CrowdStrike observed malicious activity from the legitimate signed 3CXDesktopApp softphone binary on Windows and macOS, including beaconing, second-stage payload deployment, and limited hands-on-keyboard activity. CrowdStrike Intelligence assessed suspected nation-state involvement by LABYRINTH CHOLLIMA, tying the intrusion campaign to DPRK-focused tracking without providing additional attribution detail in the excerpt. The activity used 3CXDesktopApp abuse to reach actor-controlled domains such as akamaicontainer[.]com, azuredeploystore[.]com, journalide[.]org, msedgepackageinfo[.]com, pbxsources[.]com, and visualstudiofactory[.]com. The report matters because a trusted commercial application became the initial source of malicious telemetry, requiring defenders to hunt for 3CXDesktopApp presence and historical DNS activity across endpoint environments.