On March 29, 2023, security researchers at CrowdStrike and SentinelOne simultaneously disclosed that 3CX — a VoIP software provider used by over 600,000 organizations worldwide — had been compromised in a sophisticated supply chain attack. The 3CX Desktop App, used by an estimated 12 million daily users, was trojanized to deliver information-stealing malware.
What made this attack unprecedented was its origin: it was a supply chain attack caused by another supply chain attack. 3CX was compromised because one of their employees had installed a trojanized version of X_TRADER, a trading software from Trading Technologies. This is the first publicly documented case of one supply chain attack directly leading to another.
The Attack Chain
Stage 1: Trading Technologies Compromise
The attack began in 2022 when North Korean threat actors — specifically the Lazarus Group (also tracked as UNC4736) — compromised the build environment of Trading Technologies, the maker of X_TRADER software.
A trojanized version of X_TRADER was distributed through Trading Technologies' legitimate download site. This compromised installer contained a backdoor that gave the attackers persistent access to any system where it was installed.
Stage 2: 3CX Employee Compromise
A 3CX employee downloaded and installed the trojanized X_TRADER software on their personal computer. Through this foothold, the Lazarus Group obtained the employee's corporate credentials and eventually gained access to 3CX's build environment.
Stage 3: 3CX Build System Compromise
With access to 3CX's build infrastructure, the attackers modified the build process to inject malicious code into the 3CX Desktop App. The compromise was elegant — they didn't modify source code in the repository. Instead, they manipulated the build process to include malicious DLLs:
- ffmpeg.dll: A trojanized version of the legitimate FFmpeg library, modified to read and decrypt data from a companion file
- d3dcompiler_47.dll: A legitimate Microsoft-signed DLL with an encrypted payload appended to it
Stage 4: Malware Distribution
The trojanized 3CX Desktop App was distributed through 3CX's official update mechanism. Because the application was signed with 3CX's legitimate code-signing certificate, it passed all standard verification checks.
Stage 5: Payload Execution
When a user installed or updated to the compromised version, the malware:
- Loaded the trojanized ffmpeg.dll
- Read the encrypted payload from d3dcompiler_47.dll
- Decrypted a list of GitHub URLs from an embedded, encrypted data blob
- Connected to GitHub repositories to download icon files
- Extracted Command & Control (C2) server addresses encoded in the icon files
- Downloaded and executed a final-stage information stealer
The information stealer targeted browser data from Chrome, Edge, Brave, and Firefox — including browsing history, saved credentials, and cookies.
The Technical Sophistication
Several aspects of this attack demonstrated exceptional sophistication:
Legitimate Code-Signing
The trojanized application was signed with 3CX's valid code-signing certificate because it was built by 3CX's actual build system. Signature verification alone could not flag it: the signature was genuine, so the check only confirmed that 3CX's build pipeline had produced the file, not that the file was what 3CX intended to ship.
GitHub as C2 Infrastructure
By hosting encoded C2 addresses in GitHub repositories, the attackers leveraged a trusted platform that most organizations allow through their firewalls. The traffic to GitHub looked like normal development activity.
Multi-Stage Payload
The actual malicious functionality was separated across multiple stages and files, making static analysis of any single component appear benign.
Sleep Timers
The malware included a 7-day sleep timer before reaching out to C2 servers. This delay was designed to make correlation between the software installation and network indicators more difficult.
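The two points above (GitHub as a trusted C2 rendezvous and the 7-day sleep before the first beacon) suggest what a defender's correlation logic has to look like: pair an install of an affected version with later, unusual outbound activity from the same host, and keep the correlation window wider than the delay. The following Python is an added example written for this article, not code from 3CX, CrowdStrike, SentinelOne or Safeguard.sh. The telemetry, host names, process name `softphone.exe` and repository paths are constructed; the affected version numbers are the Windows versions listed later on this page.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for this example; hosts, process names and
# repository paths are invented, not indicators from the real incident.
INSTALL_EVENTS = [
    {"host": "ws-01", "time": "2023-03-10T09:00:00",
     "app": "3CX Desktop App", "version": "18.12.407"},
    {"host": "ws-02", "time": "2023-03-10T09:05:00",
     "app": "3CX Desktop App", "version": "18.12.300"},  # not in the affected list
]
NET_EVENTS = [
    # about a week after install, a non-browser process fetches an .ico from GitHub
    {"host": "ws-01", "time": "2023-03-18T02:14:00", "process": "softphone.exe",
     "dest": "raw.githubusercontent.com", "path": "/example-org/example-repo/main/icon3.ico"},
    # ordinary developer traffic from a browser: must not alert
    {"host": "ws-01", "time": "2023-03-11T10:00:00", "process": "chrome.exe",
     "dest": "raw.githubusercontent.com", "path": "/example-org/tool/main/README.md"},
    # same pattern on a host running an unaffected version: must not alert
    {"host": "ws-02", "time": "2023-03-18T02:14:00", "process": "softphone.exe",
     "dest": "raw.githubusercontent.com", "path": "/example-org/example-repo/main/icon3.ico"},
]

AFFECTED_WINDOWS_VERSIONS = {"18.12.407", "18.12.416"}  # Windows versions named on this page
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def is_suspicious_github_fetch(event):
    """A non-browser process pulling an icon file from GitHub is unusual by itself."""
    return (event["dest"] in GITHUB_HOSTS
            and event["path"].lower().endswith(".ico")
            and event["process"].lower() not in BROWSER_PROCESSES)


def correlate(installs, net_events, window_days=14):
    """Pair each install of an affected version with suspicious network activity
    from the same host inside the window. The window must exceed the malware's
    sleep timer (7 days in this incident); a shorter window never links the
    delayed beacon back to the install."""
    alerts = []
    window = timedelta(days=window_days)
    for inst in installs:
        if inst["version"] not in AFFECTED_WINDOWS_VERSIONS:
            continue
        t0 = parse_time(inst["time"])
        for ev in net_events:
            if ev["host"] != inst["host"] or not is_suspicious_github_fetch(ev):
                continue
            t1 = parse_time(ev["time"])
            if t0 <= t1 <= t0 + window:
                alerts.append({
                    "host": inst["host"],
                    "version": inst["version"],
                    "days_after_install": (t1 - t0).days,
                    "process": ev["process"],
                    "url": ev["dest"] + ev["path"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(INSTALL_EVENTS, NET_EVENTS):
        print(alert)
```

Run against the constructed events, only `ws-01` produces an alert, seven days after the install. Calling `correlate` with `window_days=5` returns nothing, which is exactly the blind spot the sleep timer was built to exploit.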
Affected Versions
The compromised versions of the 3CX Desktop App were:
- Windows: Versions 18.12.407 and 18.12.416
- macOS: Versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416
These versions were available on 3CX's official download page and distributed through the auto-update mechanism between approximately March 9 and March 29, 2023.
Detection Timeline
The detection timeline reveals how difficult supply chain attacks are to identify:
- Late 2021 - 2022: Trading Technologies compromised (undetected)
- 2022: 3CX employee installs trojanized X_TRADER
- February 2023: 3CX build environment compromised
- March 9, 2023: Trojanized 3CX Desktop App versions begin distribution
- March 22, 2023: First endpoint detection reports from SentinelOne and CrowdStrike customers flagging suspicious behavior from the 3CX app
- March 29, 2023: Public disclosure by multiple security vendors
- March 30, 2023: 3CX CEO acknowledges the compromise
That's roughly a three-week window between distribution and detection, during which potentially hundreds of thousands of users installed the compromised software.
The Attribution
Multiple security firms and intelligence agencies attributed this attack to the Lazarus Group, a threat actor linked to North Korea's Reconnaissance General Bureau. The attribution was based on:
- Infrastructure overlap with known Lazarus Group operations
- Code similarities with previous Lazarus malware families (specifically the TAXHAUL/SIMPLESEA families)
- Operational patterns consistent with North Korean cyber operations
- The cascading supply chain attack methodology, which had been previously observed in North Korean operations targeting cryptocurrency firms
Impact Assessment
The impact of this attack was massive:
- 600,000+ organizations potentially exposed
- 12 million daily users of the 3CX Desktop App
- Customers included major enterprises across healthcare, hospitality, automotive, and government sectors
- The cryptocurrency industry appeared to be a primary target, consistent with North Korea's pattern of targeting financial institutions for revenue generation
How Safeguard.sh Helps
The 3CX attack demonstrated why traditional security measures are insufficient against supply chain attacks. Safeguard.sh addresses the gaps:
- Build Integrity Verification: Safeguard.sh monitors build processes for unauthorized modifications, detecting when build outputs don't match expected patterns — the kind of tampering used in the 3CX attack.
- Binary Analysis: Safeguard.sh can analyze compiled artifacts for embedded payloads, obfuscated code, and behavioral anomalies that signature-based tools miss.
- SBOM Drift Detection: By comparing SBOMs across builds, Safeguard.sh detects when new, unexpected components appear — like the trojanized DLLs injected into the 3CX build.
- Dependency Chain Monitoring: Safeguard.sh tracks your entire dependency chain, including build tools and development software, helping identify risks from compromised upstream tools like the X_TRADER software that started this cascading attack.
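To make the build-integrity and SBOM-drift points concrete, here is an added Python example written for this article; it is not Safeguard.sh's code and does not use any Safeguard.sh API. It models each build output as an SBOM entry carrying name, version, content hash, size and signer, then diffs two builds. The byte contents, the `extra.dll` component and the signer labels are constructed stand-ins; the file names `ffmpeg.dll` and `d3dcompiler_47.dll` are the ones named on this page. The case it singles out is a component whose version string and signer are unchanged but whose bytes differ, which is what a build-time substitution or an appended payload looks like.

```python
import hashlib


def component(name, version, data, signer):
    """Build the SBOM record for one build output: identity, version,
    content hash, size and signing identity. `data` is constructed here."""
    return {"name": name, "version": version,
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data), "signer": signer}


# Constructed baseline build (byte contents are invented stand-ins for real DLLs).
BASELINE_BUILD = {
    c["name"]: c for c in [
        component("ffmpeg.dll", "4.4.1", b"clean ffmpeg image (constructed)", "3CX"),
        component("d3dcompiler_47.dll", "10.0",
                  b"microsoft compiler image (constructed)", "Microsoft"),
        component("app.exe", "18.12.300", b"app image (constructed)", "3CX"),
    ]
}

# Constructed candidate build: ffmpeg.dll has different bytes under the same
# version, d3dcompiler_47.dll has data appended, app.exe is a normal version
# bump, and extra.dll is a component the baseline never had.
CANDIDATE_BUILD = {
    c["name"]: c for c in [
        component("ffmpeg.dll", "4.4.1", b"modified ffmpeg image (constructed)", "3CX"),
        component("d3dcompiler_47.dll", "10.0",
                  b"microsoft compiler image (constructed)" + b"<appended encrypted blob>",
                  "Microsoft"),
        component("app.exe", "18.12.407", b"app image v407 (constructed)", "3CX"),
        component("extra.dll", "1.0", b"unexpected helper (constructed)", "3CX"),
    ]
}


def sbom_drift(baseline, candidate):
    """Diff two SBOM component maps keyed by file name. A hash change without a
    version change is reported separately because it claims to be the same
    release while shipping different bytes."""
    report = {"added": sorted(candidate.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - candidate.keys()),
              "version_change": [],
              "silent_content_change": []}
    for name in sorted(baseline.keys() & candidate.keys()):
        old, new = baseline[name], candidate[name]
        if old["sha256"] == new["sha256"]:
            continue
        if old["version"] != new["version"]:
            report["version_change"].append(name)
        else:
            report["silent_content_change"].append({
                "name": name,
                "size_delta": new["size"] - old["size"],
                "signer_unchanged": old["signer"] == new["signer"],
            })
    return report


def should_block_release(report):
    """Gate policy: unexpected new components or silent content changes block
    the release until reviewed; plain version bumps pass."""
    return bool(report["added"] or report["silent_content_change"])


if __name__ == "__main__":
    drift = sbom_drift(BASELINE_BUILD, CANDIDATE_BUILD)
    print(drift)
    print("block release:", should_block_release(drift))
```

Note that `signer_unchanged` is `True` for both flagged DLLs: a valid signature on the candidate build tells the gate nothing, exactly as in the incident, and only the hash comparison against the previous build surfaces the change.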
The 3CX incident proved that supply chain attacks can cascade — one compromise leads to another, amplifying the impact exponentially. Defending against this requires visibility not just into your own build process, but into the entire chain of software you depend on.