Volexity attributed the 3CX supply-chain compromise to a suspected North Korean threat actor tracked as UTA0040 and reported that malicious, 3CX-signed updates installed information-stealing malware on affected endpoints. The analysis found both Windows a…
Neo23x0's signature-base excerpt publishes YARA rules for malicious Windows and macOS samples associated with the North Korea-linked 3CX compromise. The rules detect malicious DLLs, decrypted payloads, compromised 3CX-signed binaries, MSI installers, and …
Todyl tracks the 3CX softphone compromise as a supply-chain attack attributed in the excerpt to LABYRINTH CHOLLIMA, a DPRK-associated actor. The malicious MSI distributed by the vendor contained a vulnerable executable and a malicious ffmpeg.dll that load…
Huntress investigated the 3CX DesktopApp compromise as a large supply-chain incident affecting legitimate 3CX updates, with affected Windows versions 18.12.407 and 18.12.416 observed across customer environments. The attack chain used a backdoored ffmpeg.…
Symantec reported that North Korea-linked actors compromised multiple Windows and macOS versions of 3CX DesktopApp in a supply-chain attack that trojanized legitimate installers to deploy information-stealing malware. The malicious installers sideloaded a…
Check Point described the 3CXDesktopApp incident as a supply-chain attack in which a trojanized version of the VoIP desktop client was downloaded by victims and executed a malicious DLL through normal application loading. The infection chain uses DLL side…
Objective-See analyzed the macOS side of the 3CX SmoothOperator supply-chain incident after other reports noted possible macOS trojanization and public commentary attributed the broader activity to Lazarus Group. The source identified a malicious libffmpe…
Sophos X-Ops described a developing 3CX Desktop application supply-chain attack, possibly involving a nation-state-related group, that abused signed Windows softphone packages to communicate with multiple C2 servers. The attack used a DLL sideloading chai…
SentinelOne documented SmoothOperator as an active 3CXDesktopApp supply-chain campaign in which trojanized installers acted as the first stage of a multi-stage attack chain. The malicious application reflectively loaded a DLL, pulled ICO files with append…
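The SentinelOne entry above describes the trojanized 3CX client fetching ICO files that carry appended data. An icon file declares exactly where each of its images ends, so anything past the last image is not needed by any renderer and is the natural place to look for a hidden payload. The following Python is an added example, not code from SentinelOne, 3CX, or any of the reports listed here: it parses the ICO directory, reports trailing bytes, and, on the assumption that the appendix is base64 text (an assumption of this example, not something the summary states), decodes it. The helper `build_ico`, the sample icon, and the placeholder string `https://c2.example.invalid/stage2` are constructed for the demonstration.

```python
import base64
import re
import struct
from typing import List, Optional

# ICO container layout (Windows icon resource file format):
#   ICONDIR      : reserved(u16)=0, type(u16)=1, count(u16)
#   ICONDIRENTRY : width, height, colors, reserved (u8 each),
#                  planes(u16), bitcount(u16), bytes_in_res(u32), image_offset(u32)
ICO_HEADER = struct.Struct("<HHH")
ICO_ENTRY = struct.Struct("<BBBBHHII")

# Base64 alphabet plus whitespace; anything else means the tail is not text we can decode.
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def ico_trailing_data(data: bytes) -> bytes:
    """Return the bytes that follow the last image referenced by the ICO directory.

    A well-formed icon ends where its last image ends. Raises ValueError when the
    input is not a parseable ICO, so callers can distinguish "clean" from "not an icon".
    """
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, kind, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or kind != 1 or count == 0:
        raise ValueError("not an ICO header")
    dir_end = ICO_HEADER.size + count * ICO_ENTRY.size
    if len(data) < dir_end:
        raise ValueError("truncated ICO directory")
    end = dir_end
    for i in range(count):
        *_, size, offset = ICO_ENTRY.unpack_from(data, ICO_HEADER.size + i * ICO_ENTRY.size)
        if offset < dir_end or offset + size > len(data):
            raise ValueError(f"directory entry {i} points outside the file")
        end = max(end, offset + size)
    return data[end:]


def extract_appended_text(data: bytes) -> Optional[str]:
    """Decode a base64 text appendix, if one is present (assumed encoding, see lead-in).

    Returns None when there is no trailing data or it is not decodable base64 text.
    """
    tail = b"".join(ico_trailing_data(data).split())  # drop line breaks / padding whitespace
    if not tail or not B64_RE.match(tail):
        return None
    try:
        return base64.b64decode(tail, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def build_ico(image_blobs: List[bytes], appended: bytes = b"") -> bytes:
    """Constructed test helper: pack raw image blobs into an ICO container.

    The blobs are not real bitmaps; the parser only inspects the directory, not pixels.
    """
    count = len(image_blobs)
    offset = ICO_HEADER.size + count * ICO_ENTRY.size
    entries, body = b"", b""
    for blob in image_blobs:
        entries += ICO_ENTRY.pack(16, 16, 0, 0, 1, 32, len(blob), offset)
        body += blob
        offset += len(blob)
    return ICO_HEADER.pack(0, 1, count) + entries + body + appended


# Constructed samples: a fake 40-byte header plus 16x16x4 bytes of "pixels".
FAKE_IMAGE = bytes(40) + b"\x7f" * (16 * 16 * 4)
DECOY_STRING = "https://c2.example.invalid/stage2"  # placeholder, not a real indicator
SAMPLE_CLEAN = build_ico([FAKE_IMAGE])
SAMPLE_TAINTED = build_ico([FAKE_IMAGE, FAKE_IMAGE],
                           b"\n" + base64.b64encode(DECOY_STRING.encode()) + b"\n")
SAMPLE_BINARY_TAIL = build_ico([FAKE_IMAGE], b"\x00\xff\x01\x02")


def report(name: str, data: bytes) -> str:
    """One-line triage verdict for an icon blob."""
    try:
        tail = ico_trailing_data(data)
    except ValueError as exc:
        return f"{name}: not an ICO ({exc})"
    if not tail:
        return f"{name}: clean, no bytes after last image"
    text = extract_appended_text(data)
    return f"{name}: {len(tail)} trailing bytes, decoded={text!r}"


if __name__ == "__main__":
    for label, blob in [("clean", SAMPLE_CLEAN), ("tainted", SAMPLE_TAINTED),
                        ("binary-tail", SAMPLE_BINARY_TAIL), ("pe-file", b"MZ" + bytes(64))]:
        print(report(label, blob))
```

Trailing bytes alone are a lead, not a verdict: some icon editors leave slack after the last image, so pair the size of the tail and whether it decodes to readable text with the context in which the icon was fetched (here, a softphone process pulling icons from a code-hosting site) before escalating.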
CrowdStrike observed malicious activity from the legitimate signed 3CXDesktopApp softphone binary on Windows and macOS, including beaconing, second-stage payload deployment, and limited hands-on-keyboard activity. CrowdStrike Intelligence assessed suspect…
A Korean malware-analysis post attributes DDD.html to Kimsuky and describes it as JavaScript/VBScript malware used in North Korea-linked activity against South Korea-focused targets. The sample hides VBScript logic that creates a WScript.Shell object, att…
Mandiant's podcast page summarizes a discussion of APT43, a North Korea-linked espionage actor publicly named by Mandiant. The available source evidence says the episode focuses on how APT43 targets security policy experts working on North Korea issues in…
ThreatMon analyzes Chinotto, a C++ DLL backdoor linked in the report to North Korea-based APT37/Reaper activity. The sample creates the mutex IUAvx6CHOil92jqFiHCjiPhzDC, configures C2 communication to 172.93.193.158 over /Data/goldll/proc.php, and encodes…
Mandiant assesses with high confidence that APT43 is a moderately sophisticated North Korean cyber operator supporting regime interests through espionage and cybercrime-funded operations. The group targets South Korea, the United States, Japan, and Europe…