3CX

#SmoothOperator • 2023-03

🇺🇸 United States

SmoothOperator was a supply-chain compromise of 3CXDesktopApp in which trojanized, signed installers loaded malicious DLLs, retrieved encoded payload data from ICO files hosted on GitHub, and deployed follow-on malware, including infostealer functionality that targeted system and browser artifacts. CrowdStrike and other reporting tied the campaign to DPRK-linked LABYRINTH CHOLLIMA activity; this entry keeps its existing attribution to UNC4736 because the linked evidence does not clearly contradict it.
