threatintel
actor tracker
Lazarus Group
Compromiseseverity: Critical2023-03-29

3CX Desktop App supply-chain compromise

published by Mandiant
Actor
Lazarus GroupKP · DPRKAPT

DPRK state-sponsored umbrella set associated with the Reconnaissance General Bureau. Mixes financially-motivated operations (including major cryptocurrency exchange thefts and SWIFT-network bank intr…

Summary

Trojanized installers of 3CX's desktop softphone application were distributed via 3CX's official channels. Multiple vendors attributed the operation to a Lazarus subcluster (UNC4736 / Labyrinth Chollima), with downstream second-stage targeting observed against cryptocurrency-related entities.

Tags

supply-chain3cxcryptocurrency

Primary source

cloud.google.com

Other Lazarus Group events