{
	"id": "008e206d-e72e-41b1-935d-a7e1eaa93223",
	"created_at": "2026-04-06T00:13:10.752776Z",
	"updated_at": "2026-04-10T03:38:19.620315Z",
	"deleted_at": null,
	"sha1_hash": "b19e739c901b883a6df6d772f2f2f6034e154eb8",
	"title": "CrowdStrike Prevents 3CXDesktopApp Intrusion Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 315252,
	"plain_text": "CrowdStrike Prevents 3CXDesktopApp Intrusion Campaign\r\nBy CrowdStrike\r\nArchived: 2026-04-05 20:49:13 UTC\r\nNote: Content from this post first appeared in r/CrowdStrike\r\n3/31 UPDATE After review and reverse engineering by the CrowdStrike Intelligence team, the signed MSI\r\n( aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 ) is malicious.\r\nThe MSI will drop three files, with the primary fulcrum being the compromised binary ffmpeg.dll\r\n( 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896 ).\r\nOnce active, the HTTPS beacon structure and encryption key match those observed by CrowdStrike in a March 7, 2023\r\ncampaign attributed with high confidence to DPRK-nexus threat actor LABYRINTH CHOLLIMA.\r\nAll Falcon customers can view our actor profile on LABYRINTH CHOLLIMA (US-1 | US-2 | EU-1 | US-GOV-1)\r\nCrowdStrike Intelligence Premium subscribers can view the following reports for full technical details:\r\nCSA-230387: LABYRINTH CHOLLIMA Uses TxRLoader and Vulnerable Drivers to Target Financial and Energy\r\nSectors (US-1 | US-2 | EU-1 | US-GOV-1)\r\nCSA-230489: LABYRINTH CHOLLIMA Suspected of Conducting Supply Chain Attack with 3CX Application\r\n(US-1 | US-2 | EU-1 | US-GOV-1)\r\nCSA-230494: ArcfeedLoader Malware Used in Supply Chain Attack Leveraging Trojanized 3CX Installers Confirms\r\nAttribution to LABYRINTH CHOLLIMA (US-1 | US-2 | EU-1 | US-GOV-1)\r\nCrowdStrike recommends removing the 3CX software from endpoints until advised by the vendor that future installers and\r\nbuilds are safe.\r\nFalcon Spotlight customers can search for CVE-2023-3CX to identify vulnerable versions of 3CX software. Spotlight will\r\nautomatically highlight this vulnerability in your vulnerability feed.\r\nOriginal Post\r\nOn March 29, 2023, CrowdStrike observed unexpected malicious activity emanating from a legitimate, signed binary,\r\n3CXDesktopApp — a softphone application from 3CX. 
The malicious activity includes beaconing to actor-controlled\r\ninfrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.\r\nThe CrowdStrike Falcon® platform has behavioral preventions and atomic indicator detections targeting the abuse of\r\n3CXDesktopApp. In addition, CrowdStrike® Falcon OverWatch™ helps customers stay vigilant against hands-on-keyboard\r\nactivity.\r\nCrowdStrike customers can log into the customer support portal and follow the latest updates in Trending Threats \u0026\r\nVulnerabilities: Intrusion Campaign Targeting 3CX Customers\r\nThe 3CXDesktopApp is available for Windows, macOS, Linux and mobile. At this time, activity has been observed on both\r\nWindows and macOS.\r\nCrowdStrike Intelligence has assessed there is suspected nation-state involvement by the threat actor LABYRINTH\r\nCHOLLIMA. CrowdStrike Intelligence customers received an alert this morning on this active intrusion.\r\nGet fast and easy protection with built-in threat intelligence — request a free trial of CrowdStrike Falcon® Pro today.\r\nCrowdStrike Falcon Detection and Protection\r\nWatch how the CrowdStrike Falcon platform detects and prevents an active intrusion campaign targeting 3CXDesktopApp\r\nusers.\r\nThe CrowdStrike Falcon platform protects customers from this attack and has coverage utilizing behavior-based indicators\r\nof attack (IOAs) and indicators of compromise (IOCs) based detections targeting malicious behaviors associated with 3CX\r\non both macOS and Windows.\r\nCustomers should ensure that prevention policies are properly configured with Suspicious Processes enabled.\r\nhttps://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/\r\nPage 1 of 4\n\nFigure 1. CrowdStrike’s indicator of attack (IOA) identifies and blocks the malicious behavior in macOS\r\nFigure 2. 
CrowdStrike’s indicator of attack (IOA) identifies and blocks the malicious behavior in Windows\r\nHunting in the CrowdStrike Falcon Platform\r\nFalcon Discover CrowdStrike Falcon® Discover customers can use the following link: US-1 | US-2 | EU-1 | US-GOV-1 to\r\nlook for the presence of 3CXDesktopApp in their environment.\r\nFalcon Insight customers can assess if the 3CXDesktopApp is running in their environment with the following query:\r\nEvent Search — Application Search\r\nevent_simpleName IN (PeVersionInfo, ProcessRollup2) FileName IN (\"3CXDesktopApp.exe\", \"3CX Desktop App\")\r\n| stats dc(aid) as endpointCount by event_platform, FileName, SHA256HashData\r\nFalcon Long Term Repository (LTR) powered by Falcon LogScale — Application Search\r\n#event_simpleName=/^(PeVersionInfo|ProcessRollup2)$/ AND (event_platform=Win ImageFileName=/\\\\3CXDesktopApp\\.exe$/i) OR (\r\n| ImageFileName = /.+(\\\\|\\/)(?\u003cFileName\u003e.+)$/i\r\n| groupBy(, function=count(aid, distinct=true, as=endpointCount))\r\nAtomic Indicators\r\nThe following domains have been observed beaconing, which should be considered an indication of malicious 
inte\r\nCrowdStrike Falcon® Insight customers, regardless of retention period, can search for the presence of these domains in their\r\nenvironment spanning back one year using Indicator Graph: US-1 | US-2 | EU-1 | US-GOV-1. Event Search — Domain\r\nSearch\r\nevent_simpleName=DnsRequest DomainName IN (akamaicontainer.com, akamaitechcloudservices.com, azuredeploystore.com, azureo\r\n| stats dc(aid) as endpointCount, earliest(ContextTimeStamp_decimal) as firstSeen, latest(ContextTimeStamp_decimal) as las\r\n| convert ctime(firstSeen) ctime(lastSeen)\r\nFalcon LTR — Domain Search\r\n#event_simpleName=DnsRequest\r\n| in(DomainName, values=)\r\n| groupBy(, function=())\r\n| firstSeen := firstSeen * 1000 | formatTime(format=\"%F %T.%L\", field=firstSeen, as=\"firstSeen\")\r\n| lastSeen := lastSeen * 1000 | formatTime(format=\"%F %T.%L\", field=lastSeen, as=\"lastSeen\")\r\n| sort(endpointCount, order=desc)\r\nFile Details\r\nSHA256\r\nOperating\r\nSystem\r\nInstaller SHA256\r\ndde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc Windows aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be3\r\nfad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 Windows 
59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850b\r\n92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 macOS 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae1\r\nb86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb macOS e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5\r\nRecommendations\r\nThe current recommendation for all CrowdStrike customers is:\r\n1. Locate the presence of 3CXDesktopApp software in your environment by using the queries outlined above.\r\n2. Ensure Falcon is deployed to applicable systems.\r\n3. Ensure “Suspicious Processes” is enabled in applicable Prevention Policies.\r\n4. Hunt for historical presence of atomic indicators in third-party tooling (if available).\r\nCrowdStrike Intelligence Confidence Assessment\r\nHigh Confidence: Judgments are based on high-quality information from multiple sources. High confidence in the quality\r\nand quantity of source information supporting a judgment does not imply that that assessment is an absolute certainty or\r\nfact. The judgment still has a marginal probability of being inaccurate.\r\nModerate Confidence: Judgments are based on information that is credibly sourced and plausible, but not of sufficient\r\nquantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to express that\r\njudgments carry an increased probability of being incorrect until more information is available or corroborated.\r\nLow Confidence: Judgments are made where the credibility of the source is uncertain, the information is too fragmented or\r\npoorly corroborated enough to make solid analytic inferences, or the reliability of the source is untested. 
Further information\r\nis needed for corroboration of the information or to fill known intelligence gaps.\r\nAdditional Resources\r\nRequest a free CrowdStrike Intelligence threat briefing and learn how to stop adversaries targeting your\r\norganization.\r\nThe industry-leading CrowdStrike Falcon platform sets the new standard in cybersecurity. Watch this demo to see the\r\nFalcon platform in action.\r\nExperience how the industry-leading CrowdStrike Falcon platform protects against modern threats. Start your 15-\r\nday free trial today.\r\nFind more information on this situation on our Trending Threats \u0026 Vulnerabilities: Intrusion Campaign Targeting\r\n3CX Customers tracking page.\r\nSource: https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/"
	],
	"report_names": [
		"crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b19e739c901b883a6df6d772f2f2f6034e154eb8.pdf",
		"text": "https://archive.orkl.eu/b19e739c901b883a6df6d772f2f2f6034e154eb8.txt",
		"img": "https://archive.orkl.eu/b19e739c901b883a6df6d772f2f2f6034e154eb8.jpg"
	}
}