3CX

#SmoothOperator • 2023-03

🇺🇸 United States

#Technology #SupplyChain

SmoothOperator was a 3CXDesktopApp supply-chain compromise in which trojanized signed installers loaded malicious DLLs, retrieved encoded payload data from GitHub-hosted ICO files, and deployed follow-on malware including infostealer functionality against system and browser artifacts. CrowdStrike and other reporting tied the campaign to DPRK-linked LABYRINTH CHOLLIMA activity, while the existing incident attribution to UNC4736 is preserved because the linked evidence does not clearly contradict it.

50

Related Reports
1

Affected Countries
39

Months Since

Related Actors

UNC4736

Mandiant

Security Update Mandiant Initial Results

Associated with: Apple Jeus

First seen: 2023-04 • Last seen: 2026-05

Related Reports

2023-04-20

Mandiant

3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible

#YARA #SupplyChain #3CXDesktopApp #SmoothOperator #UNC4736 #X_Trader #UNC4469 #UNC3782 #T1082 #T1140 #T1070.004 #T1071.001 #T1195.002 #T1112 #T1083 #T1497 #T1036 #T1027 #T1071 #T1195 #T1497.001 #T1105 #T1055 #T1620 #T1574.002 #T1622 #T1190 #T1588 #T1574 #T1573.002 #T1614 #T1573 #T1608 #T1070 #T1614.001 #T1071.004 #T1012 #T1588.004 #T1565.001 #T1036.001 #T1070.001 #T1608.003 #T1565

2023-04-20

ESET

Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack

#DreamJob #YARA #3CXDesktopApp #SmoothOperator #T1090 #T1140 #T1585.003 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1083 #T1204.002 #T1566.002 #T1132.001 #T1573.001 #T1497.003 #T1593.001 #T1584.001 #T1134.002 #T1027.009 #T1562.003 #T1546.004

2023-04-14

Attack IQ

Response to Lazarus' 3CX Supply Chain Compromise

#SupplyChain #3CXDesktopApp #SmoothOperator #T1082 #T1071.001 #T1057 #T1105 #T1055 #T1620 #T1049 #T1087.001 #T1070.006 #T1574.001 #T1543.003 #T1012 #T1069.001 #T1016.001 #T1547.002

2023-04-11

3CX

Security Update Mandiant Initial Results

#YARA #SupplyChain #3CXDesktopApp #SmoothOperator #UNC4736 #TAXHAUL

2023-04-05

struppigel

3CX SmoothOperator Authenticode Abuse

#Youtube #SupplyChain #3CXDesktopApp #SmoothOperator

2023-04-05

Ahnlab

3CX DesktopApp 공급망 공격, 국내에서도 확인

#SupplyChain #3CXDesktopApp #SmoothOperator

2023-04-03

struppigel

3CX SmoothOperator ffmpeg.dll with Binary Ninja

#Youtube #SupplyChain #3CXDesktopApp #SmoothOperator

2023-04-03

Kaspersky

Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

#SupplyChain #3CXDesktopApp #SmoothOperator #Gopuram

2023-04-03

Threat Radar

3CX In The Wild

#SupplyChain #3CXDesktopApp #SmoothOperator

2023-04-03

Hive Pro

SmoothOperator Campaign Trojanizes 3CXDesktopApp

#SupplyChain #3CXDesktopApp #SmoothOperator #T1071 #T1547.001 #T1059 #T1543 #T1574.002 #T1574 #T1547 #T1056 #T1543.003 #T1091

2023-04-03

piyokango