3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible

2023-04-20 Mandiant

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

Mandiant found that the 3CX Desktop App supply-chain compromise began with an earlier compromised X_TRADER installer from Trading Technologies, making it a cascading software supply-chain attack. The X_TRADER package deployed VEILEDSIGNAL through DLL side-loading, SIGFLIP, and DAVESHELL, while the later 3CX compromise distributed SUDDENICON and ICONICSTEALER and involved access to both the Windows and macOS build environments. Mandiant tracks the 3CX activity as UNC4736, a cluster with a suspected North Korean nexus, and assesses with moderate confidence that it is related to the financially motivated North Korean AppleJeus activity. Supporting evidence includes overlap with prior Google TAG reporting on the Trading Technologies compromise, POOLRAT infrastructure using journalide[.]org, older POOLRAT links to CISA-reported AppleJeus activity, and weaker DNS overlap with suspected APT43 clusters.

Indicators of Compromise

Type   Value                             First Seen   Last Seen
HASH   451c23709ecd5a8461ad060f6346930c  2023-04-20   2023-10-05
HASH   c6441c961dcad0fe127514a918eaabd4  2023-04-20   2023-04-20
HASH   19dbffec4e359a198daf4ffca1ab9165  2023-04-20   2023-04-20
HASH   ef4ab22e565684424b4142b1294f1f4d  2023-04-20   2023-04-20
