3CX supply-chain attack (DPRK)
North Korea-linked actors trojanized the 3CXDesktopApp softphone client and distributed the SmoothOperator malware through a legitimately signed update to a customer base of over 600,000 organizations. It was the first documented cascading software supply-chain compromise: the intrusion into 3CX was itself enabled by a trojanized installer of the X_TRADER trading application.
- Victim: 3CX (3CXDesktopApp customers)
- Scale: 600,000+ customer organizations (potential exposure of the trojanized update)
On 29 March 2023, the security vendors CrowdStrike and SentinelOne disclosed that the 3CXDesktopApp, a softphone client from the VoIP vendor 3CX used by a customer base the company puts at over 600,000 organizations, had been trojanized inside 3CX's own build environment and was distributing malware through a legitimately code-signed update. SentinelOne dubbed the campaign SmoothOperator; it was attributed to North Korea's Lazarus Group and became the first publicly documented cascading software supply-chain compromise.
What happened
Attackers compromised 3CX's build environment and embedded malicious code in the Windows and macOS versions of the 3CXDesktopApp. Because the trojanized installers were signed with 3CX's own legitimate certificate (issued by Sectigo, timestamped by DigiCert), they passed normal trust checks. Affected Windows versions included 18.12.407 and 18.12.416; several macOS builds (18.11.1213, 18.12.402, 18.12.407, 18.12.416) were also infected.
When run, the malware unpacked a multi-stage chain. On Windows, the signed installer dropped a trojanized ffmpeg.dll that the legitimate 3CXDesktopApp.exe loaded (DLL side-loading); that library in turn read an encrypted payload carried inside d3dcompiler_47.dll. After a delay of roughly a week the payload fetched ICO files from a GitHub repository whose appended base64 strings decoded to command-and-control URLs, beaconed to those servers, and ultimately retrieved an information-stealing DLL that collected system details and browser data. On macOS the trojanized libffmpeg.dylib played the equivalent role. In a smaller number of cases, Kaspersky observed a second-stage backdoor named Gopuram deployed onto victims, with a notable concentration among cryptocurrency firms, consistent with Lazarus's financial-theft mandate.
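The appended-data trick the Windows stage relied on is easier to catch with a format-aware parser than with a string search. The following is an added example, not code from 3CX, SentinelOne or the malware itself: it walks the ICO directory, computes the last byte that any image entry references, and reports whatever follows, decoding it as base64 when it validates. It generalizes beyond the campaign in that it handles any number of directory entries and cursor (.cur) files too. The sample icon and the URL it carries are constructed for the example; the hostname is not a real indicator, and the page records only that the appended strings were base64-encoded, so any further encoding layer the real malware applied is outside this check.

```python
"""Format-aware check for data appended past the end of an .ico file.

Added example: the ICO directory tells us exactly where legitimate image
data ends, so anything after that point is trailing data worth inspecting.
"""
import base64
import struct
import sys
from typing import Dict, Optional

ICONDIR_FMT = "<HHH"            # reserved, type (1=icon, 2=cursor), image count
ICONDIRENTRY_FMT = "<BBBBHHII"  # width, height, colors, reserved, planes, bpp, size, offset
ICONDIR_LEN = struct.calcsize(ICONDIR_FMT)            # 6 bytes
ICONDIRENTRY_LEN = struct.calcsize(ICONDIRENTRY_FMT)  # 16 bytes


def legitimate_extent(data: bytes) -> int:
    """Return the offset just past the last byte any directory entry references."""
    if len(data) < ICONDIR_LEN:
        raise ValueError("too short to be an ICO")
    reserved, kind, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    end = ICONDIR_LEN + ICONDIRENTRY_LEN * count
    if end > len(data):
        raise ValueError("truncated icon directory")
    for i in range(count):
        *_, size, offset = struct.unpack_from(
            ICONDIRENTRY_FMT, data, ICONDIR_LEN + ICONDIRENTRY_LEN * i)
        if offset + size > len(data):
            raise ValueError(f"entry {i} points past end of file")
        end = max(end, offset + size)
    return end


def trailing_bytes(data: bytes) -> bytes:
    """Bytes no image entry claims; a well-formed icon has none."""
    return data[legitimate_extent(data):]


def decode_appended_base64(tail: bytes) -> Optional[str]:
    """Strict base64 decode of the trailing bytes, or None if they are not base64."""
    tail = tail.strip()
    if not tail:
        return None
    try:
        raw = base64.b64decode(tail, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace")


def analyze(data: bytes) -> Dict[str, object]:
    """Summarize where the icon ends and what, if anything, is appended."""
    end = legitimate_extent(data)
    tail = data[end:]
    return {
        "legit_size": end,
        "trailing_len": len(tail),
        "decoded": decode_appended_base64(tail),
    }


# --- constructed sample input; the hostname is NOT a real indicator ---------
CONSTRUCTED_C2 = "https://updates.example.invalid/3cx/"


def build_sample_icon() -> bytes:
    """A minimal 1x1 32-bpp icon: ICONDIR + one ICONDIRENTRY + BITMAPINFOHEADER + pixels."""
    # BITMAPINFOHEADER; height is doubled because the AND mask follows the XOR bitmap
    bih = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    xor_pixel = bytes([0x00, 0x00, 0xFF, 0xFF])  # one BGRA pixel
    and_mask = bytes(4)                          # 1-bit mask row, padded to 4 bytes
    image = bih + xor_pixel + and_mask           # 48 bytes
    header = struct.pack(ICONDIR_FMT, 0, 1, 1)
    entry = struct.pack(ICONDIRENTRY_FMT, 1, 1, 0, 0, 1, 32,
                        len(image), ICONDIR_LEN + ICONDIRENTRY_LEN)
    return header + entry + image


def build_tampered_icon() -> bytes:
    """The same icon with a base64 string appended after the last image byte."""
    return build_sample_icon() + base64.b64encode(CONSTRUCTED_C2.encode())


if __name__ == "__main__":
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [build_tampered_icon()]
    for blob in blobs:
        print(analyze(blob))
```

Run it with one or more .ico paths, or with no arguments to analyze the constructed sample. Trailing bytes are a triage signal rather than proof: a handful of legitimate tools pad icon files, so pair a hit with the process that wrote or fetched the file and with the decoded content.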
The cascading supply chain
In April 2023, Mandiant — engaged by 3CX — traced the initial intrusion vector to a separate supply-chain compromise. In 2022, a 3CX employee had installed a trojanized copy of X_TRADER, a futures-trading application from Trading Technologies, on a personal computer. That installer carried the VEILEDSIGNAL backdoor, which gave the threat actor — tracked as UNC4736 — access to the employee's machine and credentials. The attacker then pivoted into 3CX's corporate network via VPN, moved laterally, and reached both the Windows and macOS build environments.
This made 3CX the first publicly documented "cascading" software supply-chain attack: one trojanized software product (X_TRADER) used to compromise the build pipeline of a second software product (3CXDesktopApp), which in turn was distributed to 3CX's downstream customers.
Impact
- 3CX's softphone client is used across a customer base the company cites at over 600,000 organizations, with millions of daily users — the potential blast radius of the trojanized update.
- The number of organizations that received second-stage payloads was far smaller and skewed toward cryptocurrency and financial-trading firms.
- 3CX urged customers to uninstall the desktop app, switch to the browser-based PWA client, and rebuild affected systems; it rebuilt its software pipeline and engaged Mandiant for remediation.
- CVE-2023-29059 was assigned to the trojanized 3CXDesktopApp builds, classified as CWE-506 (embedded malicious code).
Attribution
Mandiant attributed the intrusion to UNC4736, a cluster with strong overlaps to North Korea's Lazarus Group (a.k.a. Hidden Cobra), itself associated with the DPRK Reconnaissance General Bureau and the Operation AppleJeus cryptocurrency-theft campaigns. The targeting of crypto firms and the use of trading-software lures are consistent with Lazarus's long-running financial-theft operations on behalf of the North Korean state.
Why it matters
3CX crystallized the threat of build-system compromise and abused code-signing: defenders' trust in a vendor's signature became the attack vector. It also introduced the cascading supply-chain pattern — a compromise propagating from one software supplier to another and then to end customers — which collapses the assumption that vetting your direct vendor is sufficient. The incident accelerated industry adoption of software bills of materials (SBOMs), build-pipeline integrity controls, and reproducible-build practices, and it reinforced that even signed, trusted updates require behavioral monitoring at the endpoint.
Timeline
- 2022: A 3CX employee installs the trojanized X_TRADER application (from Trading Technologies) on a personal computer; it deploys the VEILEDSIGNAL backdoor, giving UNC4736 a foothold and the employee's credentials.
- Early March 2023: A trojanized 3CXDesktopApp sample is digitally signed with a legitimate 3CX certificate issued by Sectigo, about three weeks before public discovery.
- 22 March 2023: SentinelOne observes a surge in behavioral detections of trojanized 3CXDesktopApp installers, later dubbed SmoothOperator.
- 29 March 2023: CrowdStrike Falcon OverWatch reports malicious activity from the legitimately signed 3CXDesktopApp binary; 3CX confirms the compromise and the incident becomes public.
- 30 March 2023: CISA publishes an alert on the supply-chain attack against 3CXDesktopApp; 3CX urges customers to uninstall the desktop app and use the PWA client.
- 11 April 2023: 3CX publishes Mandiant's interim findings attributing the intrusion to UNC4736, a cluster linked to North Korea's Lazarus Group.
- 20 April 2023: Mandiant identifies the initial vector as a prior supply-chain compromise of Trading Technologies' X_TRADER software, making this the first publicly documented cascading software supply-chain attack.
Sources
- cisa.gov: https://www.cisa.gov/news-events/alerts/2023/03/30/supply-chain-attack-against-3cxdesktopapp
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/
- 3cx.com: https://www.3cx.com/blog/news/mandiant-security-update2/
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/3cx-hack-caused-by-trading-software-supply-chain-attack/