3CX Supply Chain Compromise
Lazarus pulls off the first publicly documented cascading software supply-chain compromise
Mandiant attributed the intrusion to UNC4736, a cluster they assess with high confidence is a North Korean state-sponsored threat actor distinct from — but overlapping with — the broader Lazarus Group (MITRE G0032). CrowdStrike tracks the same cluster as Labyrinth Chollima. Kaspersky linked tooling to AppleJeus, a longstanding DPRK financial-targeting cluster. Mandiant's April 20 2023 report established that the 3CX intrusion was itself initiated by a prior supply-chain compromise of Trading Technologies' X_Trader software — making this the first publicly documented cascading software supply-chain attack.
Lazarus operators compromised a 3CX employee's machine by having them install a trojanized build of Trading Technologies' X_Trader software — itself a prior supply-chain compromise. That initial access let operators pivot into 3CX's build environment and inject a backdoor into the signed 3CXDesktopApp Electron installer, which 3CX then distributed through its official update channel to roughly 600,000 customer organisations worldwide. The trojanized app downloaded second-stage URLs hidden inside base64-encoded data appended to ICO files hosted on GitHub, then deployed the IconicStealer infostealer. SentinelOne, CrowdStrike, and Sophos EDRs alerted on March 22 2023. Mandiant's final analysis confirmed the cascading vendor-A-to-vendor-B-to-customers chain — a structural first in publicly documented supply-chain intrusions.
Phase 01 · Stage Zero: X_Trader Cascade (TA0001)
A trojanized Trading Technologies installer gave Lazarus its foothold inside 3CX — the root of the cascade
- Trading Technologies discontinued X_Trader in 2020, but the installer remained downloadable from the vendor's website. Lazarus compromised TT's distribution infrastructure and trojanized the X_Trader installer with a backdoor prior to the 3CX intrusion.
- A 3CX employee downloaded and installed the trojanized X_Trader binary on a personal or developer machine sometime in mid-2022, as confirmed by Mandiant's forensic analysis published April 20 2023.
- X_Trader's Windows installer was signed with a legitimate Trading Technologies code-signing certificate, so standard endpoint controls saw no visible indicator of compromise.
- This is the first publicly documented instance of a supply-chain compromise (vendor A — Trading Technologies) being used as the entry point to execute a second supply-chain attack (vendor B — 3CX), creating a cascading effect that ultimately reached 3CX's ~600,000 customer organisations.
- Mandiant designated the actor as UNC4736; the TT compromise established the beachhead from which operators moved laterally into 3CX corporate systems.
Phase 02 · Build Environment Compromise (TA0003)
From one compromised developer machine, operators tunnelled into 3CX's build pipeline
- Using credentials and access obtained from the trojanized X_Trader installation, operators established persistence and moved laterally within 3CX's corporate network to reach the build and signing environment.
- 3CX's macOS and Windows build systems were both compromised, enabling the attackers to inject malicious code into two separate products: the Windows Electron app and the macOS Electron app.
- The operators modified the legitimate 3CXDesktopApp source or build artifacts prior to signing, so that the final installer binaries carried the backdoor while still being signed with 3CX's authentic code-signing certificate.
- The compromise of the build environment remained undetected for an extended period, allowing multiple trojanized build versions to be produced and distributed through official update channels.
Phase 03 · Distribution via Official Channel (TA0001)
Signed, trojanized 3CXDesktopApp installers shipped through 3CX's own update infrastructure to 600,000 customer organisations
- The backdoored 3CXDesktopApp was distributed as an auto-update through 3CX's official update servers — the same channel customers trusted for every prior release. No user interaction beyond accepting a routine update was required.
- Both the Windows Electron installer (3CXDesktopApp-18.12.416.msi and related builds) and the macOS DMG (3CXDesktopApp-18.11.1213.dmg and related builds) were trojanized. Both carried valid digital signatures.
- 3CX serves approximately 600,000 customer organisations and 12 million daily users; exposure was global and cross-sector, with confirmed downstream interest in energy and financial services targets.
- The malicious Windows builds included a trojanized ffmpeg.dll and a file named d3dcompiler_47.dll that stored an encrypted payload. The macOS package included a trojanized libffmpeg.dylib.
- SentinelOne, CrowdStrike, and Sophos flagged the trojanized app on March 22 2023, the date of public detection. 3CX initially asked customers to uninstall and published a formal advisory March 29 2023.
Indicators
- 3CXDesktopApp-18.12.416.msi — Trojanized Windows installer; one of several affected build versions
- ffmpeg.dll — Trojanized DLL bundled in the Windows Electron app; used as first-stage loader
- d3dcompiler_47.dll — Encrypted second-stage payload carrier, Windows
- aa124a4b4d…e9b670 — Trojanized ffmpeg.dll (Windows) — SentinelOne SmoothOperator IOC list
- 11be1803e2…423b03 — d3dcompiler_47.dll payload carrier (Windows) — SentinelOne IOC list
Sources
- SmoothOperator: Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack · SentinelOne · 2023-03-29
- CrowdStrike Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp · CrowdStrike · 2023-03-29
- 3CX Security Alert — Official Incident Page · 3CX · 2023-03-29
- 3CX Supply Chain Attack — Threat Brief · Volexity · 2023-03-30
Phase 04 · Execution (TA0002)
The Electron app loaded a trojanized ffmpeg.dll that decrypted and ran a shellcode payload hidden inside d3dcompiler_47.dll
- When the victim launched 3CXDesktopApp, the legitimate Electron process loaded the trojanized ffmpeg.dll via standard DLL search order. The trojanized DLL contained no immediately visible payload — it read an encrypted blob from d3dcompiler_47.dll.
- After a 7-day dormancy delay built into the malware (likely to evade sandbox analysis), the shellcode decrypted from d3dcompiler_47.dll was reflectively loaded into memory and executed.
- The dormancy delay was a deliberate sandbox-evasion mechanism: automated analysis sandboxes typically do not wait 7 days, so the payload never executed in automated detonation environments during the initial distribution window.
- On macOS, the trojanized libffmpeg.dylib served the equivalent role as a first-stage loader embedded inside the signed DMG package.
Phase 05 · Command & Control (TA0011)
Second-stage C2 URLs were base64-encoded inside ICO files hosted on a GitHub repository, then fetched over HTTPS
- The shellcode payload reached out to a GitHub repository — `raw.githubusercontent.com/IconStorages/images/main/` — to download a series of ICO (icon) files with names like `icon0.ico`, `icon1.ico`, etc.
- Each ICO file contained a valid icon image followed by a base64-encoded string appended at the end of the file. The malware parsed this appended data to extract the actual C2 server URL.
- Using a legitimate file-hosting service (GitHub) over HTTPS made the traffic nearly indistinguishable from normal application traffic and bypassed URL-reputation blocking for GitHub's domain.
- The technique of hiding data inside ICO files was novel in the context of supply-chain operations; it became a defining characteristic of the 'SmoothOperator' campaign name assigned by SentinelOne.
- The GitHub repository (`IconStorages/images`) was taken down by GitHub after public disclosure on March 29 2023.
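As an added, defender-side illustration of the ICO carrier described in this phase (not code from the original page or from any vendor report): the function below parses an ICO directory to find where the last image ends and flags any trailing bytes, decoding them as base64 when they are. The sample ICO and the URL it carries are constructed placeholders, not real indicators.

```python
import base64
import binascii
import struct

# Constructed sample: a minimal one-entry ICO with a dummy image body, then an
# appended base64 string. The URL is a placeholder, not a real indicator.
_IMG = b"\x89PNG-placeholder-image-bytes"
_HDR = struct.pack("<HHH", 0, 1, 1)                 # reserved, type=1 (ICO), count=1
_DIR = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(_IMG), 6 + 16)
CLEAN_ICO = _HDR + _DIR + _IMG
APPENDED = base64.b64encode(b"https://example.invalid/stage2").decode()
SUSPECT_ICO = CLEAN_ICO + APPENDED.encode()


def ico_payload_end(data: bytes) -> int:
    """Offset where the last image the ICO directory accounts for ends."""
    if len(data) < 6:
        raise ValueError("too short for an ICO header")
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count                            # header plus directory entries
    for i in range(count):
        # bytesInRes and imageOffset sit at bytes 8..15 of each 16-byte entry
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        end = max(end, offset + size)
    return end


def trailing_data(data: bytes) -> bytes:
    """Bytes after the last declared image; a well-formed icon has none."""
    return data[ico_payload_end(data):]


def appended_base64_text(data: bytes):
    """Decode the trailing bytes as base64 text; None if absent or not base64."""
    tail = trailing_data(data).strip()
    if not tail:
        return None
    try:
        return base64.b64decode(tail, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
```

Run over a directory of downloaded icons, any non-empty result from `trailing_data` is worth a closer look even when it does not decode as text.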
Phase 06 · Collection (TA0009)
IconicStealer harvested browser history and credentials; Gopuram backdoor enabled hands-on access to selected targets
- The primary third-stage payload deployed to broad victim sets was IconicStealer (named by Mandiant): an information stealer that collected browser history and data stored in browser profiles from Chromium-based browsers and Firefox.
- IconicStealer exfiltrated collected data to operator-controlled infrastructure. Its design suggests an initial reconnaissance sweep to triage which victims warranted deeper access.
- Kaspersky identified a separate, more capable implant — Gopuram — deployed selectively to a small number of targets, specifically cryptocurrency-related businesses. Kaspersky linked Gopuram to the DPRK's AppleJeus cluster based on shared code and infrastructure.
- Mandiant and others observed selective follow-on hands-on-keyboard activity at a small subset of victims — consistent with the 'spray and select' pattern established by SUNBURST — focused on entities in the energy and financial services sectors.
- The distinction between broad IconicStealer deployment and selective Gopuram/hands-on deployment mirrors the SolarWinds operational pattern: wide initial reach, narrow manual exploitation.
Phase 07 · Detection & Attribution (TA0043)
EDR alerts on March 22 triggered public disclosure; Mandiant's forensic trail led back through 3CX to Trading Technologies
- On March 22 2023 SentinelOne, CrowdStrike, and Sophos EDR products began alerting on anomalous behavior from 3CXDesktopApp.exe — specifically the signed process making network connections to external infrastructure outside normal application behavior.
- CrowdStrike initially considered a false positive, given the binary's valid 3CX certificate, but quickly ruled that out and published a formal advisory on March 29 alongside SentinelOne's 'SmoothOperator' write-up.
- 3CX CEO Nick Galea confirmed the compromise on March 29 2023 and advised customers to uninstall the desktop app pending a clean release. 3CX published a formal incident page the same day.
- Mandiant's forensic investigation, commissioned by 3CX, traced the intrusion backwards from the 3CX build environment through the employee's machine to the trojanized X_Trader installer — publishing the cascade finding on April 20 2023.
- Attribution to UNC4736 / Labyrinth Chollima / Lazarus Group was based on overlapping tooling, infrastructure, and code shared with prior DPRK operations including AppleJeus cryptocurrency-targeting campaigns.
- CISA and partner agencies published joint advisory AA23-158A on June 7 2023 confirming attribution and providing additional defensive guidance.
Sources
- SmoothOperator: Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack · SentinelOne · 2023-03-29
- CrowdStrike Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp · CrowdStrike · 2023-03-29
- 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise · Mandiant / Google Cloud · 2023-04-20
- CISA Advisory AA23-158A — 3CX Desktop App Supply Chain Attack · CISA · 2023-06-07
Diamond Model (Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework)
- Adversary: Labyrinth Chollima / Lazarus Group (DPRK)
- Capability: T1195.002, T1566.002, T1554, T1078, T1570, +1 more
- Infrastructure: raw.githubusercontent.com/IconStorages/images/main/
- Victim: See narrative above
Sources
- SmoothOperator: Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack · SentinelOne · 2023-03-29
- CrowdStrike Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp · CrowdStrike · 2023-03-29
- 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise · Mandiant / Google Cloud · 2023-04-20
- Gopuram Backdoor Deployed Through 3CX Supply Chain Attack · Kaspersky GReAT · 2023-04-03
- 3CX Supply Chain Attack — Threat Brief · Volexity · 2023-03-30
- 3CX Security Alert — Official Incident Page · 3CX · 2023-03-29
- CISA Advisory AA23-158A — 3CX Desktop App Supply Chain Attack · CISA · 2023-06-07
- G0032 — Lazarus Group · MITRE ATT&CK