Home / Threat Intelligence bulletins / 3CX desktop app compromised in supply-chain attack

Update: 3CX supply chain attack linked to prior supply chain compromise – 20th April 2023 


On 20th April 2023 it was discovered that the 3CX software supply chain attack resulted from a prior Trading Technologies software supply chain attack. The initial 3CX compromise was via a ‘trojanised’ software installer of the X_TRADER trading platform.  

The deployment of the X_TRADER installer led to the deployment of a multi-stage modular backdoor, tracked as “VEILEDSIGNAL”, to a 3CX employee’s personal computer. Using VEILEDSIGNAL, the associated threat actors were able to harvest 3CX employees’ credentials and establish persistence on the compromised system.  

Further, the threat actors conducted lateral movement within the 3CX environment via the Fast Reverse Proxy tool (frpc.exe), which was renamed to MsMpEng.exe, a known Microsoft Malware Protection Engine executable.

The adversaries were then reported to have compromised the 3CX Windows and macOS build environments and deploy several strains of malware, such as TAXHAUL launcher, COLDCAT downloader, and POOLRAT backdoor via DLL hijacking.  

Updated Indicators of Compromise 

SHA256 file hashes: 

– 480b8c9df70396f44cdca00fd860fdf38ce1d8493ebeed6fe679dd3fd799b7f6 

– beb775af5196f30e0ee021790a4978ca7a7ac2a7cf970a5a620ffeb89cc60b2c 

– cc36b610705d96dd8a82faf8bce1e1d6197948518318f2332323de3c5d05999d 

– 97b95b4a5461f950e712b82783930cb2a152ec0288c00a977983ca7788342df7 

– 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 

– fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 

– e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec 

– b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb 

– 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 


SHA1 file hashes: 

– 3bda9ca504146ad5558939de9fece0700f57c1c0 

– ced671856bbaef2f1878a2469fb44e9be8c20055 

– d7ba13662fbfb254acaad7ae10ad51e0bd631933 


MD5 file hashes: 

– 19dbffec4e359a198daf4ffca1ab9165 

– 00a43d64f9b5187a1e1f922b99b09b77 

– ef4ab22e565684424b4142b1294f1f4d 


Email addresses: 

[email protected] 

[email protected] 

[email protected] 

[email protected] 

[email protected] 



– hxxps[://]www[.]3cx[.]com/blog/event-trainings/ 

– hxxps[://]akamaitechcloudservices[.]com/v2/storage 

– hxxps[://]akamaitechcloudservices[.]com/v2/storage 

– hxxps[://]azureonlinestorage[.]com/azure/storage 

– hxxps[://]msedgepackageinfo[.]com/microsoft-edge 

– hxxps[://]glcloudservice[.]com/v1/console 

– hxxps[://]pbxsources[.]com/exchange 

– hxxps[://]msstorageazure[.]com/window 

– hxxps[://]officestoragebox[.]com/api/session 

– hxxps[://]visualstudiofactory[.]com/workload 

– hxxps[://]azuredeploystore[.]com/cloud/services 

– hxxps[://]msstorageboxes[.]com/office 

– hxxps[://]officeaddons[.]com/technologies 

– hxxps[://]sourceslabs[.]com/downloads 

– hxxps[://]zacharryblogs[.]com/feed 

– hxxps[://]pbxcloudeservices[.]com/phonesystem 

– hxxps[://]pbxphonenetwork[.]com/voip 

– hxxps[://]msedgeupdate[.]net/Windows 

Threat Group 

The supply chain attack has been attributed with high confidence to the threat cluster tracked as “UNC4736”, to North Korean threat actors. There is also a realistic possibility that UNC4736 is linked to APT43’s previous clusters, tracked as “UNC3782” and “UNC4469”, due to the overlaps in their infrastructures and DNS resolutions. 

Updated Mitre Methodologies 

Reconnaissance Technique: 

T1589.001– Gather Victim Identity Information: Credentials 

Resource Development: 

T1586 – Compromise Accounts 

Initial Access Technique: 

T1189– Drive-by Compromise 

T1190– Exploit Public-Facing Application 

Execution Technique: 

T1204.002 – User Execution: Malicious File 

Defense Evasion: 

T1574.002– Hijack Execution Flow: DLL Side-Loading 

Collection Technique:  

T1005 – Data from Local System 

Command and Control Technique: 

T1105 – Ingress Tool Transfer 

Impact Technique: 

T1565 – Data Manipulation 

Updated Further Information 

Mandiant Report

3CX Blog

Backdoor deployed via 3CX supply-chain attack (3rd April 2023)


The threat actor group, suspected to be ‘Labyrinth Collima’, that recently compromised 3CX’s VoIP desktop application to distribute information-stealing software to the company’s customers, has also deployed a second-stage backdoor on compromised systems. Investigations have confirmed that the threat actor additionally infected target systems with the modular Gopuram backdoor, malware that North Korea’s Labyrinth Collima group has used in campaigns dating back to 2020.

An updated analysis of the incident has demonstrated that the threat actors may have exploited the Windows vulnerability, tracked as CVE-2013-3900.

Updated Impact

The Gopuram backdoor contains several modules that operators can use to exfiltrate data, interact directly with victim systems, install additional malware, start/stop and delete services. The second-stage payload is dropped by the threat actors for the purposes of cyber espionage. The backdoor implements commands that allow the attackers to interact with the victim’s file system and create processes on the infected machine.

CVE-2013-3900: The WinVerifyTrust function in Microsoft Windows systems does not properly validate PE file digests during Authenticode signature verification. Successful exploitation of this vulnerability allows remote threat actors to execute arbitrary code via a crafted PE file. In the incident reported on, the threat actors have exploited the vulnerability to make it appear that the malicious Dynamic-Link libraries (DLLs) used to drop additional payloads were legitimately signed.

Updated Indicators of Compromise

Gopuram associated file hashes (MD5):

– 9f85a07d4b4abff82ca18d990f062a84
– 96d3bbf4d2cf6bc452b53c67b3f2516a

Gopuram associated file paths:

– C:\Windows\System32\config\TxR\< machine hardware profile GUID >.TxR.0.regtrans-ms
– C:\Windows\system32\catroot2\edb.chk.log

Updated Containment, Mitigations & Remediations

It is strongly recommended that 3CX users uninstall the Electron desktop application from all Windows and MacOS systems and to switch to the progressive web application (PWA) Web Client App. A script for mass uninstalling the application across networks is available on the associated 3CX blog.

To mitigate against the threat of the Gopuram backdoor, it is recommended that the following security practices are followed:

– Ensure that employees are provided basic cyber security hygiene training, as many targeted attacks start with phishing or other social engineering techniques
– Carry out a cyber security audit of networks and remediate any weaknesses discovered in the perimeter or inside the network
– Utilise an effective and monitored endpoint detection and response (EDR) solution, such as Microsoft Defender.

Updated Threat Landscape

The 3CX Phone System has over 12 million daily users and is interacted with by over 600,000 companies worldwide. Moreover, it has been detected that installations of the infected 3CX software are located all over the world, with the highest infection figures observed in Brazil, Germany, Italy and France.

The Gopuram backdoor has been compromised for some time. However, the prevalence of infections notably increased in March 2023, which has since been directly attributed to the 3CX supply chain attack.

From the details available at the time of writing, it is likely that Gopuram is the final payload deployed within the 3CX attack chain. However, this is not absolutely conclusive as it is possible that further details could emerge.

Updated Further Information

3CX Advisory

Target Industry

3CX has listed customer organisations in the following sectors:

– Automotive
– Food & Beverage
– Hospitality
– Managed Information Technology Service Provider (MSP)
– Manufacturing


A ‘trojanised’ rendition of the 3CX Voice Over Internet Protocol (VOIP) desktop client has emerged as targeting customers of the company as a part of a supply-chain attack. The attack is triggered when the MSI installer is downloaded from the 3CX website or an update is applied to an already installed desktop application. The company’s client list includes high-profile organisations such as BMW, Coca-Cola, McDonald’s, Honda, NHS, Toyota, Mercedes-Benz, IKEA and Holliday Inn.

The malicious activity involves beaconing to a threat actor-controlled infrastructure, deployment of second-stage payloads, and hands-on-keyboard activity. The most prevalent post-exploitation activity observed at the time of writing is the spawning of an interactive command shell. When the MSI or update is installed, a malicious ffmpeg.dll and d3dcompiler_47.dll Dynamic-link Library (DLL) files are extracted, which are used to perform the next stage of the attack.

Tis is a rapidly developing situation. Updates will be provided if possible.


This new malware is capable of harvesting target system data and stored credentials from Google Chrome, Microsoft Edge, Brave, and Firefox user profiles.

Vulnerability Detection

Indicators of Compromise (IoCs) have been provided, allowing the relevant threat hunting strategies to be implemented to detect for compromise.

Affected Products

– Windows and macOS versions of the 3CX softphone application.

Containment, Mitigations & Remediations

Due to the emerging nature of this supply-chain attack, it is currently recommended that 3CX software is removed from endpoints, where reasonably possible, until advised by the vendor that future installers and versions are safe to use.

 Indicators of Compromise

Associated domains:

– akamaicontainer[.]com
– msedgepackageinfo[.]com
– akamaitechcloudservices[.]com
– msstorageazure[.]com
– azuredeploystore[.]com
– msstorageboxes[.]com
– azureonlinecloud[.]com
– officeaddons[.]com
– azureonlinestorage[.]com
– officestoragebox[.]com
– dunamistrd[.]com
– pbxcloudeservices[.]com
– glcloudservice[.]com
– pbxphonenetwork[.]com
– qwepoi123098[.]com
– zacharryblogs[.]com
– sbmsa[.]wiki
– pbxsources[.]com
– sourceslabs[.]com
– journalide[.]org
– visualstudiofactory[.]com

Associated file hashes (SHA256):

– dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc – Windows
– fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 – Windows
– 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 – macOS
– b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb – macOS

Associated installer file hashes (SHA256):

– aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 – 3cxdesktopapp-18.12.407.msi
– 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 – 3cxdesktopapp-18.12.416.msi
– 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 – 3CXDesktopApp-18.11.1213.dmg
– e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec – 3cxdesktopapp-latest.dmg

Associated uniform resource identifiers (URI):

– hxxps://www[.]3cx[.]com/blog/event-trainings/
– hxxps://akamaitechcloudservices[.]com/v2/storage
– hxxps://azureonlinestorage[.]com/azure/storage
– hxxps://msedgepackageinfo[.]com/microsoft-edge
– hxxps://glcloudservice[.]com/v1/console
– hxxps://pbxsources[.]com/exchange
– hxxps://msstorageazure[.]com/window
– hxxps://officestoragebox[.]com/api/session
– hxxps://visualstudiofactory[.]com/workload
– hxxps://azuredeploystore[.]com/cloud/services
– hxxps://msstorageboxes[.]com/office
– hxxps://officeaddons[.]com/technologies
– hxxps://sourceslabs[.]com/downloads
– hxxps://zacharryblogs[.]com/feed
– hxxps://pbxcloudeservices[.]com/phonesystem
– hxxps://pbxphonenetwork[.]com/voip
– hxxps://msedgeupdate[.]net/Windows

Associated URL:

– github[.]com/IconStorages/images

Associated email addresses:

– cliego.garcia@proton[.]me
– philip.je@proton[.]me

Threat Landscape

3CX Private Automatic Branch Exchange (PBX) software is an attractive supply-chain target for threat actors. In addition to monitoring communications of the organisation, attackers can modify call routing or broker connections into voice services.

3CX has a significant portion of the unified-communications market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, 3CX systems have become a prime target. Due to the fact that VOIP systems have become an integral aspect of both personal and business affairs, threat actors will continue to exploit vulnerabilities contained within these products in an attempt to extract the sensitive data.

Threat Group

It is possible that the nation state-backed threat actor group tracked as “Labyrinth Collima”, is responsible for the reported attacks. However, at the time of writing, such an attribution is far from conclusive.

Labyrinth Collima operations are known to overlap with other threat actors. The group is considered to be a subset of the APT37/APT38 cyber-criminal gang, a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.

Mitre Methodologies


TA0001 – Initial Access

Initial access technique:

T1195– Supply Chain Compromise


TA0002 – Execution

Execution technique:

T1059 – Command and Scripting Interpreter


TA0006 – Credential Access

Credential access technique:

T1212– Exploitation for Credential Access

Further Information

CrowdStrike Blog
SentinelOne Blog


Intelligence Terminology Yardstick