Compromiseseverity: Critical2023-03-29
3CX Desktop App supply-chain compromise
published by Mandiant
Actor
DPRK state-sponsored umbrella set associated with the Reconnaissance General Bureau. Mixes financially-motivated operations (including major cryptocurrency exchange thefts and SWIFT-network bank intr…
Summary
Trojanized installers of 3CX's desktop softphone application were distributed via 3CX's official channels. Multiple vendors attributed the operation to a Lazarus subcluster (UNC4736 / Labyrinth Chollima), with downstream second-stage targeting observed against cryptocurrency-related entities.
Tags
supply-chain3cxcryptocurrency
Primary source
cloud.google.comOther Lazarus Group events
- 2026-04-18Lazarus / TraderTraitor steals $577M from Drift + KelpDAO inside three weeks
- 2025-02-21Lazarus / TraderTraitor executes $1.5B Bybit heist — largest crypto theft in history
- 2024-12-23FBI attributes $308M DMM Bitcoin theft to DPRK TraderTraitor
- 2022-03-29Ronin Network bridge theft (~$620M)
- 2017-05-12WannaCry global ransomware outbreak