Mac-ing-sense-of-the-3CX-supply-chain-attack-analysis-of-the-macOS_9ZmzAbw.pdf (1 MB)

The 3CX compromise is presented as a chained supply-chain attack in which a trojanized Trading Technologies X_TRADER installer first infected a 3CX employee’s personal machine. Mandiant attributed the activity to a suspected North Korean actor tracked as UNC4736 and found that the attackers harvested credentials, moved laterally through 3CX, and compromised both Windows and macOS build environments. The macOS build server was reportedly infected with the POOLRAT backdoor using LaunchDaemons for persistence before malicious components were slipstreamed into signed and notarized 3CX macOS installers. Objective-See’s analysis focuses on the macOS implant, the malicious library delivered through the trojanized installer, and a self-deleting second-stage payload, while also noting POOLRAT detection artifacts including YARA strings and MD5 references. The case matters because it shows how one trusted software supply chain was used to compromise another, extending impact to enterprise macOS users.