Updates and Timeline for 3CX and X_Trader Hacks
2023-04-22 • Kim Zetter
https://zetter.substack.com/p/updates-and-timeline-for-3cx-and
Mandiant described the 3CX compromise as a double supply-chain attack: North Korean actors first compromised Trading Technologies' X_Trader software and then used that foothold to move into 3CX. The attackers allegedly signed tainted X_Trader builds with a Trading Technologies certificate in 2021; the compromised software remained available until August 2022, and the actors later used an infected 3CX employee's personal computer to steal that employee's work credentials. With access to 3CX systems, they compromised the build servers and inserted a backdoor into the Windows and macOS versions of the 3CX VoIP application distributed to customers in March 2023. Security firms attributed the activity to financially motivated North Korean state-sponsored actors, with Kaspersky and ESET specifically connecting it to Lazarus; follow-on targeting was reportedly focused on a smaller subset of victims, including cryptocurrency firms.