Connect with us

Hi, what are you looking for?


Supply Chain Security

Cascading Supply Chain Attack: 3CX Hacked After Employee Downloaded Trojanized App

3CX hack is the first known cascading supply chain attack, with the breach starting after an employee downloaded compromised software from a different firm.

3CX supply chain attack

More information was made available on Thursday about the recent 3CX hack, and it turns out that the incident was what cybersecurity experts are calling a cascading software supply chain attack. 

The hack came to light in late March, after 3CX customers started complaining that various cybersecurity products had been triggering warnings for the company’s software.

An investigation revealed that hackers had compromised 3CX’s Windows and macOS build environments and used their access to push trojanized software to the company’s customers. 

Mandiant, which helped 3CX investigate the breach, found that the business communication company’s systems were penetrated after an employee downloaded on their personal computer a trojanized installer for the X_Trader trading software from Trading Technologies. 

The X_Trader application was retired in 2020, but it was still available on the company’s website. The malicious version, which the employee downloaded sometime in 2022, was signed with a certificate that was valid until October 2022. 

The malicious X_Trader app delivered a malware named VeiledSignal, which gave the attackers administrator-level access to the 3CX employee’s device. The attackers were able to obtain corporate credentials belonging to the employee, which gave them access to 3CX systems.

Once inside 3CX’s network, they harvested credentials, moved laterally, and deployed other malware to compromise Windows and macOS build environments. This later allowed them to push malware to 3CX customers. 

Advertisement. Scroll to continue reading.

The other malware families involved in the attack are tracked by Mandiant as TaxHaul, ColdCat, PoolRat, and IconicStealer. IconicStealer is a third-stage payload that was served to some 3CX customers, allowing the hackers to steal browser data. CISA has published a malware analysis report for IconicStealer.

Cybersecurity companies reported shortly after the incident came to light that the attack was likely conducted by North Korean threat actors, specifically ones whose goal is to make a profit by targeting cryptocurrency firms.

Mandiant has confirmed that a North Korean threat actor, one that it tracks as UNC4736, which appears to be linked to the financially motivated operation dubbed AppleJeus, is behind the attack. 

Interestingly, Google reported in March 2022 that the Trading Technologies website had been compromised by North Korean threat actors as part of operation AppleJeus and set up to serve malware. 

It’s unclear exactly when 3CX’s systems became compromised. Earlier third-party reports estimated that the breach occurred sometime in the fall of 2022, but the new information suggests that it may have been much earlier.

Google’s security researchers saw the Trading Technologies website serving malware in February 2022, and 3CX said that the first unauthorized access to its network, via a VPN, occurred two days after the employee’s credentials were obtained by the hackers. 

“Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea’s interests.,” Mandiant said.

Both Mandiant and 3CX have made available additional indicators of compromise (IoCs) that were uncovered during the investigation. 

SecurityWeek has compiled a list of information and tools that can be useful to defenders. Also check out our additional coverage of the 3CX supply chain hack.  

Related: Mandiant Catches Another North Korean Gov Hacker Group

Related: UN Experts: North Korean Hackers Stole Record Virtual Assets

Related: North Korean APT Expands Its Attack Repertoire

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Supply Chain Security

Oracle's Critical Patch Update for January 2023 includes 327 patches, with more than 70 that address critical-severity vulnerabilities.

Supply Chain Security

Endor Labs has introduced an OWASP-style listing of the most important or impactful risks inherent in the use of open source software (OSS).

Supply Chain Security

A new report found that 98% of organizations have a relationship with a third party that has been breached, while more than 50% have...

Cybersecurity Funding

Software supply chain security management startup Lineaje raises $7 million in a seed funding round led by Tenable Ventures.

Application Security

Enterprise communication and collaboration platform Slack has informed customers that hackers have stolen some of its private source code repositories, but claims impact is...