Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Mandiant Also Links 3CX Supply Chain Attack to North Korean Hackers

3CX has confirmed previous reports that the recently disclosed supply chain attack was likely conducted by North Korean hackers.

Business communication company 3CX on Tuesday confirmed previous reports that the recently disclosed supply chain attack was likely conducted by North Korean hackers.

Google-owned Mandiant is investigating the breach and 3CX has released some information from the security firm’s initial analysis. 

“Based on the Mandiant investigation into the 3CX intrusion and supply chain attack thus far, they attribute the activity to a cluster named UNC4736. Mandiant assesses with high confidence that UNC4736 has a North Korean nexus,” 3CX said.

Mandiant found that the hackers targeted 3CX Windows systems with a piece of malware named Taxhaul (aka TxrLoader). Taxhaul uses DLL sideloading to achieve persistence and reduce the likelihood of detection. The malware is designed to deploy a downloader tracked by Mandiant as Coldcat. 

The macOS backdoor used in the attack, named Simplesea, allows attackers to execute shell commands, and transfer and execute files. This piece of malware is still being checked for links to known malware families. 

3CX has shared YARA rules and indicators of compromise (IoCs) that can be used to detect the malware and connections to the attacker’s infrastructure.  

Kaspersky and CrowdStrike previously reported finding links to North Korean state-sponsored threat actors, specifically to Lazarus or one of its subgroups. 

Advertisement. Scroll to continue reading.

Kaspersky’s own data suggested that the 3CX attack was aimed at cryptocurrency companies, which would not be surprising considering that North Korean hackers have been known to steal large amounts of cryptocurrency, likely to fund Pyongyang’s objectives

The cybersecurity firm saw the deployment of a backdoor named Gopuram on less than 10 devices — mainly belonging to cryptocurrency companies — as part of the 3CX supply chain attack. However, 3CX pointed out that the Coldcat malware analyzed by Mandiant is different from Gopuram. 

3CX is still investigating the incident, but for the time being it appears that the attackers compromised its systems in an effort to push malware to the company’s customers. 3CX has 600,000 customers and the initial malware may have been pushed to many of them, but the more sophisticated secondary payload was only delivered to a small number of victims that presented an interest. 

The initial investigations conducted by several cybersecurity firms indicated that 3CX was likely breached sometime in the fall of 2022, but it’s believed that the operation was still in its initial stages when the intrusion was detected.

In addition to sharing more details about the attack, 3CX has described some of the steps it’s taking to improve the security of its applications.

SecurityWeek has compiled a list of information and tools that can be useful to defenders. Also check out our additional coverage of the 3CX supply chain hack.  

Related: Mandiant Catches Another North Korean Gov Hacker Group

Related: UN Experts: North Korean Hackers Stole Record Virtual Assets

Related: North Korean APT Expands Its Attack Repertoire

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.