Threat Advisory: 3CX Softphone Supply Chain Compromise

2023-03-30 Cisco Talos

https://blog.talosintelligence.com/3cx-softphone-supply-chain-compromise/


Cisco Talos tracked the 3CX Desktop Softphone compromise as a supply-chain attack that abused the product's legitimate update path to deliver malicious payloads to Windows and macOS users. The Windows infection chain relied on DLL sideloading, a seven-day sleep routine before any network activity, and icon files fetched from a GitHub repository (since removed) whose appended data carried encrypted command-and-control domains. The macOS variant took a different path, using a hardcoded C2 domain instead of the GitHub-based retrieval mechanism. Talos described the second-stage payloads as information stealers that collected system information and recent browsing history, most likely to let the operators triage victims and retain access only to selected systems. Infrastructure preparation dated back to early 2022, with the GitHub and domain activity that directly supported the campaign following in late 2022 and early 2023.
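The retrieval trick above works because the ICO format declares exactly where every image resource ends, so anything appended after the last resource is invisible to an image viewer but trivial to locate with a parser. The following triage script is an added example written for this page, not Talos's tooling or any 3CX code: it parses the ICO directory, reports bytes trailing the last image, and attempts a base64 decode of that trailer. It only handles the encoding layer; whatever additional encryption the real samples applied to the decoded string is not reproduced here. The sample icon, its placeholder image bytes and the URL it carries are all constructed inline and are not indicators from the incident.

```python
"""Flag ICO files that carry data appended after the last image resource."""
from __future__ import annotations

import base64
import binascii
import struct

ICO_HEADER = struct.Struct("<HHH")       # reserved, type (1 = icon), image count
ICO_ENTRY = struct.Struct("<BBBBHHII")   # w, h, colors, reserved, planes, bpp, size, offset


def parse_ico_entries(data: bytes) -> list[tuple[int, int]]:
    """Parse the ICO directory and return (offset, size) per image; raise on malformed input."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("shorter than an ICO header")
    reserved, ico_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or ico_type != 1:
        raise ValueError("not an ICO file")
    entries = []
    for i in range(count):
        pos = ICO_HEADER.size + i * ICO_ENTRY.size
        if pos + ICO_ENTRY.size > len(data):
            raise ValueError("truncated icon directory")
        *_, size, offset = ICO_ENTRY.unpack_from(data, pos)
        if offset + size > len(data):
            raise ValueError("image entry extends past end of file")
        entries.append((offset, size))
    return entries


def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the last image resource; a well-formed icon has none."""
    entries = parse_ico_entries(data)
    directory_end = ICO_HEADER.size + len(entries) * ICO_ENTRY.size
    end = max((off + size for off, size in entries), default=directory_end)
    return data[end:]


def decode_trailing_base64(data: bytes) -> bytes | None:
    """Return the base64-decoded trailer, or None if there is no trailer or it is not base64."""
    tail = trailing_bytes(data).strip()
    if not tail:
        return None
    try:
        return base64.b64decode(tail, validate=True)
    except (binascii.Error, ValueError):
        return None


def build_sample_ico(trailer: bytes = b"") -> bytes:
    """Construct a minimal one-entry icon (the image bytes are a placeholder, not a real
    bitmap) and optionally append a trailer, mimicking the appended-string technique."""
    image = b"\x00" * 40
    offset = ICO_HEADER.size + ICO_ENTRY.size
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image), offset)
    return header + entry + image + trailer


# Constructed samples; the URL is a placeholder, not an indicator from the incident.
PLACEHOLDER_URL = b"https://update.example.invalid/"
CLEAN_ICO = build_sample_ico()
TAMPERED_ICO = build_sample_ico(base64.b64encode(PLACEHOLDER_URL))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("tampered", TAMPERED_ICO)):
        tail = trailing_bytes(blob)
        print(f"{name}: {len(tail)} trailing byte(s), decoded={decode_trailing_base64(blob)!r}")
```

Run it against a directory of icons pulled from a suspect install and treat any non-empty trailer as worth a closer look; legitimate icons occasionally carry a few bytes of padding, so the base64 check separates harmless slack from an intentionally appended string.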
