Ironing out (the macOS) details of a Smooth Operator (Part II)

2023-04-01 Objective-see

https://objective-see.org/blog/blog_0x74.html


Objective-See analyzes the macOS second-stage UpdateAgent payload from the 3CX supply-chain compromise, which the source attributes to North Korea's Lazarus Group. The first-stage trojanized libffmpeg.dylib downloaded UpdateAgent into the 3CX Desktop App support directory, made it executable, and launched it. UpdateAgent was an ad hoc signed x86_64 Mach-O whose signing identifier followed a pattern seen in other Lazarus macOS payloads, including AppleJeus samples. Once running, the malware forked and deleted its own binary from disk, read the 3CX config.json file, and prepared an HTTP POST to sbmsa.wiki/blog/_insert carrying the 3cx_auth_id and 3cx_auth_token_content values taken from that file.

Indicators of Compromise

Type    Value                                First Seen   Last Seen
URL     https://sbmsa.wiki/blog/_insert      2023-04-01   2024-01-01
DOMAIN  sbmsa.wiki                           2023-04-01   2024-01-01
HASH    55554944839216049d683075bc3f5a8…     2023-04-01   2023-10-05
HASH    9e9a5f8d86356796162cee881c843cd…     2023-04-01   2023-06-29
HASH    55554944ee2cb96a1f5132ce8788c3f…     2019-12-03   2023-04-01
