Objective-See analyzes the macOS second-stage UpdateAgent payload from the 3CX supply-chain compromise, attributed in the source to North Korean Lazarus Group activity. The first-stage trojanized libffmpeg.dylib downloaded UpdateAgent into the 3CX Desktop…
The 3CXDesktopApp supply-chain compromise affected Windows and macOS builds of a widely used desktop communications application, with CrowdStrike identifying links between the activity and Lazarus Group. On Windows, the MSI installer executed 3CXDesktopAp…
Splunk frames the 3CXDesktopApp incident as a software supply-chain compromise affecting signed desktop client builds and provides defensive hunting guidance for customers investigating endpoint and network telemetry. The described chain begins with affec…
Group-IB analyzed the 3CXDesktopApp supply-chain compromise in which signed Windows and macOS builds were trojanized and distributed to customers of the VoIP software vendor. The Windows infection chain loads a modified ffmpeg.dll, reads encrypted shellco…
To obtain distinct C&C URLs, the malware randomly selects an ICO file from a GitHub repository. This malware can gather system data and take control of data and login credentials stored in user profiles on various web browsers, including Chrome, Edge, Bra…
KR-CERT advised service operators and users to update INITECH INISAFE CrossWeb EX V3 after INITECH released a fix for vulnerabilities affecting versions 3.3.2.40 and earlier. The notice warns that attackers could exploit unpatched installations but does n…
ReversingLabs found that compromised 3CXDesktopApp updates likely resulted from tampering in the 3CX software build pipeline or a malicious dependency, placing malicious code inside signed VoIP client packages downloaded by customers. The attack modified …
Trend Micro summarized the 3CX Desktop App compromise as a multi-stage attack against the Electron Windows and macOS clients used by 3CX customers worldwide. The compromised MSI starts with benign 3CXDesktopApp.exe loading trojanized ffmpeg.dll, which rea…
OpenAnalysis examined the 3CX supply-chain compromise by unpacking the signed 3CXDesktopApp-18.12.416.msi and tracing how the backdoored client delivered malware. The analysis found that ffmpeg.dll locates d3dcompiler_47.dll, searches for repeated FEEDFAC…
FortiGuard Labs reported CVE-2023-29059 as a trojanized 3CX Desktop App supply-chain compromise affecting Electron-based Windows versions 18.12.407 and 18.12.416 and macOS versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416. The malicious chain uses …
Rapid7 analyzed the 3CXDesktopApp Windows supply-chain compromise after multiple vendors observed malicious activity from a legitimate signed communications application on Windows and macOS. The MSI drops benign 3CXDesktopApp.exe, which loads backdoored f…
Unit 42 described the 3CXDesktopApp incident as a supply-chain compromise in which malicious libraries were included in legitimate Windows MSI and macOS DMG installers downloaded from 3CX. On Windows, 3CXDesktopApp.exe loads ffmpeg.dll, which decrypts she…
Cisco Talos tracked the 3CX Desktop Softphone compromise as a supply-chain attack that abused the legitimate update path to deliver malicious payloads to Windows and macOS users. The Windows infection chain used DLL sideloading, a seven-day sleep routine,…
3CX disclosed that affected Electron Windows and macOS DesktopApp versions included a compromised bundled library that caused antivirus detections for 3CXDesktopApp.exe. The company reported that contacted domains had been reported and largely taken down,…
Upon successfully executing, this shellcode stub writes a new file (manifest) to disk with a timestamp 7 days in the future, used to implement a timer after which the malware connects to the C2 infrastructure. After initially connecting to an active C2 se…