Security researchers have issued warnings about a digitally signed trojan version of the 3CX VoIP desktop client used to target the company’s customers in a supply chain attack.
The trojan-ridden app seems to be the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from Github and eventually launches a third-stage novel info stealer that’s still being analysed at the time of writing.
3CXDesktopApp is a voice and video conferencing Private Automatic Branch Exchange (PABX) enterprise call routing software developed by 3CX and is used by more than 600,000 companies with nearly 12 million daily users. Companies using 3CX include high-profile brands like American Express, BMW, Mercedes-Benz, Ikea, Coca-Cola and McDonald’s to name a few.
There isn’t much information available on the attack vectors at the moment and 3CX is yet to publicly address the issue. However, according to security researchers at Crowdstrike both the Windows and macOS versions of the app are under attack.
As for who’s responsible, Crowdstrike thinks North Korean state-sponsored hacking group Labyrinth Collima is behind the attack, but Sophos researchers haven’t been able to verify this with high confidence yet.

The supply chain attack kicks off when the malicious MSI installer is downloaded from 3CX’s website or an update is issued to an existing installation. Once installation is complete, two malicious files — ffmpeg.dll and d3dcompiler.dll are extracted and used to perform the next stage of the attack, which involves downloading icon files hosted on Github appended with Base64 data.
The already installed malware then uses this Base64 data to download the final payload on infected devices which is the aforementioned info stealer which collects system information as well as browser data from Chrome, Edge, Brave and Firefox browsers.
Multiple customers in 3CX forums have been complaining about the program getting flagged as insecure since at least March 22. Reports include the program being marked malicious by Sentinalone, Crowdstrike, ESET, Palo Alto Networks and Sonicwall security software.
At the moment, customer reports indicate that these alerts were triggered after installing versions 18.12.407 and 18.12.416 on Windows and versions 18.11.1213 and above on macOS.
In the News: Apple WWDC 2023 is scheduled for June 5