{
	"id": "0ddd93c5-d0ef-41b9-9668-dc7ca7c6949a",
	"created_at": "2026-04-06T00:12:58.709587Z",
	"updated_at": "2026-04-10T13:12:00.813392Z",
	"deleted_at": null,
	"sha1_hash": "fc7107913e8b8b17dbd0b8ae2fef332591562a02",
	"title": "Security Update Thursday 20 April 2023 – Initial Intrusion Vector Found",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50562,
	"plain_text": "Security Update Thursday 20 April 2023 – Initial Intrusion Vector Found\r\nBy Agathocles Prodromou\r\nPublished: 2023-04-20 · Archived: 2026-04-05 17:52:11 UTC\r\nMandiant identifies the source of internal network compromise\r\nWhile Mandiant’s investigation is still ongoing, we now have a clear overall understanding of the attack. Following our previous update, we would like to share some additional technical details to support our customers and the community. We have also published additional indicators of compromise that organizations can use in their network defenses.\r\nInitial Intrusion Vector\r\nMandiant identified that our internal network compromise began in 2022 when an employee installed the Trading Technologies X_TRADER software on the employee’s personal computer. Although the X_TRADER installer was downloaded from the Trading Technologies website, it contained VEILEDSIGNAL malware, which enabled the threat actor (identified as UNC4736) to initially compromise the employee’s personal computer and maintain persistence on it.\r\nThe X_TRADER installer (X_TRADER_r7.17.90p608.exe) was digitally signed by a valid code signing certificate with the subject “Trading Technologies International, Inc”. It was hosted on hxxps://download.tradingtechnologies[.]com. 
While the X_TRADER software was reportedly retired in 2020 by Trading Technologies, it was still available for download from the Trading Technologies website in 2022. The code signing certificate used to sign the malicious software was set to expire in October 2022.\r\nFor more technical detail on the X_TRADER software supply chain attack, including YARA rules for hunting, please read Mandiant’s blog at https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise.\r\nLateral Movement\r\nFollowing the initial compromise of the employee’s personal computer with VEILEDSIGNAL malware, Mandiant assesses that the threat actor stole the employee's 3CX corporate credentials from that system. VEILEDSIGNAL is fully featured malware that gave the threat actor administrator-level access to, and persistence on, the compromised system. The earliest evidence of compromise uncovered within the 3CX corporate environment was access through the VPN using the employee's corporate credentials two days after the employee's personal computer was compromised.\r\nAdditionally, Mandiant identified the use of the Fast Reverse Proxy tool (https://github.com/fatedier/frp), which the threat actor used to move laterally within the 3CX environment. The tool was named MsMpEng.exe and located in the C:\\Windows\\System32 directory.\r\nhttps://www.3cx.com/blog/news/mandiant-security-update2/\r\nPage 1 of 3\n\nCI/CD Build Environment Compromise\r\nMandiant’s investigation was able to reconstruct the threat actor’s steps through our environment as they harvested credentials and moved laterally. Eventually, the threat actor was able to compromise both the Windows and macOS build environments. On the Windows build environment, the attacker deployed the TAXHAUL launcher and COLDCAT downloader, which persisted via DLL hijacking of the IKEEXT service and ran with LocalSystem privileges. 
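To hunt for the Windows-side indicators in this update on a host or a file share, here is a small sweep written for this page as an added example (it is not 3CX or Mandiant code). It hashes every file once with MD5, SHA1 and SHA256 and matches the results against the hashes published under Indicators of Compromise below, and it flags any MsMpEng.exe that is not sitting under a Windows Defender directory, since the renamed frp binary described under Lateral Movement lived in System32. The Defender-directory rule and the sample file tree are assumptions made for the example; the hash values are the ones published in this update.

```python
import hashlib
import tempfile
from pathlib import Path

# Hashes published in this update (Indicators of Compromise section).
IOC_HASHES = {
    'md5': {
        'ef4ab22e565684424b4142b1294f1f4d',    # X_TRADER_r7.17.90p608.exe
        '00a43d64f9b5187a1e1f922b99b09b77',    # Setup.exe
        '19dbffec4e359a198daf4ffca1ab9165',    # MsMpEng.exe (renamed frp)
    },
    'sha1': {
        'ced671856bbaef2f1878a2469fb44e9be8c20055',
        '3bda9ca504146ad5558939de9fece0700f57c1c0',
        'd7ba13662fbfb254acaad7ae10ad51e0bd631933',
    },
    'sha256': {
        'fbc50755913de619fb830fb95882e9703dbfda67dbd0f75bc17eadc9eda61370',
        '6e11c02485ddd5a3798bf0f77206f2be37487ba04d3119e2d5ce12501178b378',
        '24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a',
    },
}


def hash_file(path):
    # One read of the file feeds all three digests, so a large build tree
    # is not read three times over.
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b''):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {'md5': md5.hexdigest(), 'sha1': sha1.hexdigest(), 'sha256': sha256.hexdigest()}


def is_masquerading_defender(path):
    # Assumption for this example: the genuine Microsoft Defender engine binary
    # lives under a directory named Windows Defender; an MsMpEng.exe anywhere
    # else (the renamed frp tool sat in System32) is treated as a masquerade.
    path = Path(path)
    if path.name.lower() != 'msmpeng.exe':
        return False
    parent_names = {p.name.lower() for p in path.parents}
    return 'windows defender' not in parent_names


def sweep(root, iocs=IOC_HASHES):
    # Returns (path, kind, detail) triples for every file under root that
    # matches a published hash or fails the MsMpEng.exe location check.
    findings = []
    for path in sorted(Path(root).rglob('*')):
        if not path.is_file():
            continue
        digests = hash_file(path)
        matched = [algo for algo, value in digests.items() if value in iocs.get(algo, ())]
        if matched:
            findings.append((str(path), 'hash-match', ','.join(matched)))
        if is_masquerading_defender(path):
            findings.append((str(path), 'masquerade', 'MsMpEng.exe outside a Windows Defender directory'))
    return findings


def build_demo_tree():
    # Constructed sample tree for a stand-alone run; none of these files are
    # real binaries, so only the location rule fires against them.
    root = Path(tempfile.mkdtemp(prefix='ioc_sweep_'))
    sys32 = root / 'Windows' / 'System32'
    defender = root / 'Program Files' / 'Windows Defender'
    sys32.mkdir(parents=True)
    defender.mkdir(parents=True)
    (sys32 / 'MsMpEng.exe').write_bytes(b'MZ stand-in for the renamed frp binary')
    (sys32 / 'notepad.exe').write_bytes(b'MZ stand-in for a benign binary')
    (defender / 'MsMpEng.exe').write_bytes(b'MZ stand-in for the genuine engine')
    return root


if __name__ == '__main__':
    for hit in sweep(build_demo_tree()):
        print(hit)
```

Run as is, the script sweeps the constructed tree and reports only the System32 copy of MsMpEng.exe; pointing sweep() at a real volume or share returns the same triples. The masquerade rule is deliberately a location check rather than a hash check, so it also fires on a renamed binary whose hash is not on this list, which is the case for any freshly built frp.
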
\r\nThe macOS build server was compromised with a POOLRAT backdoor that used LaunchDaemons for persistence.\r\nAttribution\r\nBased on its investigation into the 3CX intrusion and supply chain attack so far, Mandiant attributes the activity to a threat actor cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus.\r\nIndicators of Compromise\r\nX_TRADER_r7.17.90p608.exe\r\nSHA256: fbc50755913de619fb830fb95882e9703dbfda67dbd0f75bc17eadc9eda61370\r\nSHA1: ced671856bbaef2f1878a2469fb44e9be8c20055\r\nMD5: ef4ab22e565684424b4142b1294f1f4d\r\nSetup.exe\r\nSHA256: 6e11c02485ddd5a3798bf0f77206f2be37487ba04d3119e2d5ce12501178b378\r\nSHA1: 3bda9ca504146ad5558939de9fece0700f57c1c0\r\nMD5: 00a43d64f9b5187a1e1f922b99b09b77\r\nCode signing certificate serial #\r\n9599605970805149948\r\nMsMpEng.exe\r\nSHA256: 24d5dd3006c63d0f46fb33cbc1f576325d4e7e03e3201ff4a3c1ffa604f1b74a\r\nSHA1: d7ba13662fbfb254acaad7ae10ad51e0bd631933\r\nMD5: 19dbffec4e359a198daf4ffca1ab9165\r\nCommand and Control\r\nMandiant identified that malware within the 3CX environment made use of the following additional command and control infrastructure.\r\nwww.tradingtechnologies[.]com/trading/order-management\r\nGoing Forward\r\nOur priority throughout this incident has been transparency around what we know as well as the actions we’ve taken.\r\nAs we wind down our incident investigation, 3CX has taken this opportunity to continue to strengthen our policies, practices, and technology to further protect against future attacks. With that, we’re announcing a 7 Step Security Action Plan. In this plan, we’re committing to actionable steps to harden our defenses. You can read in more detail here.\r\nSource: https://www.3cx.com/blog/news/mandiant-security-update2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.3cx.com/blog/news/mandiant-security-update2/"
	],
	"report_names": [
		"mandiant-security-update2"
	],
	"threat_actors": [
		{
			"id": "e265bb3a-eb4c-4999-9b1d-c24a0d05a7f0",
			"created_at": "2023-12-21T02:00:06.096716Z",
			"updated_at": "2026-04-10T02:00:03.502439Z",
			"deleted_at": null,
			"main_name": "UNC4736",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4736",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc7107913e8b8b17dbd0b8ae2fef332591562a02.pdf",
		"text": "https://archive.orkl.eu/fc7107913e8b8b17dbd0b8ae2fef332591562a02.txt",
		"img": "https://archive.orkl.eu/fc7107913e8b8b17dbd0b8ae2fef332591562a02.jpg"
	}
}