AhnLab describes the 3CX DesktopApp supply-chain compromise reported by CrowdStrike as activity by a North Korea-based actor and shows that Korean victims installed affected Windows versions before public disclosure, including logs from a domestic university. The malicious Windows installer loaded a trojanized ffmpeg.dll, decrypted data appended to d3dcompiler_47.dll, and ran downloader shellcode that fetched icon files from a GitHub repository before decoding C2 URLs used to retrieve additional malware, reportedly including an infostealer. The report also covers macOS DMG samples whose libffmpeg.dylib stored XOR-encoded C2 addresses. Representative infrastructure included raw.githubusercontent.com/IconStorages/images and domains such as msstorageazure.com, officestoragebox.com, and visualstudiofactory.com.