{
	"id": "1898e4a7-8f2f-45b6-b563-ddaca2aa7574",
	"created_at": "2026-04-06T00:17:23.21328Z",
	"updated_at": "2026-04-10T03:21:48.470379Z",
	"deleted_at": null,
	"sha1_hash": "dbe880ca6939fcdce7196bfc154de6f098202ab1",
	"title": "Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign | Rapid7 Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69262,
	"plain_text": "Backdoored 3CXDesktopApp Installer Used in Active Threat\r\nCampaign | Rapid7 Blog\r\nBy Rapid7\r\nPublished: 2023-03-30 · Archived: 2026-04-05 16:12:50 UTC\r\nEmergent threats evolve quickly. We will update this blog with new information as it comes to light and we are\r\nable to verify it. Erick Galinkin, Ted Samuels, Zach Dayton, Eoin Miller, Caitlin Condon, Stephen Fewer, Spencer\r\nMcIntyre, and Christiaan Beek all contributed to this blog.\r\nOn Wednesday, March 29, 2023, multiple security firms issued warnings about malicious activity coming from a\r\nlegitimate, signed binary from communications technology company 3CX. The binary, 3CXDesktopApp, is\r\npopular video-conferencing software available for download on all major platforms. Several analyses have\r\nattributed the threat campaign to state-sponsored threat actors, and security firms have observed malicious activity\r\nin both Windows and Mac environments.\r\nRapid7’s threat research teams analyzed the 3CXDesktopApp Windows binary and confirmed that the 3CX MSI\r\ninstaller drops the following files: 3CXDesktopApp.exe, a benign file that loads the backdoored ffmpeg.dll, which\r\nreads an RC4-encrypted blob after the hexadecimal demarcation of fe ed fa ce in d3dcompiler.dll. The RC4-encrypted blob in d3dcompiler.dll is executable code that is reflectively loaded and retrieves .ico files with\r\nappended Base64-encoded strings from GitHub. The encoded strings appear to be command-and-control (C2)\r\ncommunications. There is a non-exhaustive list of indicators of compromise (IOCs) at the end of this blog.\r\nRapid7 reached out to GitHub’s security team the evening of March 29 about the GitHub repository being used as\r\nadversary infrastructure in this campaign. 
As of 9:40 PM ET, the malicious user has been suspended and the\r\nrepository is no longer available.\r\nRapid7 Managed Detection and Response (MDR) has observed the backdoored 3CX installer and components in\r\nseveral customer environments as of March 29, 2023. Rapid7 MDR is in contact with customers that we believe\r\nmay be impacted.\r\nMitigation Guidance\r\nOfficial guidance from 3CX confirms that the following clients and versions are affected:\r\nElectron Windows App (shipped in Update 7) versions 18.12.407 and 18.12.416\r\nElectron Mac App versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416\r\nAs of March 30 at 11 AM ET, 3CX has not confirmed which versions of the 3CXDesktopApp are definitively\r\nunaffected.\r\nUpdate March 31: 3CX has released new versions of their Windows and Mac Electron app as of March 31. Their\r\nupdate included the following statement:\r\nhttps://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/\r\nPage 1 of 4\n\n\"The Electron App update that we are releasing today is considered to be secure but there is no guarantee given\r\nthat we only had 24 hours to make the necessary adjustments.\"\r\nRapid7 is continuing to advise customers to pursue a conservative mitigation strategy of uninstalling\r\n3CXDesktopApp on all platforms and removing any artifacts left behind. Users should retroactively hunt for\r\nindicators of compromise and block known-bad domains. There is a non-exhaustive list of known-bad domains\r\nand malicious file hashes at the end of this blog.\r\n3CX has a browser-based Progressive Web App (PWA) that does not require the user to download an executable\r\nfile. Users should leverage this PWA for the time being instead of downloadable clients. 
3CX is intermittently\r\nissuing updated guidance here.\r\nRapid7 customers\r\nThe following new rules have been added for Rapid7 InsightIDR and Managed Detection \u0026 Response (MDR)\r\ncustomers and will alert on known-bad hashes and file versions of the backdoored executable, as well as known-bad domains in WEB_PROXY and DNS logs:\r\nSuspicious Web Request - 3CX Desktop Supply Chain Compromise\r\nSuspicious DNS Request - 3CX Desktop Supply Chain Compromise\r\nSuspicious Process - 3CX Desktop Supply Chain Compromise\r\nInsightVM and Nexpose customers can use Query Builder (asset.software.product CONTAINS '3CX Desktop\r\nApp') or a Filtered Asset Search (Software Name contains 3CX Desktop App) to find assets in their environment\r\nwith 3CX installed. The March 30 content release also contains a check that will report any installed version of\r\n3CX Desktop App as vulnerable. This check may be refined as new information regarding vulnerable versions\r\ncomes to light.\r\nA Velociraptor artifact is available here.\r\nIndicators of compromise\r\nA non-exhaustive list of known-bad domains is below. 
We advise blocking these immediately:\r\nMore granular URLs our team has decrypted from C2 communications include:\r\nFile hashes:\r\nCompromised MSI: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868\r\n3CXDesktopApp.exe: fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405\r\nffmpeg.dll: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896\r\nd3dcompiler_47.dll: 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03\r\nThe following file hashes have been reported as related and malicious 
by the community but not independently\r\nverified by Rapid7 analysts:\r\ndde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc\r\n92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61\r\nb86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb\r\nUpdates\r\nApril 3, 2023: CVE-2023-29059 has been assigned to this issue.\r\nSource: https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2023/03/30/backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign/"
	],
	"report_names": [
		"backdoored-3cxdesktopapp-installer-used-in-active-threat-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbe880ca6939fcdce7196bfc154de6f098202ab1.pdf",
		"text": "https://archive.orkl.eu/dbe880ca6939fcdce7196bfc154de6f098202ab1.txt",
		"img": "https://archive.orkl.eu/dbe880ca6939fcdce7196bfc154de6f098202ab1.jpg"
	}
}