{
	"id": "f001caa4-963a-490b-a6d1-57b304a81acb",
	"created_at": "2026-04-06T00:15:07.674941Z",
	"updated_at": "2026-04-10T13:12:02.621035Z",
	"deleted_at": null,
	"sha1_hash": "a7941fa7a119e396334c5e0e12641a0b912480a5",
	"title": "Elastic users protected from SUDDENICON’s supply chain attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1026008,
	"plain_text": "Elastic users protected from SUDDENICON’s supply chain attack\r\nBy Daniel Stepanic, Remco Sprooten, Joe Desimone, Samir Bousseaden, Devon Kerr\r\nPublished: 2023-05-05 · Archived: 2026-04-05 21:13:48 UTC\r\nKey takeaways\r\n- Elastic users are protected from the supply chain attack targeting 3CX users\r\n- How the execution flow operates is actively being investigated by Elastic Security Labs and other research teams\r\n- Irrespective of the anti-malware technology you are using, shellcode and process injection alerts for 3CX should not be added to exception lists\r\nPreamble\r\nOn March 29, 2023, CrowdStrike reported a potential supply-chain compromise affecting 3CX VoIP softphone users, as detailed in a Reddit post. Elastic Security Labs continues to monitor telemetry for evidence of threat activity and will provide updates as more evidence becomes available. The earliest period of potentially malicious activity is currently understood to be on or around March 22, 2023, as reported by Todyl.\r\n3CX states it is used by over 600,000 companies and over 12,000,000 users, so Elastic Security Labs is releasing a triage analysis to assist 3CX customers in the initial detection of SUDDENICON, with follow-on malware and intrusion analysis to be released at a later date.\r\nIn this informational update, Elastic Security Labs provides the following:\r\n- Potentially malicious domains associated with malware activity\r\n- File hashes for the 3CX Windows and macOS clients which may be impacted\r\n- Elastic queries and prebuilt protections which may be relevant to this activity\r\n- YARA rules to identify the SUDDENICON malware\r\nSUDDENICON triage analysis\r\nThe 3CXDesktopApp installer MSI appears to contain malicious code which waits seven days post-installation before downloading additional files from GitHub and communicating with malicious command-and-control domains. 
The client application writes ffmpeg.dll and d3dcompiler_47.dll to disk, the latter of which contains a payload we refer to as SUDDENICON. Both libraries in our sampling appear to have been backdoored. It should be noted that ffmpeg.dll and d3dcompiler_47.dll are both legitimate file names, and detection rules should not be created on the file names alone.\r\nffmpeg.dll referencing the d3dcompiler_47.dll file\r\nThe ffmpeg.dll binary extracts SUDDENICON from d3dcompiler_47.dll by seeking the FEEDFACE byte sequence and decrypting the payload it marks with the static RC4 key 3jB(2bsG#@c7. The resulting payload is then loaded in memory as the second stage. A shellcode stub prepended to the payload, used to map it into memory, shares similarities with APPLEJEUS loader stubs, which have been associated with the DPRK. Upon successfully executing, this shellcode stub writes a new file (manifest) to disk containing a timestamp 7 days in the future; this timestamp implements the sleep interval after which the malware connects to the C2 infrastructure.\r\nffmpeg.dll loading the d3dcompiler_47.dll file\r\nC2 domains are retrieved by downloading and base64-decoding the trailing bytes appended to icon files staged in the IconStorages GitHub repository (this repository has since been removed by GitHub). The repository was created by GitHub user ID 120072117 on December 8, 2022, and most recently updated on March 16, 2023. After initially connecting to an active C2 server, the malware performs a POST containing a machine identifier. It then downloads and decrypts a new executable.\r\nSUDDENICON downloading a new executable\r\nInitial analysis suggests the new executable is an information stealer. 
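As an added triage example (not code from the Elastic post or from 3CX), the following Python covers the two extraction steps described above in one script: locating the FEEDFACE marker in a d3dcompiler_47.dll-style blob and RC4-decrypting with the static key 3jB(2bsG#@c7, and recovering the base64-encoded trailer appended to an icon file of the kind staged in IconStorages. Only the marker, the key and the fact that the trailer is base64 come from the page; the assumptions, labelled again in the code, are that the marker is the literal byte sequence FE ED FA CE, that the ciphertext is everything after the marker, and that the trailer begins where the last ICONDIRENTRY image ends. The sample library and icon are constructed inside the script and are not real malware.

```python
import base64
import struct

# From the page: marker searched for by ffmpeg.dll and the static RC4 key.
# Assumed for this example: the marker is the literal byte order FE ED FA CE
# and the RC4 ciphertext is everything that follows it.
FEEDFACE_MARKER = bytes.fromhex('feedface')
SUDDENICON_RC4_KEY = b'3jB(2bsG#@c7'


def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_suddenicon(library: bytes):
    # Locate the FEEDFACE marker in a d3dcompiler_47.dll-style blob and
    # RC4-decrypt the bytes after it. Returns None when no marker is present.
    idx = library.find(FEEDFACE_MARKER)
    if idx < 0:
        return None
    return rc4(SUDDENICON_RC4_KEY, library[idx + len(FEEDFACE_MARKER):])


def icon_trailer(ico: bytes):
    # Walk the ICONDIR (6 bytes) and its 16-byte ICONDIRENTRY records to find
    # where the last embedded image ends; anything past that point is not part
    # of the icon and is base64-decoded as the page describes. Returns None for
    # a non-icon, an icon with no trailer, or a trailer that is not base64.
    if len(ico) < 6:
        return None
    reserved, ico_type, count = struct.unpack_from('<HHH', ico, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        return None
    end = 6 + 16 * count
    for n in range(count):
        # size and offset sit at bytes 8..15 of each ICONDIRENTRY
        size, offset = struct.unpack_from('<II', ico, 6 + 16 * n + 8)
        end = max(end, offset + size)
    trailer = ico[end:].strip()
    if not trailer:
        return None
    try:
        return base64.b64decode(trailer, validate=True)
    except ValueError:
        return None


def build_samples():
    # Constructed inputs, not real samples: a fake library carrying an
    # RC4-encrypted payload behind the marker, and a one-entry icon with a
    # base64 domain list appended after its image data.
    payload = b'MZ-fake-second-stage-payload'
    library = b'benign-code-' * 8 + FEEDFACE_MARKER + rc4(SUDDENICON_RC4_KEY, payload)
    image = bytes(48)                                   # stand-in image bytes
    header = struct.pack('<HHH', 0, 1, 1)               # ICONDIR: type 1, 1 entry
    entry = struct.pack('<BBBBHHII', 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    domains = b'msstorageazure[.]com'
    ico = header + entry + image + base64.b64encode(domains)
    return library, ico, payload, domains


if __name__ == '__main__':
    library, ico, payload, domains = build_samples()
    print(extract_suddenicon(library) == payload)
    print(icon_trailer(ico).decode())
```

Point extract_suddenicon at a suspected d3dcompiler_47.dll and icon_trailer at a downloaded icon. A None from icon_trailer means nothing followed the last ICONDIRENTRY image; a decrypted blob that does not look like shellcode or a PE header means the marker or key assumption does not hold for that sample and the loader's actual offset logic must be recovered from ffmpeg.dll.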
We’ll release an update once the analysis has been completed.\r\nThe CEO of 3CX has recommended uninstalling the software; a small number of community forum posts outline how security tooling is reacting to potential malware behaviors, and CrowdStrike and SentinelOne have published initial information. It appears likely that the threat actor was able to introduce malicious software via the 3CX update channels, overwriting otherwise benign components of 3CXDesktopApp. Users who install a trojanized package directly may also self-infect.\r\nDetection logic\r\nPrevention\r\n- Memory Threat Detection Alert: Shellcode injection\r\n- Windows.Trojan.SuddenIcon\r\nMemory Threat Detection Alert: Shellcode injection\r\nHunting queries\r\nThe events used by both the KQL and EQL queries below are provided by the Elastic Agent with the Elastic Defend integration. Hunting queries can return a high volume of signals or false positives: they identify potentially suspicious behavior, and an investigation is required to validate the findings.\r\nKQL queries\r\nThe following KQL query can be used to identify 3CX-signed software performing name resolution of raw.githubusercontent.com, where malicious applications related to this threat have been staged:\r\nprocess.name : \"3CXDesktopApp.exe\" and dns.question.name : \"raw.githubusercontent.com\"\r\nThe following KQL query can be used to identify several host-based indicators of this activity:\r\ndll.hash.sha256 : \"7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896\" or dll.hash.sha256 : \"c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02\"\r\nEQL queries\r\nUsing the Timeline section of the Security Solution in Kibana under the “Correlation” tab, you can use the EQL queries below to hunt for similar behaviors.\r\nThe following EQL query can be used to profile 3CX software and its child processes:\r\nany where process.code_signature.subject_name == \"3CX Ltd\" or process.parent.code_signature.subject_name == \"3CX Ltd\"\r\nThe following EQL query can be used to identify 3CX-signed software performing name resolution of raw.githubusercontent.com, where malicious applications related to this threat have been staged:\r\nnetwork where process.code_signature.subject_name == \"3CX Ltd\" and dns.question.name == \"raw.githubusercontent.com\"\r\nThe following EQL query can be used to identify files written by the 3CXDesktopApp client:\r\nfile where event.type == \"creation\" and\r\n  ((host.os.type == \"windows\" and file.path : \"*:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\3CXDesktopApp\\\\app\\\\*\" and file.name : (\"manifest\")) or\r\n   (host.os.type == \"macos\" and file.path : \"*/Library/Application Support/3CX Desktop App/*\" and file.name : (\"UpdateAgent\", \".main_storage\", \".session-lock\")))\r\nThe following EQL query can be used to identify several host-based indicators of this activity in sequence: a 3CX-signed process loading one of the known-bad DLLs and then resolving raw.githubusercontent.com:\r\nsequence by host.name, process.entity_id\r\n  [process where process.code_signature.subject_name : \"3CX Ltd\"]\r\n  [library where dll.hash.sha256 : (\"c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02\", \"7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896\")]\r\n  [network where dns.question.name : \"raw.githubusercontent.com\"]\r\nThe following EQL query can be used to identify this activity even if the DLL is updated, by flagging any untrusted DLL that a 3CX-signed process loads from its own executable directory:\r\nlibrary where process.code_signature.subject_name : \"3CX Ltd\" and\r\n  not dll.code_signature.trusted == true and\r\n  not startswith~(dll.name, process.name) and\r\n  /* DLL loaded from the process.executable directory */\r\n  endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)),\r\n            substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\r\nYARA\r\nElastic Security Labs has released two YARA signatures for the malicious shellcode, which we refer to as SUDDENICON.\r\nDefensive recommendations\r\nElastic Endgame and Elastic Endpoint customers with shellcode protections enabled in prevention mode blocked the execution of SUDDENICON, though any compromised client software may still need to be removed. Due to the delayed shellcode retrieval and injection, 3CXDesktopApp users may not see alerts until the sleep interval passes (approximately 7 days). Customers using shellcode protections in detect-only mode should enable prevention to mitigate the risk of infection. Do not create exceptions for these alerts.\r\nEnabling the Memory threat protection feature in Prevent mode\r\nReferences\r\nThe following were referenced throughout the above research:\r\n- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/\r\n- https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/\r\n- https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign\r\nIndicators\r\nPotentially malicious domains\r\nDomains shown in bold in the original post indicate that they were observed in our analysis.\r\nakamaicontainer[.]com\r\nakamaitechcloudservices[.]com\r\nazuredeploystore[.]com\r\nazureonlinecloud[.]com\r\nazureonlinestorage[.]com\r\ndunamistrd[.]com\r\nglcloudservice[.]com\r\njournalide[.]org\r\nmsedgepackageinfo[.]com\r\nmsstorageazure[.]com\r\nmsstorageboxes[.]com\r\nofficeaddons[.]com\r\nofficestoragebox[.]com\r\npbxcloudeservices[.]com\r\npbxphonenetwork[.]com\r\npbxsources[.]com\r\nqwepoi123098[.]com\r\nsbmsa[.]wiki\r\nsourceslabs[.]com\r\nvisualstudiofactory[.]com\r\nzacharryblogs[.]com\r\nPotentially impacted 3CXDesktopApp versions and hashes:\r\nClient hash: dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc | OS: Windows | Installer hash: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 | Installer filename: 3cxdesktopapp-18.12.407.msi\r\nClient hash: fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 | OS: Windows | Installer hash: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 | Installer filename: 3cxdesktopapp-18.12.416.msi\r\nClient hash: 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 | OS: macOS | Installer hash: 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 | Installer filename: 3CXDesktopApp-18.11.1213.dmg\r\nClient hash: b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb | OS: macOS | Installer hash: e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec | Installer filename: 3cxdesktopapp-latest.dmg\r\nSource: https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack"
	],
	"report_names": [
		"elastic-users-protected-from-suddenicon-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434507,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7941fa7a119e396334c5e0e12641a0b912480a5.pdf",
		"text": "https://archive.orkl.eu/a7941fa7a119e396334c5e0e12641a0b912480a5.txt",
		"img": "https://archive.orkl.eu/a7941fa7a119e396334c5e0e12641a0b912480a5.jpg"
	}
}