SmoothOperator-Campaign-Trojanizes-3CXDesktopApp_TA2023167.pdf (2 MB)

HivePro’s advisory attributes the SmoothOperator 3CX supply-chain campaign to LABYRINTH CHOLLIMA, listing aliases including HIDDEN COBRA, ZINC, Nickel Academy, and Lazarus Group, and describes worldwide targeting across automotive, food and beverage, hospitality, MSP, and manufacturing sectors. The attack used rigged 3CXDesktopApp installers for affected versions 18.12.407 and 18.12.416, then loaded a sideloaded malicious DLL and encrypted payload embedded in another DLL. The chain retrieved ICO files from GitHub that contained download URIs and ultimately led to ICONIC Stealer/SUDDENICON, with behavior including beaconing, second-stage deployment, and limited hands-on-keyboard manipulation. The source is largely an actionable advisory, providing MITRE ATT&CK categories and representative IOCs such as akamaitechcloudservices[.]com/v2/storage, glcloudservice[.]com/v1/console, pbxsources[.]com/exchange, protonmail addresses, and multiple file hashes.