{
	"id": "1a33d25e-9c20-456e-a2eb-c93734268ae9",
	"created_at": "2026-04-06T00:17:06.192668Z",
	"updated_at": "2026-04-10T13:11:49.687691Z",
	"deleted_at": null,
	"sha1_hash": "98ab50f7bea77812998f357f90b6f2f396ca4cef",
	"title": "3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 832170,
	"plain_text": "3CX Software Supply Chain Compromise Initiated by a Prior\r\nSoftware Supply Chain Compromise; Suspected North Korean\r\nActor Responsible | Mandiant\r\nBy Mandiant\r\nPublished: 2023-04-20 · Archived: 2026-04-05 12:54:18 UTC\r\nWritten by: Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov, Marius\r\nFodoreanu, Daniel Scott\r\nIn March 2023, Mandiant Consulting responded to a supply chain compromise that affected 3CX Desktop App\r\nsoftware. During this response, Mandiant identified that the initial compromise vector of 3CX’s network was via\r\nmalicious software downloaded from Trading Technologies website. This is the first time Mandiant has seen a\r\nsoftware supply chain attack lead to another software supply chain attack.\r\nOverview\r\n3CX Desktop App is enterprise software that provides communications for its users including chat, video calls,\r\nand voice calls. In late March, 2023, a software supply chain compromise spread malware via a trojanized version\r\nof 3CX’s legitimate software that was available to download from their website. The affected software was 3CX\r\nDesktopApp 18.12.416 and earlier, which contained malicious code that ran a downloader, SUDDENICON,\r\nwhich in turn received additional command and control (C2) servers from encrypted icon files hosted on GitHub.\r\nThe decrypted C2 server was used to download a third stage identified as ICONICSTEALER, a dataminer that\r\nsteals browser information. 
Mandiant tracks this activity as UNC4736, a suspected North Korean nexus cluster of\r\nactivity.\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 1 of 16\n\nFigure 1: 3CX software supply chain compromise linked to Trading Technologies software supply chain\r\ncompromise\r\nSoftware Supply Chain Exploitation Explained\r\nMandiant Consulting’s investigation of the 3CX supply chain compromise has uncovered the initial intrusion\r\nvector: a malware-laced software package distributed via an earlier software supply chain compromise that began\r\nwith a tampered installer for X_TRADER, a software package provided by Trading Technologies (Figure 1).\r\nMandiant determined that a complex loading process led to the deployment of VEILEDSIGNAL, a multi-stage\r\nmodular backdoor, and its modules.\r\nVEILEDSIGNAL Backdoor Analysis\r\nMandiant Consulting identified an installer with the filename X_TRADER_r7.17.90p608.exe (MD5:\r\nef4ab22e565684424b4142b1294f1f4d) which led to the deployment of a malicious modular backdoor:\r\nVEILEDSIGNAL.\r\nAlthough the X_TRADER platform was reportedly discontinued in 2020, it was still available for download from\r\nthe legitimate Trading Technologies website in 2022. This file was signed with the subject “Trading Technologies\r\nInternational, Inc” and contained the executable file Setup.exe that was also signed with the same digital\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 2 of 16\n\ncertificate. The code signing certificate used to digitally sign the malicious software was set to expire in October\r\n2022.\r\nThe installer contains and executes Setup.exe which drops two trojanized DLLs and a benign executable.\r\nSetup.exe uses the benign executable to side-load one of the malicious DLLs. Side-loading relies on legitimate\r\nWindows executables to load and execute a malicious file that has been disguised as a legitimate dependency. 
The\r\nloaded malicious DLLs contains and uses SIGFLIP and DAVESHELL to decrypt and load the payload into\r\nmemory from the other dropped malicious executable. SIGFLIP relies on RC4 stream-cipher to decrypt the\r\npayload of choice and uses the byte sequence FEEDFACE to find the shellcode, in this case DAVESHELL, during\r\nthe decryption stage.\r\nSIGFLIP and DAVESHELL extract and execute a modular backdoor, VEILEDSIGNAL, and two corresponding\r\nmodules. VEILEDSIGNAL relies on the two extracted modules for process injection and communications with\r\nthe C2 server.\r\nVEILEDSIGNAL and the accompanying two components provide the following functionality:\r\nThe VEILEDSIGNAL backdoor supports three commands: send implant data, execute shellcode, and\r\nterminate itself.\r\nThe process injection module injects the C2 module in the first found process instance of Chrome, Firefox,\r\nor Edge. It also monitors the named pipe and reinjects the communication module if necessary.\r\nThe C2 module creates a Windows named pipe and listens for incoming communications, which it then\r\nsends to the C2 server encrypted with AES-256 in Galois Counter Mode (GCM).\r\nThe C2 configuration of the identified sample of VEILEDSIGNAL (MD5: c6441c961dcad0fe127514a918eaabd4)\r\nrelied on the following hard-coded URL: www.tradingtechnologies[.]com/trading/order-management .\r\nVEILEDSIGNAL Similarities and Code Comparison\r\nThe compromised X_TRADER and 3CXDesktopApp applications both contain, extract, and run a payload in the\r\nsame way, although the final payload is different. 
Mandiant analyzed these samples and observed the following\r\nsimilarities:\r\nUsage of the same RC4 key 3jB(2bsG#@c7 in the SIGFLIP tool configuration to encrypt and decrypt the\r\npayload.\r\nUsage of SIGFLIP, a publicly available project on GitHub leveraging CVE-2013-3900 (MS13-098).\r\nReliance on DAVESHELL, a publicly available open-source project that converts PE-COFF files to\r\nposition-independent code or shellcode and that leverages reflective loading techniques to load the payload\r\nin memory.\r\nUse of the hardcoded cookie variable __tutma in the payloads.\r\nBoth payloads encrypt data with AES-256 GCM cipher.\r\nCompromise of the 3CX Build Environment\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 3 of 16\n\nThe attacker used a compiled version of the publicly available Fast Reverse Proxy project, to move laterally\r\nwithin the 3CX organization during the attack. The file MsMpEng.exe (MD5:\r\n19dbffec4e359a198daf4ffca1ab9165), was dropped in C:\\Windows\\System32 by the threat actor.\r\nMandiant was able to reconstruct the attacker’s steps throughout the environment as they harvested credentials\r\nand moved laterally. Eventually, the attacker was able to compromise both the Windows and macOS build\r\nenvironments. On the Windows build environment, the attacker deployed a TAXHAUL launcher and COLDCAT\r\ndownloader that persisted by performing DLL search order hijacking through the IKEEXT service and ran with\r\nLocalSystem privileges. The macOS build server was compromised with POOLRAT backdoor using Launch\r\nDaemons as a persistence mechanism.\r\nPrevious reporting mentioned the macOS build server was compromised with SIMPLESEA. 
Mandiant\r\nIntelligence completed analysis of the sample and determined it to be the backdoor POOLRAT instead of a new\r\nmalware family.\r\nThreat Actor Spotlight: UNC4736\r\nUNC4736 demonstrates varying degrees of overlap with multiple North Korean operators tracked by Mandiant\r\nIntelligence, especially with those involved in financially-motivated cybercrime operations. These clusters have\r\ndemonstrated a sustained focus on cryptocurrency and fintech-related services over time.\r\nMandiant assesses with moderate confidence that UNC4736 is related to financially motivated North Korean\r\n“AppleJeus” activity as reported by CISA. This is further corroborated with findings from Google TAG who\r\nreported the compromise of www.tradingtechnologies[.]com in February 2022, preceding the distribution of\r\ncompromised X_TRADER updates from the site.\r\nTAG reported on a cluster of North Korean activity exploiting a remote code execution vulnerability in\r\nChrome, CVE-2022-0609, and identified it as overlapping with “AppleJeus” targeting cryptocurrency\r\nservices.\r\nThe site www.tradingtechnologies[.]com was compromised and hosting a hidden IFRAME to exploit\r\nvisitors, just two months before the site was known to deliver a trojanized X_TRADER software package.\r\nWithin the 3CX environment, Mandiant identified the POOLRAT backdoor using journalide[.]org as\r\nits configured C2 server.\r\nAn older sample of POOLRAT (MD5: 451c23709ecd5a8461ad060f6346930c) was previously reported by\r\nCISA as part of the trojanized CoinGoTrade application used in the AppleJeus operation (Figure 2).\r\nThe older sample’s infrastructure also has ties to another trojanized trading application, JMT\r\nTrading, also tracked under AppleJeus.\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 4 of 16\n\nFigure 2: POOLRAT Link to CoinGoTrade and JMT Trading Activity\r\nWeak infrastructure overlap was also identified between UNC4736 and two clusters of 
suspected APT43 activity,\r\nUNC3782 and UNC4469.\r\nDNS resolutions reveal infrastructure overlap between UNC4736 and activity linked to APT43 with\r\nmoderate confidence (Tables 1 – 3)\r\nAPT43 frequently targets cryptocurrency users and related services, highlighting such campaigns are\r\nwidespread across North Korea-nexus cyber operators.\r\nDate Domain UNC\r\n2022-12-20 curvefinances[.]com UNC4469\r\n2022-12-29 pbxphonenetwork[.]com UNC4736\r\nTable 1: Resolutions for IP 89.45.67.160\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 5 of 16\n\nDate Domain UNC\r\n2022-04-08 journalide[.]org UNC4736\r\n2021-11-26 nxmnv[.]site UNC3782\r\nTable 2: Resolutions for IP 172.93.201.88\r\nDate Domain UNC\r\n2023-01-09 msedgepackageinfo[.]com UNC4736\r\n2023-03-22 apollo-crypto.org.shilaerc20[.]com UNC4469\r\nTable 3: Resolutions for IP 185.38.151[.]11\r\nOutlook and Implications\r\nThe identified software supply chain compromise is the first we are aware of which has led to a cascading\r\nsoftware supply chain compromise. It shows the potential reach of this type of compromise, particularly when a\r\nthreat actor can chain intrusions as demonstrated in this investigation. Research on UNC4736 activity suggests\r\nthat it is most likely linked to financially motivated North Korean threat actors. Cascading software supply chain\r\ncompromises demonstrate that North Korean operators can exploit network access in creative ways to develop and\r\ndistribute malware, and move between target networks while conducting operations aligned with North Korea’s\r\ninterests.\r\nMalware Definitions\r\nICONICSTEALER\r\nICONICSTEALER is a C/C++ data miner that collects application configuration data as well as browser history.\r\nDAVESHELL\r\nDAVESHELL is shellcode that functions as an in-memory dropper. 
Its embedded payload is mapped into memory\r\nand executed.\r\nSIGFLIP\r\nSigFlip is a tool for patching authenticode signed PE-COFF files to inject arbitrary code without affecting or\r\nbreaking the file's signature.\r\nPOOLRAT\r\nPOOLRAT is a C/C++ macOS backdoor capable of collecting basic system information and executing commands.\r\nThe commands performed include running arbitrary commands, secure deleting files, reading and writing files,\r\nupdating the configuration.\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 6 of 16\n\nTAXHAUL\r\nTAXHAUL is a DLL that, when executed, decrypts a shellcode payload expected\r\nat  C:\\Windows\\System32\\config\\TxR\\\u003cmachine hardware profile GUID\u003e.TxR.0.regtrans-ms . Mandiant has seen\r\nTAXHAUL persist via DLL search order hijacking.\r\nCOLDCAT\r\nCOLDCAT is a complex downloader. COLDCAT generates unique host identifier information, and beacons it to a\r\nC2 that is specified in a separate file via POST request with the data in the cookie header. After a brief handshake,\r\nthe malware expects base64 encoded shellcode to execute in response.\r\nVEILEDSIGNAL\r\nVEILEDSIGNAL is a backdoor written in C that is able to execute shellcode and terminate itself. Additionally,\r\nVEILEDSIGNAL relies on additional modules that connect via Windows named pipes to interact with the C2\r\ninfrastructure.\r\nAcknowledgments\r\nSpecial thanks to Michael Bailey, Willi Ballenthin, Michael Barnhart, and Jakub Jozwiak for their collaboration\r\nand review. 
Mandiant would also like to thank the Google Threat Analysis Group (TAG) and Microsoft Threat\r\nIntelligence Center (MSTIC) for their collaboration in this research.\r\nTechnical Annex: MITRE ATT\u0026CK\r\nResource Development\r\nT1588 Obtain Capabilities\r\nT1588.004 Digital Certificates\r\nT1608 Stage Capabilities\r\nT1608.003 Install Digital Certificate\r\nInitial Access\r\nT1190 Exploit Public-Facing Application\r\nT1195 Supply Chain Compromise\r\nT1195.002 Compromise Software Supply Chain\r\nPersistence\r\nT1574 Hijack Execution Flow\r\nT1574.002 DLL Side-Loading\r\nPrivilege Escalation\r\nT1055 Process Injection\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 7 of 16\n\nT1574 Hijack Execution Flow\r\nT1574.002 DLL Side-Loading\r\nDefense Evasion\r\nT1027 Obfuscated Files or Information\r\nT1036 Masquerading\r\nT1036.001 Invalid Code Signature\r\nT1055 Process Injection\r\nT1070 Indicator Removal\r\nT1070.001 Clear Windows Event Logs\r\nT1070.004 File Deletion\r\nT1112 Modify Registry\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1497 Virtualization/Sandbox Evasion\r\nT1497.001 System Checks\r\nT1574 Hijack Execution Flow\r\nT1574.002 DLL Side-Loading\r\nT1620 Reflective Code Loading\r\nT1622 Debugger Evasion\r\nDiscovery\r\nT1012 Query Registry\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nT1497 Virtualization/Sandbox Evasion\r\nT1497.001 System Checks\r\nT1614 System Location Discovery\r\nT1614.001 System Language Discovery\r\nT1622 Debugger Evasion\r\nCommand and Control\r\nT1071 Application Layer Protocol\r\nT1071.001 Web Protocols\r\nT1071.004 DNS\r\nT1105 Ingress Tool Transfer\r\nT1573 Encrypted Channel\r\nT1573.002 Asymmetric Cryptography\r\nImpact\r\nT1565 Data Manipulation\r\nT1565.001 Stored Data Manipulation\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 8 of 16\n\nTechnical Annex: Detection Rules\r\nYARA Rules\r\nrule 
M_Hunting_3CXDesktopApp_Key {\r\n meta:\r\n disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n description = \"Detects a key found in a malicious 3CXDesktopApp file\"\r\n md5 = \"74bc2d0b6680faa1a5a76b27e5479cbc\"\r\n date = \"2023/03/29\"\r\n version = \"1\"\r\n strings:\r\n $key = \"3jB(2bsG#@c7\" wide ascii\r\n condition:\r\n $key\r\n}\r\nrule M_Hunting_3CXDesktopApp_Export {\r\n meta:\r\n disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n description = \"Detects an export used in 3CXDesktopApp malware\"\r\n md5 = \"7faea2b01796b80d180399040bb69835\"\r\n date = \"2023/03/31\"\r\n version = \"1\"\r\n strings:\r\n $str1 = \"DllGetClassObject\" wide ascii\r\n $str2 = \"3CXDesktopApp\" wide ascii\r\n condition:\r\n all of ($str*)\r\n}\r\nrule TAXHAUL\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n created = \"04/03/2023\"\r\n modified = \"04/03/2023\"\r\n version = \"1.0\"\r\n strings:\r\n $p00_0 = {410f45fe4c8d3d[4]eb??4533f64c8d3d[4]eb??4533f64c8d3d[4]eb}\r\n $p00_1 = {4d3926488b01400f94c6ff90[4]41b9[4]eb??8bde4885c074}\r\n condition:\r\n uint16(0) == 0x5A4D and any of them\r\n}\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 9 of 16\n\nrule M_Hunting_MSI_Installer_3CX_1\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\nmd5 = \"0eeb1c0133eb4d571178b2d9d14ce3e9, f3d4144860ca10ba60f7ef4d176cc736\"\r\nstrings:\r\n$ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }\r\n$ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }\r\n$ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }\r\n$ss4 = \"3CX Ltd1\" ascii\r\n$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }\r\n$sc2 = \"202303\" ascii\r\ncondition:\r\n(uint32(0) == 0xE011CFD0) and filesize \u003e 90MB and filesize \u003c 105MB and all of them\r\n}\r\nrule M_Hunting_TAXHAUL_Hash_1\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndisclaimer = \"This 
rule is meant for hunting and is not tested to run in a production environment\"\r\ndescription = \"Rule looks for hardcoded value used in string hashing algorithm observed in instances of TAXHAUL.\r\nmd5 = \"e424f4e52d21c3da1b08394b42bc0829\"\r\nstrings:\r\n$c_x64 = { 25 A3 87 DE [4-20] 25 A3 87 DE [4-20] 25 A3 87 DE }\r\ncondition:\r\nfilesize \u003c 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and any of them\r\n}\r\nrule M_Hunting_SigFlip_SigLoader_Native\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\ndescription = \"Rule looks for strings present in SigLoader (Native)\"\r\nmd5 = \"a3ccc48db9eabfed7245ad6e3a5b203f\"\r\nstrings:\r\n$s1 = \"[*]: Basic Loader...\" ascii wide\r\n$s2 = \"[!]: Missing PE path or Encryption Key...\" ascii wide\r\n$s3 = \"[!]: Usage: %s \u003cPE_PATH\u003e \u003cEncryption_Key\u003e\" ascii wide\r\n$s4 = \"[*]: Loading/Parsing PE File '%s'\" ascii wide\r\n$s5 = \"[!]: Could not read file %s\" ascii wide\r\n$s6 = \"[!]: '%s' is not a valid PE file\" ascii wide\r\n$s7 = \"[+]: Certificate Table RVA %x\" ascii wide\r\n$s8 = \"[+]: Certificate Table Size %d\" ascii wide\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 10 of 16\n\n$s9 = \"[*]: Tag Found 0x%x%x%x%x\" ascii wide\r\n$s10 = \"[!]: Could not locate data/shellcode\" ascii wide\r\n$s11 = \"[+]: Encrypted/Decrypted Data Size %d\" ascii wide\r\ncondition:\r\nfilesize \u003c 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and 4 of ($s*)\r\n}\r\nrule M_Hunting_Raw64_DAVESHELL_Bootstrap\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\ndescription = \"Rule looks for bootstrap shellcode (64 bit) present in DAVESHELL\"\r\nmd5 = 
\"8a34adda5b981498234be921f86dfb27\"\r\nstrings:\r\n$b6ba50888f08e4f39b43ef67da27521dcfc61f1e = { E8 00 00 00 00 59 49 89 C8 48 81 C1 ?? ?? ?? ?? BA ?? ?? ?? ?? 49\r\n$e32abbe82e1f957fb058c3770375da3bf71a8cab = { E8 00 00 00 00 59 49 89 C8 BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41\r\ncondition:\r\nfilesize \u003c 15MB and any of them\r\n}\r\nrule M_Hunting_MSI_Installer_3CX_1\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\ndescription = \"This rule looks for hardcoded values within the MSI installer observed in strings and signing cer\r\nmd5 = \"0eeb1c0133eb4d571178b2d9d14ce3e9\"\r\nstrings:\r\n$ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }\r\n$ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }\r\n$ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }\r\n$ss4 = \"3CX Ltd1\" ascii\r\n$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }\r\n$sc2 = \"202303\" ascii\r\ncondition:\r\n(uint32(0) == 0xE011CFD0) and filesize \u003e 90MB and filesize \u003c 100MB and all of them\r\n}\r\nrule M_Hunting_VEILEDSIGNAL_1\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\nmd5 = \"404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4\"\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 11 of 16\n\nstrings:\r\n$rh1 = { 68 5D 7A D2 2C 3C 14 81 2C 3C 14 81 2C 3C 14 81 77 54 10 80 26 3C 14 81 77 54 17 80 29 3C 14 81 77 54 1\r\n$rh2 = { 00 E5 A0 2B 44 84 CE 78 44 84 CE 78 44 84 CE 78 1F EC CA 79 49 84 CE 78 1F EC CD 79 41 84 CE 78 1F EC C\r\n$rh3 = { DA D2 21 22 9E B3 4F 71 9E B3 4F 71 9E B3 4F 71 C5 DB 4C 70 94 B3 4F 71 C5 DB 4A 70 15 B3 4F 71 C5 DB 4\r\n$rh4 = { CB 8A 35 66 8F EB 5B 35 8F EB 5B 35 8F EB 5B 35 D4 83 5F 34 85 EB 5B 35 D4 83 58 34 8A EB 5B 35 D4 83 5\r\ncondition:\r\nuint16(0) == 0x5A4D and 
uint32(uint32(0x3C)) == 0x00004550 and 1 of ($rh*)\r\n}\r\nrule M_Hunting_VEILEDSIGNAL_2\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\nmd5 = \"404b09def6054a281b41d309d809a428\"\r\nstrings:\r\n$sb1 = { C1 E0 05 4D 8? [2] 33 D0 45 69 C0 7D 50 BF 12 8B C2 41 FF C2 C1 E8 07 33 D0 8B C2 C1 E0 16 41 81 C0 87\r\n$si1 = \"CryptBinaryToStringA\" fullword\r\n$si2 = \"BCryptGenerateSymmetricKey\" fullword\r\n$si3 = \"CreateThread\" fullword\r\n$ss1 = \"ChainingModeGCM\" wide\r\n$ss2 = \"__tutma\" fullword\r\ncondition:\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all\r\n}\r\nrule M_Hunting_VEILEDSIGNAL_3\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\nmd5 = \"c6441c961dcad0fe127514a918eaabd4\"\r\nstrings:\r\n$ss1 = { 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73 6F 6E 2C 20 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 2C 2\r\n$si1 = \"HttpSendRequestW\" fullword\r\n$si2 = \"CreateNamedPipeW\" fullword\r\n$si3 = \"CreateThread\" fullword\r\n$se1 = \"DllGetClassObject\" fullword\r\ncondition:\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all\r\n}\r\nrule M_Hunting_VEILEDSIGNAL_4\r\n{\r\nmeta:\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 12 of 16\n\nauthor = \"Mandiant\"\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\nmd5 = \"404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4\"\r\nstrings:\r\n$sb1 = { FF 15 FC 76 01 00 8B F0 85 C0 74 ?? 8D 50 01 [6-16] FF 15 [4] 48 8B D8 48 85 C0 74 ?? 89 ?? 
24 28 44 8B\r\n$sb2 = { 33 D2 33 C9 FF 15 [4] 4C 8B CB 4C 89 74 24 28 4C 8D 05 [2] FF FF 44 89 74 24 20 33 D2 33 C9 FF 15 }\r\n$si1 = \"CreateThread\" fullword\r\n$si2 = \"MultiByteToWideChar\" fullword\r\n$si3 = \"LocalAlloc\" fullword\r\n$se1 = \"DllGetClassObject\" fullword\r\ncondition:\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all\r\n}\r\nrule M_Hunting_VEILEDSIGNAL_5\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\nmd5 = \"6727284586ecf528240be21bb6e97f88\"\r\nstrings:\r\n$sb1 = { 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15\r\n$ss1 = \"chrome.exe\" wide fullword\r\n$ss2 = \"firefox.exe\" wide fullword\r\n$ss3 = \"msedge.exe\" wide fullword\r\n$ss4 = \"\\\\\\\\.\\\\pipe\\\\*\" ascii fullword\r\n$ss5 = \"FindFirstFileA\" ascii fullword\r\n$ss6 = \"Process32FirstW\" ascii fullword\r\n$ss7 = \"RtlAdjustPrivilege\" ascii fullword\r\n$ss8 = \"GetCurrentProcess\" ascii fullword\r\n$ss9 = \"NtWaitForSingleObject\" ascii fullword\r\ncondition:\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all\r\n}\r\nrule M_Hunting_VEILEDSIGNAL_6\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\nmd5 = \"00a43d64f9b5187a1e1f922b99b09b77\"\r\nstrings:\r\n$ss1 = \"C:\\\\Programdata\\\\\" wide\r\n$ss2 = \"devobj.dll\" wide fullword\r\n$ss3 = \"msvcr100.dll\" wide fullword\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 13 of 16\n\n$ss4 = \"TpmVscMgrSvr.exe\" wide fullword\r\n$ss5 = \"\\\\Microsoft\\\\Windows\\\\TPM\" wide fullword\r\n$ss6 = \"CreateFileW\" ascii fullword\r\ncondition:\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and 
(uint16(uint32(0x3C)+0x18) == 0x010B) and all\r\n}\r\nrule MTI_Hunting_POOLRAT {\r\n meta:\r\n author = \"Mandiant\"\r\n disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n description = \"Detects strings found in POOLRAT. \"\r\n md5 = \"451c23709ecd5a8461ad060f6346930c\"\r\n date = \"10/28/2020\"\r\n version = \"1\"\r\n strings:\r\n $str1 = \"name=\\\"uid\\\"%s%s%u%s\" wide ascii\r\n $str2 = \"name=\\\"session\\\"%s%s%u%s\" wide ascii\r\n $str3 = \"name=\\\"action\\\"%s%s%s%s\" wide ascii\r\n $str4 = \"name=\\\"token\\\"%s%s%u%s\" wide ascii\r\n $boundary = \"--N9dLfqxHNUUw8qaUPqggVTpX-\" wide ascii nocase\r\n condition:\r\n any of ($str*) or $boundary\r\n}\r\nrule M_Hunting_FASTREVERSEPROXY\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n md5 = \"19dbffec4e359a198daf4ffca1ab9165\"\r\n strings:\r\n $ss1 = \"Go build ID:\" fullword\r\n $ss2 = \"Go buildinf:\" fullword\r\n $ss3 = \"net/http/httputil.(*ReverseProxy).\" ascii\r\n $ss4 = \"github.com/fatedier/frp/client\" ascii\r\n $ss5 = \"\\\"server_port\\\"\" ascii\r\n $ss6 = \"github.com/armon/go-socks5.proxy\" ascii\r\n condition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n}\r\nSnort Rules\r\nhttps://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise\r\nPage 14 of 16\n\nalert tcp any any -\u003e any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"raw.githubusercontent\r\nalert tcp any any -\u003e any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"3cx_auth_id=%s\\;3cx_au\r\nalert tcp any any -\u003e any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"__tutma\"; threshold:ty\r\nalert tcp any any -\u003e any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"__tutmc\"; threshold:ty\r\nMandiant Security Validation\r\nOrganizations can 
validate their security controls using the following actions with Mandiant Security Validation.\r\nVID Name\r\nA106-319 Command and Control - UNC4736, DNS Query, Variant #1\r\nA106-321 Command and Control - UNC4736, DNS Query, Variant #2\r\nA106-323 Command and Control - UNC4736, DNS Query, Variant #3\r\nA106-324 Host CLI - UNC4736, 3CX Run Key, Registry Modification\r\nA106-322 Malicious File Transfer - UNC4736, SUDDENICON, Download, Variant #1\r\nS100-272 Evaluation: UNC4736 Conducting Supply Chain Attack Targeting 3CX Phone Management System\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
	],
	"report_names": [
		"3cx-software-supply-chain-compromise"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e265bb3a-eb4c-4999-9b1d-c24a0d05a7f0",
			"created_at": "2023-12-21T02:00:06.096716Z",
			"updated_at": "2026-04-10T02:00:03.502439Z",
			"deleted_at": null,
			"main_name": "UNC4736",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4736",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434626,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98ab50f7bea77812998f357f90b6f2f396ca4cef.pdf",
		"text": "https://archive.orkl.eu/98ab50f7bea77812998f357f90b6f2f396ca4cef.txt",
		"img": "https://archive.orkl.eu/98ab50f7bea77812998f357f90b6f2f396ca4cef.jpg"
	}
}