Decipher File · January 2023 to April 2023
3CX Supply Chain: How Lazarus Chained Two Software Vendors in One Campaign
The 3CX supply chain incident is the cybersecurity attack that chained two trojanized software vendors into a single Lazarus campaign. From late 2022 through March 2023, the North Korean Lazarus subgroup compromised 3CX by way of a prior infection of Trading Technologies' X_TRADER application, then pushed signed, malicious 3CX desktop installers to a customer base of over 600,000 organizations worldwide.
Incident summary
3CX is a softphone and unified communications vendor with more than 600,000 customer organizations and 12 million daily users per its own April 2023 statements. On March 29, 2023, Volexity, CrowdStrike, and SentinelOne separately reported malicious activity originating from the signed 3CXDesktopApp installer. 3CX confirmed the compromise on March 30, 2023.
Mandiant's April 20, 2023 final report disclosed that the 3CX intrusion did not begin with 3CX. The threat actor first compromised Trading Technologies, a Chicago-based trading software firm, and trojanized its X_TRADER 7.x installer. A 3CX employee installed X_TRADER on a personal device used for both personal trading and work, which gave the actor entry to that employee's credentials and ultimately to the 3CX build environment.
Mandiant attributed both the X_TRADER and 3CX compromises to UNC4736, which it associates with North Korea's Lazarus Group. CrowdStrike tracks the same activity as Labyrinth Chollima. Per Mandiant's analysis, this is the first publicly documented case of one supply chain compromise being used to seed a downstream supply chain compromise.
Attack technique
MITRE ATT&CK maps the campaign primarily to T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain) at both the X_TRADER and 3CXDesktopApp stages. Lazarus modified the 3CXDesktopApp build to ship a malicious sideloaded DLL (ffmpeg.dll) that decoded a second-stage payload from steganographically encoded ICO files hosted in a public GitHub repository.
Affected 3CXDesktopApp versions were 18.12.407 and 18.12.416 on Windows, and 18.11.1213 on macOS. The Windows installer was code-signed with a valid 3CX certificate. Mandiant documented two follow-on payloads: the TAXHAUL loader on most infected hosts, used for reconnaissance, and the ICONIC stealer deployed selectively on cryptocurrency-firm hosts to steal browser cookies and credentials.
Mandiant's investigation identified that Trading Technologies had declared the X_TRADER product end-of-life in April 2020, yet the trojanized installer remained available for download from the Trading Technologies website until early 2022. The 3CX employee who became the entry vector installed X_TRADER on a personal computer that was also used to access 3CX corporate resources, illustrating how blended personal-corporate device use becomes a supply chain liability.
Impact and consequences
Mandiant and CrowdStrike both reported that the second-stage payload was selectively deployed only to cryptocurrency firms among the broad 600,000+ 3CX install base. Volexity documented the ICONIC payload at multiple cryptocurrency exchanges and trading firms. The narrow second-stage targeting matches Lazarus tradecraft optimized for cryptocurrency theft to fund the North Korean state.
3CX engaged Mandiant for the full incident response and published the Mandiant attribution publicly. The company rebuilt its build pipeline with Mandiant guidance. 3CX did not publicly disclose specific customer impact or financial figures.
The incident reinforced the SolarWinds-era Executive Order 14028 SBOM requirements and added empirical weight to the case for build environment hardening. NIST's SSDF (SP 800-218) was already in publication, but the 3CX incident gave practitioners a fresh reference for upstream-supplier risk that extends two hops up the supply chain.
Indicators of Compromise
These are the specific artifacts defenders should hunt for. Cross-reference them against your existing detection rules before acting on them.
- 3CXDesktopApp installers signed with a valid 3CX certificate but containing a malicious ffmpeg.dll
- Affected versions: 3CXDesktopApp 18.12.407 and 18.12.416 (Windows), 18.11.1213 (macOS)
- Encrypted GitHub-hosted ICO files used as the second-stage C2 lookup
- TAXHAUL and COLDCAT loader artifacts on infected hosts
- ICONIC stealer payload on selected cryptocurrency-firm victims
- Trading Technologies X_TRADER 7.x as the upstream vector (no CVE assigned; vendor advisory only)
Lessons for defenders
Map your supply chain at least two hops upstream. 3CX's customers had a vendor security questionnaire from 3CX. Few of those customers had any visibility into the software 3CX employees used on personal devices. Two-hop visibility, supported by SBOM analysis and vendor build environment attestations, is becoming the new floor.
End-of-life software remains exploitable when it stays installable. Trading Technologies marked X_TRADER end-of-life in 2020 but kept the installer available for download. EoL inventory and removal of installers from public download is a low-cost control that closes a long tail of risk.
Personal device use for corporate work is a supply chain control, not just an endpoint posture issue. The 3CX entry vector was a personal computer running both personal trading software and corporate authentication. Bring-your-own-device policies that allow privileged corporate access on unmanaged devices import upstream supply chain risk by definition.
Code signing certificates do not validate code. The 3CXDesktopApp installers were signed with a valid 3CX certificate. EDR products that trust signed binaries from known publishers passed the malicious DLL through. Behavior-based detection that looks for unusual outbound connections from desktop apps catches this pattern even with valid signatures.
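One way to express this lesson as detection logic, covering both the sideload-plus-ICO-fetch chain described under Attack technique and the point that a valid signature must never suppress an alert. This is an added example, not code from 3CX, Mandiant or any of the sources listed; the telemetry lines, host names and repository path are constructed placeholders, not real indicators.

```python
import json
from collections import defaultdict

SOFTPHONE_PROCS = {"3CXDesktopApp.exe"}                      # process named on this page
CODE_HOSTS = {"github.com", "raw.githubusercontent.com"}    # public code hosting, per the page

# Constructed sample telemetry (JSON lines). Hosts and paths are placeholders, not real IoCs.
SAMPLE_EVENTS = """\
{"pid":4120,"proc":"3CXDesktopApp.exe","signed":true,"type":"image_load","path":"C:\\\\Program Files\\\\3CXDesktopApp\\\\app\\\\ffmpeg.dll"}
{"pid":4120,"proc":"3CXDesktopApp.exe","signed":true,"type":"net","host":"raw.githubusercontent.com","path":"/placeholder-org/placeholder-repo/main/icon7.ico"}
{"pid":5555,"proc":"chrome.exe","signed":true,"type":"net","host":"raw.githubusercontent.com","path":"/someproj/logo.ico"}
{"pid":6001,"proc":"3CXDesktopApp.exe","signed":true,"type":"net","host":"sip.pbx.example","path":"/"}
"""


def detect_sideload_c2(events_text):
    """Return one alert per softphone process that both loaded ffmpeg.dll from its
    own directory and fetched a .ico file from a public code host.
    The parent's signature status is recorded for the analyst but never used to
    suppress the alert: a valid publisher signature says nothing about behaviour."""
    by_pid = defaultdict(lambda: {"dll": None, "ico": None, "signed": None})
    for line in events_text.splitlines():
        ev = json.loads(line)
        if ev["proc"] not in SOFTPHONE_PROCS:
            continue
        state = by_pid[ev["pid"]]
        state["signed"] = ev.get("signed")
        if ev["type"] == "image_load" and ev["path"].lower().endswith("\\ffmpeg.dll"):
            state["dll"] = ev["path"]
        elif ev["type"] == "net" and ev["host"] in CODE_HOSTS and ev["path"].lower().endswith(".ico"):
            state["ico"] = f'https://{ev["host"]}{ev["path"]}'
    return [
        {"pid": pid, "sideloaded_dll": s["dll"], "ico_fetch": s["ico"], "signed_parent": s["signed"]}
        for pid, s in by_pid.items()
        if s["dll"] and s["ico"]
    ]


if __name__ == "__main__":
    for alert in detect_sideload_c2(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Only the process that shows both behaviours is flagged; a browser fetching an .ico from GitHub and the softphone talking to its PBX are left alone.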
Build environment isolation is a tier-zero requirement. 3CX's build pipeline was reachable via a developer's compromised credentials. Isolated build infrastructure, hardware-backed signing keys held only by build systems, and reproducible builds limit the blast radius of a developer credential compromise.
Frequently asked questions
How did the 3CX supply chain attack start?
Per Mandiant's April 20, 2023 final report, the attack started with a prior compromise of Trading Technologies' X_TRADER software. A 3CX employee installed the trojanized X_TRADER on a personal computer used for both personal trading and corporate access. The North Korean Lazarus subgroup tracked as UNC4736 used that foothold to reach 3CX's build pipeline and trojanize the 3CXDesktopApp installer.
Who was behind the 3CX compromise?
Mandiant attributed the campaign to UNC4736, an actor associated with North Korea's Lazarus Group. CrowdStrike tracks the same activity as Labyrinth Chollima, a subunit of Lazarus. Independent researchers at Kaspersky and Elastic Security reached similar attribution conclusions. Lazarus operations focus on cryptocurrency theft to fund the North Korean state.
Which 3CX versions contained the backdoor?
Per 3CX's March 30, 2023 advisory, affected versions were 3CXDesktopApp 18.12.407 and 18.12.416 on Windows and 18.11.1213 on macOS. Customers who installed those versions received a signed installer with a malicious ffmpeg.dll that decoded a second-stage payload from steganographically encoded ICO files hosted in a public GitHub repository.
Sources
- Mandiant: 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise · April 20, 2023 Mandiant final report on the dual-supply-chain pattern
- 3CX Security Update on the 3CXDesktopApp · 3CX's March 30, 2023 vendor disclosure
- Volexity: 3CX Supply Chain Compromise Leads to ICONIC Incident · Volexity's initial technical analysis on March 30, 2023
- CrowdStrike: SmoothOperator 3CX Software Supply Chain Attack · CrowdStrike attribution to Labyrinth Chollima (Lazarus subunit)
- CISA Alert: Supply Chain Attack Against 3CXDesktopApp · CISA notification and customer guidance
- Trading Technologies Security Advisory on X_TRADER · Trading Technologies vendor confirmation of X_TRADER compromise
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.