Sophos X-Ops described a developing 3CX Desktop application supply-chain attack, possibly involving a nation-state-related group, that abused signed Windows softphone packages to communicate with multiple C2 servers. The attack used a DLL sideloading chain with a clean 3CXDesktopApp.exe loader, a d3dcompiler_47.dll containing an appended encrypted payload, and a trojanized ffmpeg.dll that retrieved encoded .ico payloads. Sophos MDR observed malicious activity from customer 3CXDesktopApp installations on March 29, 2023, and noted that public file storage had hosted encoded malware since December 8, 2022. The source provides hunting guidance for known domains such as akamaicontainer.com, azuredeploystore.com, journalide.org, pbxsources.com, and raw.githubusercontent.com/IconStorages/images paths.