Mandiant Security Update – Initial Intrusion Vector
2023-04-20 • 3CX
Mandiant traced the 3CX internal compromise to an employee's personal computer after the employee installed a trojanized Trading Technologies X_TRADER package downloaded from the vendor's site. The installer carried VEILEDSIGNAL, which gave UNC4736 administrator-level access and persistence, after which the actor stole 3CX corporate credentials and accessed the company VPN two days later. Inside 3CX, the actor used Fast Reverse Proxy disguised as MsMpEng.exe for lateral movement, then compromised Windows and macOS build environments with TAXHAUL, COLDCAT, and POOLRAT. Mandiant assessed with high confidence that UNC4736 has a North Korean nexus, making the incident notable as a supply chain compromise that enabled a second software supply chain attack.
Indicators of Compromise