Supply Chain Incident
3CX desktop application software supply-chain compromise
Attackers compromised 3CX desktop application builds, causing trojanized installers and updates to reach downstream customers.
Executive Summary
The 3CX incident is modeled as a vendor build compromise that produced trojanized desktop application installers and updates for downstream customers.
Threatpedia keeps the affected desktop application, build pipeline, and signed update channel as separate primitives so the supply-chain path remains inspectable.
Timeline
- Trojanized desktop application activity precedes disclosure: The corpus records first observed activity before the public disclosure date and models the distribution through signed desktop application channels.
- Mandiant publishes detailed supply-chain analysis: Mandiant's report is the researcher reference used for the structured build-compromise and signed-update modeling in this record.
Attack Chain
- Vendor build compromise: The compromise is represented at the 3CX DesktopApp build pipeline rather than as a package-registry event.
- Signed desktop application distribution: Trojanized artifacts reached users through signed software installer and update paths recorded in the distribution-channel field.
- Downstream customer exposure: The impact categories include malware distribution, backdoor behavior, and downstream customer compromise through trusted application delivery.
Affected Ecosystem
The affected ecosystem spans Windows, macOS, and vendor-update distribution for the 3CX DesktopApp software component.
Defensive Lessons
Endpoint software delivered by a trusted vendor still needs behavioral monitoring, because a compromise that occurs in the build pipeline produces artifacts that are then signed and distributed through the vendor's normal channels; a valid signature is not evidence that the build was clean.
Build pipeline, signed installer, and update-channel evidence should be retained as separate records so that later investigation can establish where in the path the compromise occurred, rather than collapsing them into one field.
Detection Notes
Useful pivots include 3CX DesktopApp, the vendor build pipeline, signed installer or update activity, and the March-to-April 2023 disclosure window.
Open Questions
The corpus records source-artifact divergence as unknown because this record does not independently compare source state to the distributed desktop artifacts.
Affected Packages
No structured records.
Affected Releases
No structured records.
Repositories
No structured records.
Organizations
Maintainers
No structured records.
Threat Actors
Campaigns
Build Systems
- 3CX DesktopApp build pipeline
Distribution Channels
- Signed software installer/update channel
Compromised Accounts
No structured records.
Connected Entities
- 3CX (Organization)
- 3CX DesktopApp build pipeline (Build System)
- Lazarus Group (Threat Actor)
- Lazarus Group Operation SmoothOperator - 3CX Software Supply Chain Compromise (Campaign)
- Signed software installer/update channel (Distribution Channel)
Attribution Evidence
Mandiant's 3CX report supports the Lazarus-associated actor edge through its UNC4736 attribution assessment.
The SmoothOperator campaign node covers the same 3CX software supply-chain compromise represented by this incident.
References
- SentinelOne, 2023-03-29: SmoothOperator: Ongoing Campaign Trojanizes 3CX Software
- Mandiant, 2023-04-20: 3CX Software Supply Chain Compromise