3CX DesktopApp compromised by supply chain attack

3CX DesktopApp compromised by supply chain attack

3CX will be releasing an update for the DesktopApp in the next few hours; meanwhile, users are urged to use the PWA Client instead.

Credit: Dreamstime

3CX is working on a software update for its 3CX DesktopApp, after multiple security researchers alerted the company of an active supply chain attack in it. The update will be released in the next few hours; meanwhile the company urges customers to use its PWA (progressive web application) client instead. 

“As many of you have noticed the 3CX DesktopApp has a malware in it. It affects the Windows Electron client for customers running update 7,” Nick Galea, CEO at 3CX said in a security alert on Thursday. As an immediate response, the company advised users to uninstall and reinstall the app. 

3CX is a Voice Over Internet Protocol (VoIP) IPBX software development company. The 3CX DesktopApp allows users to make calls, chat, video conference, and check voicemail using their desktop. The company has over 600,000 customers and 12 million users in 190 countries. BMW, Honda, Ikea, Pepsi, and Toyota are some of its customers. 

Security researchers at Sophos, Crowdstrike, and SentinelOne alerted the company on Wednesday about the ongoing attack. 

Supply chain attacked

Researchers observed malicious activity originating from a trojanised version of the 3CX DesktopApp. “The software is a digitally signed version of the softphone desktop client for Windows and is packaged with a malicious payload,” Sophos said in its blog post. 

The application has been abused by the threat actor to add an installer that communicates with various command-and-control servers, Sophos said. 

The threat actor registered a massive attack infrastructure in February 2022, according to SentinelOne which is tracking the attack under the name SmoothOperator, adding, “but we don’t yet see obvious connections to existing threat clusters.” 

Researchers said it is a chain attack that in its first stage takes advantage of the DLL side-loading technique to load a malicious DLL that’s designed to retrieve an icon file payload. 

“The trojanised 3CXDesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub and ultimately leads to a 3rd stage infostealer DLL still being analysed as of the time of writing,” SentinelOne said. 

Similarly, Crowdstrike, found that the malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity. 

Sophos notes that the DLL side loading is designed in such a way that the users will not realise any difference while using the application. 

The information stealer can gather system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers. 

“PBX software makes an attractive supply chain target for actors; in addition to monitoring an organisation’s communications, actors can modify call routing or broker connections into voice services from the outside,” SentinelOne said. 

Windows version infected

While versions of the application run on Windows, Linux, Android, and MacOS, the company and security researchers SentinelOne and Sophos agree that only the Windows version has been infected. Crowdstrike, on the other hand, claims that the MacOS version has also been infected. 

CrowdStrike also attributes the attack to nation-state threat actor Labyrinth Chollima. Labyrinth Chollima is a prolific North-Korean threat actor known to be a subset of Lazarus group. 

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.



Join key decision-makers within Environmental, Social, and Governance (ESG) that have the power to affect real change and drive sustainable practices. SustainTech will bridge the gap between ambition and tangible action, promoting strategies that attendees can use in their day-to-day operations within their business.

EDGE 2023

EDGE is the leading technology conference for business leaders in Australia and New Zealand, built on the foundations of collaboration, education and advancement.


ARN has celebrated gender diversity and recognised female excellence across the Australian tech channel since first launching WIICTA in 2012, acknowledging the achievements of a talented group of female front runners who have become influential figures across the local industry.

ARN Innovation Awards 2023

Innovation Awards is the market-leading awards program for celebrating ecosystem innovation and excellence across the technology sector in Australia.

Show Comments