Threat Advisory: 3CX Softphone Telephony Campaign

2023-03-30 Todyl

https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign

Todyl tracks the 3CX softphone compromise as a supply-chain attack, which the excerpt attributes to LABYRINTH CHOLLIMA, a DPRK-associated actor. The trojanized MSI distributed by the vendor contained a vulnerable executable alongside a malicious ffmpeg.dll; once loaded by 3CXDesktopApp.exe, the DLL performed reflective DLL injection and used an embedded key to decrypt later-stage content. For C2 and additional payload information, the campaign relied on a GitHub "IconStorages" repository whose icon files carried appended Base64 data; later reporting identified an information-stealing stage that collected browser and system data. Todyl blocked the known hashes and network indicators, hunted across customer telemetry, and reported no successful callbacks among its MXDR customers, but warned that exposed organizations should assess stored browser credentials and the possible extortion risk.

Indicators of Compromise

Type  Value                              First Seen  Last Seen
HASH  fad482ded2e25ce9e1dd3d3ecc3227a…   2023-03-29  2023-04-28
HASH  aa124a4b4df12b34e74ee7f6c683b2e…   2023-03-29  2023-04-28
HASH  72349cf4971607c1bc66314069f0c86…   2023-03-30  2023-03-30
HASH  5d99efa36f34aa6b43cd81e77544961…   2023-03-30  2023-03-30
