Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

2023-04-03 Kaspersky

https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/


Kaspersky investigated whether the 3CX supply-chain compromise led only to an infostealer or also to follow-on implants, and found Gopuram backdoor deployments tied to infected 3CXDesktopApp processes. The report says Gopuram infections rose in March 2023 and were specifically observed against cryptocurrency companies, with persistence through malicious DLLs such as wlbsctrl.dll and encrypted shellcode stored under the Windows TxR path. Gopuram’s main module, guard64.dll, connects to C2 and supports file-system interaction, process creation, registry and service manipulation, timestomping, injection, driver-loading support, updates, and partial net-command functionality. Kaspersky attributes the 3CX campaign to Lazarus with medium to high confidence based on Gopuram’s prior coexistence with AppleJeus at a Southeast Asian cryptocurrency company, Lazarus-aligned targeting of cryptocurrency firms, and infrastructure overlap involving wirexpro[.]com.

Indicators of Compromise

Type    Value                             First Seen  Last Seen
HASH    f684e10ff1ffcdd32c62e73a11382896  2023-04-03  2023-04-03
HASH    9f85a07d4b4abff82ca18d990f062a84  2023-04-03  2023-04-03
HASH    ec3f99dd7d9dbce8d704d407b086e84f  2023-04-03  2023-04-03
HASH    933508a9832da1150fcfdbc1ca9bc84c  2023-04-03  2023-04-03
HASH    96d3bbf4d2cf6bc452b53c67b3f2516a  2023-04-03  2023-04-03
DOMAIN  wirexpro.com                      2022-12-01  2023-04-03
DOMAIN  oilycargo.com                     2022-12-01  2023-04-03
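As an added example (not code from the Kaspersky report or this page), the script below applies the indicators above to constructed host telemetry: it matches file hashes against the listed MD5s, flags the DLL names mentioned in the summary, checks for stray files under the TxR directory, and pulls hosts that resolved the two C2 domains. The on-disk TxR location, the assumption that only .blf and .regtrans-ms files belong there, and the DNS log layout are assumptions, not facts from the page.

```python
"""Triage constructed host telemetry against the Gopuram indicators above."""
from dataclasses import dataclass

IOC_HASHES = {  # MD5 values from the indicator table above
    "f684e10ff1ffcdd32c62e73a11382896", "9f85a07d4b4abff82ca18d990f062a84",
    "ec3f99dd7d9dbce8d704d407b086e84f", "933508a9832da1150fcfdbc1ca9bc84c",
    "96d3bbf4d2cf6bc452b53c67b3f2516a",
}
IOC_DOMAINS = {"wirexpro.com", "oilycargo.com"}  # C2 domains from the table
SUSPICIOUS_DLLS = {"wlbsctrl.dll", "guard64.dll"}  # module names in the summary
# Assumed location of the "Windows TxR path"; legitimate transaction-log files
# there use these extensions, so anything else under it deserves a look.
TXR_DIR = "c:\\windows\\system32\\config\\txr\\"
TXR_OK_EXT = (".blf", ".regtrans-ms")

@dataclass
class FileRecord:
    path: str
    md5: str

def triage_files(records):
    """Return (path, reason) pairs for file records matching an indicator."""
    hits = []
    for r in records:
        p = r.path.lower()
        name = p.rsplit("\\", 1)[-1]
        if r.md5.lower() in IOC_HASHES:
            hits.append((r.path, "md5 matches Gopuram IoC"))
        elif name in SUSPICIOUS_DLLS:
            hits.append((r.path, f"{name} present"))
        elif p.startswith(TXR_DIR) and not name.endswith(TXR_OK_EXT):
            hits.append((r.path, "unexpected file under TxR path"))
    return hits

def triage_dns(lines):
    """Return hosts that resolved an IoC domain, from 'timestamp host domain' lines."""
    return sorted({h for _, h, d in (l.split() for l in lines) if d.lower() in IOC_DOMAINS})

# Constructed sample telemetry (hostnames, paths and non-IoC hashes are made up).
SAMPLE_FILES = [
    FileRecord(r"C:\Windows\System32\wlbsctrl.dll", "0" * 32),
    FileRecord(r"C:\Windows\System32\config\TxR\0f7c4a3b.dat", "96D3BBF4D2CF6BC452B53C67B3F2516A"),
    FileRecord(r"C:\Windows\System32\config\TxR\sample.TM.blf", "1" * 32),
    FileRecord(r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe", "2" * 32),
]
SAMPLE_DNS = [
    "2023-03-29T08:12:01Z ws-017 wirexpro.com",
    "2023-03-29T08:13:44Z ws-017 example.org",
    "2023-03-30T19:02:10Z srv-02 oilycargo.com",
]

if __name__ == "__main__":
    for hit in triage_files(SAMPLE_FILES):
        print(*hit, sep="  ")
    print("hosts resolving IoC domains:", triage_dns(SAMPLE_DNS))
```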
