{
	"id": "ecc6462f-45ee-4d4d-9f11-4f79721d8755",
	"created_at": "2026-04-06T00:19:10.54896Z",
	"updated_at": "2026-04-10T03:23:51.883554Z",
	"deleted_at": null,
	"sha1_hash": "d1f274ad40b2580dec88561ca4cd6c73f9fc2454",
	"title": "Investigating 3CX Desktop Application Attacks: What You Need to Know",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 232187,
	"plain_text": "Investigating 3CX Desktop Application Attacks: What You Need to\r\nKnow\r\nBy Threat Analysis Unit\r\nPublished: 2023-03-31 · Archived: 2026-04-05 17:55:15 UTC\r\nThis is a developing situation and this blog post will be updated as needed. \r\nReports of malicious code associated with the 3CX desktop application – part of the 3CX VoIP (Voice over\r\nInternet Protocol) platform – began on March 22, 2023. On March 30, 2023, 3CX confirmed the compromise,\r\nnoting the affected 3CX desktop app versions were 18.12.407 and 18.12.416 for Windows and 18.11.1213,\r\n18.12.402, 18.12.407 and 18.12.416 versions for Mac. NIST National Vulnerability Database has assigned CVE-2023-29059 to track this issue. \r\nReports indicate that one of the bundled libraries included with the 3CX Windows and Mac desktop clients had\r\nbeen altered to contact command and control infrastructure, including a GitHub repository, to deliver second-stage\r\nmalware. According to 3CX, the malicious domains and the GitHub repository have since been taken down.  \r\nWhat is the potential impact?  \r\nSoftware supply chain attacks, as seen with the SolarWinds attack in December 2020, can lead to security teams\r\ndiscovering that their environment has been breached months prior in what is disguised as a standard software\r\nupdate. This highlights the challenges associated with software validation as part of supply chains. The impact of\r\nsuch an attack can be devastating, causing long-term damage to the business, its reputation, and its customers.\r\nIn the case of this 3CXDesktopApp attack, there is not yet enough information on how the compromised code\r\nended up being included with 3CX digitally signed installers. 3CX has hired Mandiant to assist with forensic\r\nactivities.  \r\nObservations by VMware Threat Analysis Unit \r\nNote: This is a developing situation and threat analysis will be updated as needed. 
\r\nVMware Contexa detected the first connections to the C2 domains included in the ICO files as early as 2023-03-06 (akamaitechcloudservices[.]com) and 2023-03-07 (pbxphonenetwork[.]com, sbmsa[.]wiki,\r\nazureonlinestorage[.]com, officeaddons[.]com, pbxsources[.]com, officestoragebox[.]com). See Figure 1 for the\r\nwhole timeline.  \r\nhttps://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html\r\nPage 1 of 5\n\nFigure 1: Connections to C2 domains as detected by VMware Contexa. \r\nTLS connections to visualstudiofactory[.]com taking place on 2023-03-24 and later were established to a server\r\nwith a certificate with the following hash\r\n‘cda34a2b46a2269dc5934967175656a81bd3667a21855273dc2c777f8bd2d4c9’, valid from 2022-11-17, expiring\r\non 2023-11-17, and issued by “C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA\r\nDomain Validation Secure Server CA”. The recorded JA3S is 61be9ce3d068c08ff99a857f62352f9d, although note\r\nthat it is only useful when looking for TLS connections established by the compromised 3CX desktop app. \r\nA search on Censys can also reveal that the host had been online since 2022-11-19; our telemetry, however, does\r\nnot show any activity related to this C2 domain prior to March 2023. 
\r\nCurrent hashes identified to be banned are the following:  \r\nCompromised parents/Installers \r\n59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 \r\naa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 \r\n7c55c3dfa373b6b342390938029cb76ef31f609d9a07780772c6010a4297e321 \r\ne32cc0103827e8eef5881bd6fcae30ccc6bf6d68e8378c007a8fac2d8edbc071 \r\nB5e318240401010e4453e146e3e67464dd625cfef9cd51c5015d68550ee8cc09 \r\nZip file \r\n5c54932fdbb077d73c58ac41a1ad3f6ea5576b3e1f719c8b714b637c9ceb361b \r\nb57d7e6c47516aeb1fd8384a9bc002f8c637b7d42b8f008a0c9e872914344dad \r\nffmpeg.dll   \r\n7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896 \r\nc485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360fff7f8eb4e02 \r\n253f3a53796f1b0fbe64f7b05ae1d66bc2b0773588d00c3d2bf08572a497fa59  \r\nd3dcompiler_47.dll \r\n11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 \r\nSecondary stage Payloads \r\n851c2c99ebafd4e5e9e140cfe3f2d03533846ca16f8151ae8ee0e83c692884b7  \r\n6a0f637546684c90809cf264c22a861c9a07b1ca3b2ef6a359a14d612e392c1a  \r\naa4e398b3bd8645016d8090ffc77d15f926a8e69258642191deb4e68688ff973 \r\nF5fdefaa5321e2cea02ef8b479de8ec3c5505e956ea1484c84a7abb17231fe24 \r\n8ab3a5eaaf8c296080fadf56b265194681d7da5da7c02562953a4cb60e147423 \r\nMacOS Samples \r\n5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 \r\nfee4f9dabc094df24d83ec1a8c4e4ff573e5d9973caa676f58086c99561382d7 \r\ne6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec \r\na64fa9f1c76457ecc58402142a8728ce34ccba378c17318b3340083eeb7acc67 \r\nb86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb \r\nfd15a9619987925827ede24efa8990c3680c9c0b4a76eb1c43031de39c1b7ae1 \r\n9a47c9a3f7cf26ddc1fdb90dc48d30d69448e6d8ab64cc57dcb285c6b9d846c3 \r\n92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 
\r\nc649e7c1897bfd30aad85c6b6736fcb2d002a7eaf64186eea00c1a44d6220803 \r\nfdad2f34e466782e4b272d3f8505c49c3bb6269c8d5fd8846f0cc399f9744cba \r\n87c5d0c93b80acf61d24e7aaf0faae231ab507ca45483ad3d441b5d1acebc43c \r\nHow can you protect your organization?  \r\n3CX has provided mitigation guidance, which includes a recommendation to uninstall the 3CX desktop app. As of\r\nthis writing, an updated desktop app was being prepared by 3CX.  \r\nOne of the biggest challenges with supply chain attacks is that they are hard to detect. Because the attack\r\noccurs through a third-party vendor, the business may not even be aware that an attack has taken place until it is\r\ntoo late. Organizations can minimize overall risk of a supply chain attack by following security best practices.\r\nThese include: \r\nDeveloping a robust security strategy that encompasses the entire supply chain. This means conducting\r\nthorough security checks on all vendors, ensuring that they have appropriate security measures in place,\r\nand regularly monitoring their systems for any potential threats. \r\nImplementing endpoint and network security solutions that can detect and respond to threats in real-time,\r\nas well as advanced threat detection solutions that can identify potential anomalous threats as they occur. \r\nEnsuring a solid incident response plan is in place in case of a supply chain attack. This includes\r\nidentifying the key stakeholders who need to be notified, as well as having a clear process in place for\r\ncontaining and mitigating the attack.\r\nBy taking these steps, businesses can reduce the risk of a supply chain attack and ensure the safety and security of\r\ntheir operations and customers.  \r\nHow can VMware security products help?  
\r\nThe hashes listed in this blog post have a known malware reputation and should be blocked automatically\r\nby Carbon Black Cloud. \r\nCarbon Black EDR customers can search for netconn traffic to the domains listed in this blog post. \r\nCarbon Black App Control customers can ban the hashes listed in this blog post. \r\nCarbon Black customers can also find additional product-related details and instructions by logging on to\r\nthe user community and accessing this link: HERE\r\nFor NSX Advanced Threat Prevention (ATP), all published indicators are currently detected as\r\nmalicious. Where guest virtual machines are protected by the Distributed Malware Prevention Service\r\nleveraging Guest Introspection, all malicious DLL files associated with this threat can be mitigated with a\r\n‘detect and prevent’ malware prevention profile (Figure 2 shows how NSX ATP detects the malicious DLLs\r\nthrough Guest Introspection). NSX ATP also has anomaly-based detectors specifically tailored to identify\r\nanomalous beaconing; the malicious domains associated with 3CXDesktopApp are now part of the\r\nnetwork reputation feed provided by NSX ATP. \r\nFigure 2: User interface of NSX Guest Introspection Malware Prevention Service. 
\r\nNSX ATP Standalone customers can also increase upload limits to support analyzing large files (up to\r\n100MB on-premises, see the following article for instructions on how to change this: INSTRUCTIONS),\r\nand threat hunt for the associated malicious network activity via the Network Explore console using the\r\nfollowing search query: “akamaicontainer.com OR akamaitechcloudservices.com OR\r\nazuredeploystore.com OR azureonlinecloud.com OR azureonlinestorage.com OR dunamistrd.com OR\r\nglcloudservice.com OR journalide.org OR msedgepackageinfo.com OR msstorageazure.com OR\r\nmsstorageboxes.com OR officeaddons.com OR officestoragebox.com OR pbxcloudeservices.com OR\r\npbxphonenetwork.com OR pbxsources.com OR sbmsa.wiki OR sourceslabs.com OR\r\nvisualstudiofactory.com OR zacharryblogs.com OR qwepoi123098.com”. \r\nSource: https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html"
	],
	"report_names": [
		"investigating-3cx-desktop-application-attacks-what-you-need-to-know.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434750,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d1f274ad40b2580dec88561ca4cd6c73f9fc2454.pdf",
		"text": "https://archive.orkl.eu/d1f274ad40b2580dec88561ca4cd6c73f9fc2454.txt",
		"img": "https://archive.orkl.eu/d1f274ad40b2580dec88561ca4cd6c73f9fc2454.jpg"
	}
}