3CX Supply Chain Attack

2023-03-30 Open Analysis

https://research.openanalysis.net/3cx/northkorea/apt/triage/2023/03/30/3cx-malware.html


OpenAnalysis examined the 3CX supply-chain compromise by unpacking the signed 3CXDesktopApp-18.12.416.msi and tracing how the backdoored client delivered malware. The analysis found that ffmpeg.dll locates d3dcompiler_47.dll, searches for repeated FEEDFACE markers, decrypts appended data with RC4, and executes shellcode plus an embedded PE payload in memory. The malware creates a manifest file to enforce a delayed execution window, reads the MachineGuid value, and builds requests to the IconStorages GitHub repository for numbered icon files. Appended data in the icons is base64-decoded and decrypted to reveal stage-two C2 URLs such as pbxsources[.]com/exchange, although the source did not recover stage three.
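The two artefact shapes named above, repeated FEEDFACE markers inside a DLL and data appended past the declared end of an .ico file, are the kind of thing a responder checks for on disk. The script below is an added triage example written for this summary, not OpenAnalysis tooling: the DLL bytes and icon files it scans are constructed inline, the ICO parsing follows the public ICONDIR/ICONDIRENTRY layout, and because the report does not give the key for the layer under the base64 in the icons, the decoder stops at base64 and reports what it found.

```python
"""Added triage example (not OpenAnalysis code): look for the two artefact
shapes the 3CX write-up describes, repeated FEEDFACE markers in a DLL and
data appended past the end of an .ico file.  All inputs below are constructed."""
import base64
import binascii
import struct
from typing import List, Optional, Tuple

FEEDFACE = bytes.fromhex("FEEDFACE")


def find_feedface_runs(data: bytes, min_repeats: int = 2) -> List[Tuple[int, int]]:
    """Return (offset, repeat_count) for each run of back-to-back FEEDFACE markers.
    A lone occurrence can be a coincidence; the write-up describes repeated ones."""
    runs = []
    i = 0
    while True:
        j = data.find(FEEDFACE, i)
        if j < 0:
            return runs
        k = j
        while data.startswith(FEEDFACE, k):
            k += len(FEEDFACE)
        count = (k - j) // len(FEEDFACE)
        if count >= min_repeats:
            runs.append((j, count))
        i = k


def ico_appended_data(data: bytes) -> bytes:
    """Return whatever lies beyond the last image the ICO directory declares.
    ICONDIR is 6 bytes; each ICONDIRENTRY is 16 bytes with dwBytesInRes at +8
    and dwImageOffset at +12.  A well-formed icon has nothing after its images."""
    if len(data) < 6:
        raise ValueError("too short for an ICO header")
    reserved, itype, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or itype != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count
    if end > len(data):
        raise ValueError("truncated ICO directory")
    for idx in range(count):
        size, offset = struct.unpack_from("<II", data, 6 + 16 * idx + 8)
        end = max(end, offset + size)
    if end > len(data):
        raise ValueError("directory points past end of file")
    return data[end:]


def decode_appended(blob: bytes) -> Optional[bytes]:
    """Strip the base64 layer the report describes.  The next layer in the real
    samples is encrypted with a key the report does not give, so stop here."""
    if not blob:
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def build_sample_ico(image: bytes, trailer: bytes = b"") -> bytes:
    """Constructed 1x1 single-entry ICO; the image bytes need not be a real bitmap."""
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image + trailer


# Constructed inputs, not bytes from the real samples.
CLEAN_ICO = build_sample_ico(b"\x00" * 40)
SUSPECT_ICO = build_sample_ico(b"\x00" * 40, base64.b64encode(b"constructed-stage-two-blob"))
SAMPLE_DLL = b"MZ" + b"\x00" * 20 + FEEDFACE * 4 + b"<encrypted-blob>" + FEEDFACE + b"\x00" * 8


if __name__ == "__main__":
    print("FEEDFACE runs:", find_feedface_runs(SAMPLE_DLL))
    for name, ico in (("clean", CLEAN_ICO), ("suspect", SUSPECT_ICO)):
        tail = ico_appended_data(ico)
        print(name, "appended bytes:", len(tail), "decoded:", decode_appended(tail))
```

Run against real files by reading them into `bytes`; a non-empty return from `ico_appended_data` on an icon fetched from a public repository, or a run of several FEEDFACE markers inside a DLL that should contain none, is worth escalating regardless of whether the base64 layer decodes.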

Indicators of Compromise

Type    Value                              First Seen   Last Seen
DOMAIN  pbxsources.com                     2023-03-29   2024-09-09
URL     https://pbxsources.com/exchange    2023-03-30   2023-04-05
HASH    b56279136d816a11cf4db9fc1b249da…   2023-03-30   2023-03-30
