SentinelOne documented SmoothOperator as an active 3CXDesktopApp supply-chain campaign in which trojanized installers acted as the first stage of a multi-stage attack chain. The malicious application reflectively loaded a DLL, pulled ICO files with appended Base64 data from the GitHub repository github.com/IconStorages/images, and used that data to retrieve a further stage. SentinelOne reported that the final stage hash cad1120d91b812acafef7175f949dd1b09c6c21a implemented infostealer functionality against system data and Chrome, Edge, Brave, and Firefox browser artifacts. The source explicitly said the actor’s infrastructure had been registered as early as February 2022 but that SentinelOne did not yet see obvious connections to existing threat clusters, so the summary should not overstate attribution.