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203 (18.12.416)\r\n5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734 (18.12.416)\r\n54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02 (18.12.407)\r\nd45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae (18.12.407)\r\nAdditionally, Huntress researcher Matthew Brennan has crafted a YARA rule to help detect these malicious files. You can find this YARA rule included within this Github gist:\r\nAttribution\r\nWhile definitive attribution is not yet clear, the current consensus across the security community is that this attack was performed by a DPRK nation-state threat actor.\r\n3CX Official Messaging\r\nThe latest 
recommendations from the 3CX CEO and CISO are to uninstall the 3CX desktop client. They report they are preparing a new release and update to the 3CXDesktopApp to be made available soon.\r\nHuntress Assistance\r\nFully aware of the severity of this incident, we realize our efforts are just one pebble in the pond. With that said, our goal is always to keep our partners safe and do as much as we can to help the broader small and mid-size business (SMB) community prevent this from escalating further.\r\nIf you are using 3CX and aren’t already working with our team, Huntress is offering a free, 30-day trial of our Managed EDR services through the month of April. For more information, check out the details here: https://www.huntress.com/3cx-response\r\nResources and References\r\nThe latest from 3CX\r\nhttps://www.3cx.com/blog/news/desktopapp-security-alert-updates/\r\nCrowdStrike’s original Reddit reporting\r\nhttps://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/\r\nCrowdStrike’s formal blog post\r\nhttps://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/\r\nTodyl’s reporting\r\nhttps://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign\r\nSentinelOne’s reporting\r\nhttps://s1.ai/smoothoperator\r\nDiscussion on the 3CX forum and public bulletin board\r\nhttps://www.3cx.com/community/threads/threat-alerts-from-sentinelone-for-desktop-update-initiated-from-desktop-client.119806/post-558710\r\nhttps://www.3cx.com/community/threads/3cx-desktop-app-vulnerability-security-group-contact.119930/\r\nhttps://www.3cx.com/community/threads/crowdstrike-endpoint-security-detection-re-3cx-desktop-app.119934/#post-558726\r\n3CX CEO first official notification\r\nhttps://www.3cx.com/community/threads/3cx-desktopapp-security-alert.119951/#post-558907\r\nNextron Systems’ Sigma and YARA rules for 
detection\r\nhttps://github.com/Neo23x0/signature-base/blob/master/yara/gen_mal_3cx_compromise_mar23.yar\r\nAlienVault OTX pulse (unofficial)\r\nhttps://otx.alienvault.com/pulse/64249206b02aa3531a78d020\r\nKevin Beaumont’s commentary\r\nhttps://cyberplace.social/@GossiTheDog/110108640236492867\r\nPatrick Wardle’s commentary on the Mac variant\r\nhttps://twitter.com/patrickwardle/status/1641294247877021696\r\nhttps://objective-see.org/blog/blog_0x73.html\r\nVolexity’s timeline, including what each of the icon files contained and some of the network indicators\r\nhttps://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/\r\nIndicators of Attack (IOAs)\r\nDomains:\r\nakamaicontainer[.]com\r\nakamaitechcloudservices[.]com\r\nazuredeploystore[.]com\r\nazureonlinecloud[.]com\r\nazureonlinestorage[.]com\r\ndunamistrd[.]com\r\n3CXDesktopApp.exe SHA256 hashes\r\na60a61bf844bc181d4540c9fac53203250a982e7c3ad6153869f01e19cc36203 (18.12.416)\r\n5d99efa36f34aa6b43cd81e77544961c5c8d692c96059fef92c2df2624550734 (18.12.416)\r\n54004dfaa48ca5fa91e3304fb99559a2395301c570026450882d6aad89132a02 (18.12.407)\r\nd45674f941be3cca2fbc1af42778043cc18cd86d95a2ecb9e6f0e212ed4c74ae (18.12.407)\r\n3CXDesktopApp MSI Installer SHA256 hashes\r\naa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868\r\n59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c09 (truncated in the archived copy)\r\n3CXDesktopApp macOS SHA256 hashes\r\n92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61\r\nb86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481ea (truncated in the archived copy)\r\na64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67\r\n3CXDesktopApp macOS DMG Installer hashes\r\n5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290\r\ne6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0db (truncated in the archived copy)\r\nSource: 
https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats"
	],
	"report_names": [
		"3cx-voip-software-compromise-supply-chain-threats"
	],
	"threat_actors": [],
	"ts_created_at": 1775434009,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97d675bc1679e2abe353a5993e8b2ec03d99cae2.pdf",
		"text": "https://archive.orkl.eu/97d675bc1679e2abe353a5993e8b2ec03d99cae2.txt",
		"img": "https://archive.orkl.eu/97d675bc1679e2abe353a5993e8b2ec03d99cae2.jpg"
	}
}