3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component 

3CX confirms investigating a security breach as the cybersecurity community is sharing more information on what appears to be a sophisticated supply chain attack.

Business communication solutions provider 3CX has confirmed that it’s investigating a security breach, as the cybersecurity community is sharing more information on what appears to be a sophisticated supply chain attack. 

The attack seems to impact 3CXDesktopApp, an enterprise voice and video conferencing software. 3CX claims on its website that its products are used by more than 600,000 companies, including major brands such as Coca Cola, Ikea, PwC and several carmakers, airlines and hotel chains. 

The incident came to light after 3CX customers started complaining on the company’s forum that various cybersecurity products had started flagging and even removing the 3CXDesktopApp software due to suspicious behavior. 

It was initially suggested that the detections were false positives, but several cybersecurity firms confirmed on Wednesday that the 3CX product was indeed compromised.

Analyses of the attack and indicators of compromise (IoCs) were published by CrowdStrike, SentinelOne and Sophos. At this point in the investigation, evidence collected by CrowdStrike suggests that North Korean threat actor Labyrinth Chollima, a subgroup of the notorious Lazarus Group, is behind the hack.

The attack, dubbed Smooth Operator by SentinelOne, involved the delivery of trojanized 3CXDesktopApp installers. The malware is signed with a code signing certificate and its goal appears to be the deployment of an information stealer.

This multi-stage supply chain attack also involved pulling files from a GitHub repository that has since been shut down. 

3CX published a security alert late on Wednesday, informing customers and partners that it has launched an investigation into a ‘security issue’ related to its Electron Windows App shipped in Update 7, specifically version numbers 18.12.407 and 18.12.416. 

“The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT,” said Pierre Jourdan, CISO at 3CX. 

“Worth mentioning – this appears to have been a targeted attack from an Advanced Persistent Threat, perhaps even state sponsored, that ran a complex supply chain attack and picked who would be downloading the next stages of their malware. The vast majority of systems, although they had the files dormant, were in fact never infected,” the CISO added. 

The company has instructed customers to uninstall the affected application and use the PWA client until a new Windows app is developed. Jourdan claimed that the shutdown of the GitHub repository used by the attackers has rendered the compromised library harmless. 
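The check a Windows administrator would want at this point is whether the two builds named in 3CX's alert are present on a machine. The script below is an added example, not code from 3CX or from any of the researchers cited here; the registry Uninstall keys and the per-user Electron install path it searches are assumptions about where the 3CXDesktopApp installer places the program, and the `3CXDesktopApp.exe` file name is likewise assumed.

```powershell
# Added example (not 3CX's or the researchers' code): report installed
# 3CXDesktopApp builds on a Windows host and flag the versions named in
# 3CX's security alert. Registry key and install paths are assumptions.
$AffectedVersions = @('18.12.407', '18.12.416')

# Uninstall entries for machine-wide (64/32-bit) and per-user installs (assumed keys).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Findings = @(foreach ($Key in $UninstallKeys) {
    Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*3CX*' } |
        ForEach-Object {
            [pscustomobject]@{
                Source   = 'Registry'
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Location = $_.InstallLocation
                Affected = $AffectedVersions -contains $_.DisplayVersion
            }
        }
})

# Electron apps are usually installed per user, so walk every local profile
# rather than trusting the current user's registry hive alone (path assumed).
$Exes = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Programs\3CXDesktopApp' `
    -Filter '3CXDesktopApp.exe' -Recurse -ErrorAction SilentlyContinue

$Findings += @(foreach ($Exe in $Exes) {
    $Ver = $Exe.VersionInfo.ProductVersion
    [pscustomobject]@{
        Source   = 'File'
        Name     = $Exe.FullName
        Version  = $Ver
        Location = $Exe.DirectoryName
        Affected = $AffectedVersions -contains $Ver
    }
})

if ($Findings.Count -eq 0) {
    Write-Output 'No 3CXDesktopApp install found on this host.'
} else {
    $Findings | Sort-Object Affected -Descending | Format-Table -AutoSize
}
```

A hit on 18.12.407 or 18.12.416 means the trojanized build is present, not that the host was necessarily infected: as the 3CX CISO notes above, the attackers selected which systems downloaded the later stages, so a positive result should feed into incident response (uninstall, then hunt with the published IoCs) rather than be read as proof of compromise on its own.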

3CX’s statement focuses on the Windows application, and SentinelOne said it could not confirm that the Mac installer was also trojanized. CrowdStrike, however, said it had seen activity on both Windows and macOS systems.

CrowdStrike has shared a sample with Apple security expert Patrick Wardle, whose analysis confirmed that a trojanized macOS application was also used in the Smooth Operator attack.

The researcher found that the malware had been notarized by Apple, meaning it had passed Apple’s automated malware checks without being flagged. During Wardle’s analysis, Apple apparently took action, and users are now warned before installing the trojanized app.

The Mac application is nearly 400 MB in size, which made it more difficult to analyze, but Wardle was able to confirm suspicious behavior. The malware appears designed to download a second-stage payload, but the researcher could not obtain a copy of that payload for analysis.

Wardle has also shared IoCs to help defenders detect the macOS variant of the malware. 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
