Understanding the magnitude of the 3CXDesktopApp phenomenon

2023-03-31 Emanueledelucia

https://www.emanueledelucia.net/understanding-the-magnitude-of-the-3cxdesktopapp-phenomenon/


The 3CXDesktopApp supply-chain compromise affected the Windows and macOS builds of a widely used desktop communications application, with CrowdStrike linking the activity to Lazarus Group. On Windows, the MSI installer executed 3CXDesktopApp.exe, which loaded a malicious ffmpeg.dll; that library searched for d3dcompiler_47.dll, decrypted an embedded payload with RC4, changed memory permissions, and staged a delayed loader. The loader was described as contacting a GitHub repository to retrieve .ICO files containing encrypted command-and-control strings, and a later payload was assessed to be a browser data stealer. Telemetry cited in the post associated SmoothOperator infrastructure such as msstorageazure[.]com and akamaitechcloudservices[.]com with activity across multiple countries and sectors, including manufacturing, finance, hospitality, technology, and industrial environments.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  akamaitechcloudservices.com         2023-03-29   2024-09-09
DOMAIN  msstorageazure.com                  2023-03-29   2024-09-09
HASH    27b134af30f4a86f177db2f2555fe01d    2023-03-31   2023-03-31
HASH    74bc2d0b6680faa1a5a76b27e5479cbc    2023-03-29   2023-03-31
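As an added defensive example, not code from the original post or from 3CX, the Python below sketches two triage checks drawn from the description above: flagging .ICO files that carry data appended after the image directory declares the last image to end, and matching file hashes and DNS query names against the indicators in the table. It assumes the table's 32-character hashes are MD5 (the page does not say which files they belong to), and the ICO bytes and DNS log lines are constructed samples in a made-up log format.

```python
import hashlib
import struct

# IoCs copied from the table on this page. Treating the hashes as MD5 is an assumption;
# the page gives 32-character hex values without naming the files they belong to.
KNOWN_BAD_MD5 = {"27b134af30f4a86f177db2f2555fe01d", "74bc2d0b6680faa1a5a76b27e5479cbc"}
KNOWN_BAD_DOMAINS = {"msstorageazure.com", "akamaitechcloudservices.com"}


def ico_trailing_bytes(data: bytes) -> int:
    """Bytes past the end of the last image declared in the ICO directory.

    A well-formed icon ends where its last image ends, so a blob appended after the
    image data (where the post says the C2 strings were carried) shows up as a tail.
    """
    if len(data) < 6:
        raise ValueError("too short for an ICO header")
    reserved, img_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or img_type != 1:
        raise ValueError("not an ICO file")
    end = 6 + 16 * count  # header plus directory entries
    if len(data) < end:
        raise ValueError("truncated ICO directory")
    for i in range(count):
        # entry: width, height, colours, reserved, planes, bpp, then size and offset
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        end = max(end, offset + size)
    return max(0, len(data) - end)


def matches_known_bad(data: bytes) -> bool:
    """True when the file content hashes to one of the listed indicators."""
    return hashlib.md5(data).hexdigest() in KNOWN_BAD_MD5


def suspicious_dns(lines) -> list:
    """Query names (subdomains included, defanged or not) that hit the listed C2 domains."""
    hits = []
    for line in lines:
        for token in line.split():
            name = token.lower().replace("[.]", ".").rstrip(".")
            if name in KNOWN_BAD_DOMAINS or any(name.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
                hits.append(name)
    return hits


# Constructed samples: a one-image ICO whose "pixels" are four placeholder bytes at
# offset 22, and DNS log lines in a made-up format.
SAMPLE_CLEAN_ICO = struct.pack("<HHH", 0, 1, 1) + struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, 4, 22) + b"\0" * 4
SAMPLE_DNS_LOG = [
    "2023-03-30T10:15:02Z ws-017 query A cdn.msstorageazure.com.",
    "2023-03-30T10:15:03Z ws-017 query A update.example.com.",
    "2023-03-30T10:16:40Z ws-042 query A akamaitechcloudservices[.]com",
]
```

A non-zero tail from ico_trailing_bytes is a triage signal, not proof: run it alongside the hash and DNS matches rather than on its own.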
