3CX Breach Was a Double Supply Chain Compromise
2023-04-20 • KrebsOnSecurity
https://krebsonsecurity.com/2023/04/3cx-breach-was-a-double-supply-chain-compromise/
Krebs reported that the 3CX compromise was a nested supply-chain incident: a 3CX employee first installed a trojanized X_TRADER package, after which attackers used the employee's credentials to access 3CX and compromise Windows and macOS build environments. Mandiant attributed the operation to Lazarus, and the compromised 3CX applications later pulled encrypted icon files from GitHub to locate command infrastructure and deliver ICONICSTEALER. The article also connects the activity to Lazarus social-engineering operations using fake LinkedIn recruiter profiles and job-offer lures, including ESET findings on Linux-targeting malware disguised as an HSBC employment document.
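The GitHub-hosted icon files are the detection opportunity in this chain: a valid ICO file is fully described by its directory (a 6-byte header plus 16-byte entries giving each image's size and offset), so any bytes beyond the last image the directory references are not part of the icon. The following Python check is an added example, not code from the Krebs article, Mandiant, or 3CX; it assumes the hidden C2 data was appended after the directory-referenced image data as base64 text (the layout public incident reporting described), and it builds its own constructed clean and suspect icons rather than using any real sample.

```python
import base64
import re
import struct

# ICONDIR: reserved (0), type (1 = icon), image count
ICO_HEADER = struct.Struct("<HHH")
# ICONDIRENTRY: width, height, colour count, reserved, planes, bpp, bytes in resource, offset
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")

# Loose base64 alphabet check (appended strings in this style are usually one long line)
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def ico_image_extent(data: bytes) -> int:
    """Return the offset just past the last image the ICO directory references."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, ico_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    for i in range(count):
        entry_off = ICO_HEADER.size + i * ICO_DIR_ENTRY.size
        if entry_off + ICO_DIR_ENTRY.size > len(data):
            raise ValueError("truncated directory")
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(data, entry_off)
        if offset + size > len(data):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return end


def trailing_payload(data: bytes) -> dict:
    """Report bytes that sit after every image the directory accounts for."""
    end = ico_image_extent(data)
    trailer = data[end:]
    looks_b64 = bool(trailer) and BASE64_RE.match(trailer) is not None
    return {"trailing_bytes": len(trailer), "looks_base64": looks_b64, "trailer": trailer}


def build_ico(image_bytes: bytes) -> bytes:
    """Assemble a single-image ICO around arbitrary image bytes (constructed test input)."""
    header = ICO_HEADER.pack(0, 1, 1)
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    entry = ICO_DIR_ENTRY.pack(16, 16, 0, 0, 1, 32, len(image_bytes), offset)
    return header + entry + image_bytes


# Constructed samples: the image body is placeholder bytes, and the "C2 blob" is a
# made-up string standing in for an encrypted, base64-encoded locator.
CLEAN_ICO = build_ico(b"\x00" * 40)
SUSPECT_ICO = CLEAN_ICO + base64.b64encode(b"constructed-encrypted-c2-blob")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("suspect", SUSPECT_ICO)):
        result = trailing_payload(blob)
        print(name, result["trailing_bytes"], "trailing bytes, base64-like:", result["looks_base64"])
```

Run it over icon files fetched by a build or an application (for example, anything a desktop client pulls from a public repository at runtime) and treat any non-zero trailer as worth a look. Legitimate icons almost never carry bytes past the directory extent, so the check is a strong heuristic, but the base64 test is only a hint: encrypted data appended raw would fail it and still show up in the byte count.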