Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise
2023-03-31 • Splunk
Splunk frames the 3CXDesktopApp incident as a software supply-chain compromise affecting signed desktop client builds, and provides defensive hunting guidance for customers investigating endpoint and network telemetry. The described chain begins with affected 3CXDesktopApp MSI versions loading a trojanized ffmpeg.dll. That DLL reads d3dcompiler_47.dll from disk, decrypts an RC4-encrypted shellcode blob with the key 3jB(2bsG#c7, and loads a DLL that sleeps, reads the MachineGUID, and fetches .ico files from a GitHub repository. The icon files carry encoded and encrypted C2 URLs; those C2 servers return configuration data and a final x64 browser-stealer DLL. The payload collects host details and harvests browsing history or SQLite data from Chrome, Firefox, Microsoft Edge, and Brave. The source is therefore most useful for defenders building detections around the 3CX infection chain rather than for broad attribution claims.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | visualstudiofactory.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | akamaitechcloudservices.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msedgepackageinfo.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageazure.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azureonlinestorage.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | zacharryblogs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officestoragebox.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | sourceslabs.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | officeaddons.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | glcloudservice.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | azuredeploystore.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | pbxsources.com | 2023-03-29 | 2024-09-09 |
| DOMAIN | msstorageboxes.com | 2023-03-29 | 2024-09-09 |
| HASH | c485674ee63ec8d4e8fde9800788175… | 2023-03-30 | 2023-04-28 |
| HASH | 7986bbaee8940da11ce089383521ab4… | 2023-03-30 | 2023-04-28 |
| HASH | 11be1803e2e307b647a8a7e02d12833… | 2023-03-30 | 2023-04-28 |
| URL | https://azureonlinestorage.com/… | 2023-03-30 | 2023-04-05 |
| URL | https://akamaitechcloudservices… | 2023-03-30 | 2023-04-05 |
| URL | https://pbxsources.com/exchange | 2023-03-30 | 2023-04-05 |
| URL | https://msstorageboxes.com/offi… | 2023-03-30 | 2023-04-05 |
| URL | https://msedgepackageinfo.com/m… | 2023-03-30 | 2023-04-05 |
| URL | https://azuredeploystore.com/cl… | 2023-03-30 | 2023-04-05 |
| URL | https://glcloudservice.com/v1/c… | 2023-03-30 | 2023-04-05 |
| URL | https://visualstudiofactory.com… | 2023-03-30 | 2023-04-05 |
| URL | https://officeaddons.com/techno… | 2023-03-30 | 2023-04-05 |
| URL | https://sourceslabs.com/downloa… | 2023-03-30 | 2023-04-05 |
| URL | https://msstorageazure.com/wind… | 2023-03-30 | 2023-04-05 |
| URL | https://officestoragebox.com/ap… | 2023-03-30 | 2023-04-05 |
| HASH | 5c54932fdbb077d73c58ac41a1ad3f6… | 2023-03-31 | 2023-03-31 |
| URL | https://zacharryblogs.com/feedh… | 2023-03-31 | 2023-03-31 |
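The chain summarised above can be hunted as a per-host sequence rather than as isolated indicators: the client loading its bundled ffmpeg.dll and d3dcompiler_47.dll is unremarkable on its own, but the same process then resolving GitHub and any process then reaching one of the listed C2 domains is not. The script below is an added example in Python, not Splunk's own content or SPL. The Sysmon-style event records are constructed, the DOMAIN rows of the table are used as the C2 list, and two things are assumptions not stated on the page: that the .ico stage is served from github.com or githubusercontent.com, and that the trojanized DLLs are loaded from the directory next to 3CXDesktopApp.exe.

```python
"""Hunt for the 3CXDesktopApp infection chain in endpoint telemetry.

Added example, not Splunk's code. Events are constructed Sysmon-style records
(Event ID 7 = ImageLoad, 22 = DNS query, 3 = network connection).
"""
from collections import defaultdict

# DOMAIN indicators from the IOC table; subdomains are matched as well.
C2_DOMAINS = frozenset({
    "visualstudiofactory.com", "akamaitechcloudservices.com",
    "msedgepackageinfo.com", "msstorageazure.com", "azureonlinestorage.com",
    "zacharryblogs.com", "officestoragebox.com", "sourceslabs.com",
    "officeaddons.com", "glcloudservice.com", "azuredeploystore.com",
    "pbxsources.com", "msstorageboxes.com",
})

# Assumption: the .ico stage is fetched from GitHub-owned hosts; the page only
# says "a GitHub repository".
GITHUB_SUFFIXES = ("github.com", "githubusercontent.com")

# Stage weights. A listed C2 domain alone crosses the threshold; the DLL loads
# alone never do, because both DLLs ship with the legitimate client.
STAGE_WEIGHTS = {"loader": 1, "github": 3, "c2": 5}
ALERT_THRESHOLD = 5

APP = r"C:\Users\alice\AppData\Local\Programs\3CXDesktopApp\app"
CLIENT = APP + r"\3CXDesktopApp.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "ws01", "event_id": 7, "image": CLIENT, "image_loaded": APP + r"\ffmpeg.dll"},
    {"host": "ws01", "event_id": 7, "image": CLIENT, "image_loaded": APP + r"\d3dcompiler_47.dll"},
    {"host": "ws01", "event_id": 22, "image": CLIENT, "query_name": "raw.githubusercontent.com"},
    {"host": "ws01", "event_id": 22, "image": CLIENT, "query_name": "msstorageazure.com"},
    # Benign noise on a second host: a game loading the real d3dcompiler_47.dll
    # from System32, and a browser visiting GitHub.
    {"host": "ws02", "event_id": 7, "image": r"C:\Games\game.exe",
     "image_loaded": r"C:\Windows\System32\d3dcompiler_47.dll"},
    {"host": "ws02", "event_id": 22,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "query_name": "github.com"},
]


def _split(path):
    """Lower-cased (directory, basename) of a Windows path."""
    path = path.replace("/", "\\").lower()
    directory, _, base = path.rpartition("\\")
    return directory, base


def is_3cx_client(image):
    return _split(image)[1] == "3cxdesktopapp.exe"


def ioc_domain(name):
    """Return the C2 domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for domain in C2_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def hunt(events):
    """Score each host against the chain and return {host: {"stages", "score"}}
    for hosts that reach ALERT_THRESHOLD."""
    hosts = defaultdict(lambda: {"stages": [], "score": 0})

    def add(host, stage, kind):
        record = hosts[host]
        if stage not in record["stages"]:  # count each stage once per host
            record["stages"].append(stage)
            record["score"] += STAGE_WEIGHTS[kind]

    for ev in events:
        image = ev.get("image", "")
        eid = ev["event_id"]
        if eid == 7 and is_3cx_client(image):
            # Assumption: the trojanized copies sit beside the executable, so a
            # load from any other directory is ignored.
            exe_dir, _ = _split(image)
            dll_dir, dll = _split(ev.get("image_loaded", ""))
            if dll in ("ffmpeg.dll", "d3dcompiler_47.dll") and dll_dir == exe_dir:
                add(ev["host"], "3CX loaded " + dll, "loader")
        elif eid in (3, 22):
            name = (ev.get("query_name") or ev.get("dest_host") or "").lower().rstrip(".")
            if is_3cx_client(image) and name.endswith(GITHUB_SUFFIXES):
                add(ev["host"], "3CX contacted GitHub (.ico stage)", "github")
            hit = ioc_domain(name)
            if hit:  # any process, not only the client: the final stealer is a separate DLL
                add(ev["host"], "contacted C2 domain " + hit, "c2")

    return {h: r for h, r in hosts.items() if r["score"] >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(host, result["score"], result["stages"])
```

On the constructed input only ws01 alerts, with all four stages; ws02 never scores because the DLL load is not by the 3CX client and the GitHub lookup comes from a browser. The same logic maps onto a search over Sysmon EventCode 7 and 22 grouped by host, which is where a Splunk customer would run it.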