{ "name": "3CXDesktopApp Intrusion Campaign Prevention", "slug": "3cxdesktopapp-intrusion-campaign-prevention", "description": "A sophisticated supply chain attack compromised the legitimate 3CXDesktopApp softphone application across Windows, macOS, and Linux platforms. The malicious activity involved trojanized signed installers that deployed a compromised ffmpeg.dll binary, establishing HTTPS beacons to attacker-controlled infrastructure and enabling second-stage payload deployment. Analysis revealed the attack utilized specific beacon structures and encryption keys matching infrastructure patterns, with hands-on-keyboard activity observed in targeted cases. The operation affected multiple platforms through signed MSI installers containing malicious components. The attack demonstrated advanced tradecraft through abuse of trusted software distribution channels, requiring immediate removal of affected versions and deployment of behavioral detection capabilities to identify malicious beaconing activity.", "published": "2026-06-22T06:28:53.280000+00:00", "created_at": "2026-06-22T11:30:44.251000+00:00", "modified_at": null, "created_at_opencti": "2026-06-22T11:30:44.251000+00:00", "author": "AlienVault", "confidence": 100, "report_types": [ "threat-report" ], "labels": [ "3cxdesktopapp", "arcfeedloader", "labyrinth chollima", "softphone", "supply chain attack", "trojanized installer", "txrloader" ], "tags": [], "related_entities": { "indicators": [ { "id": "8d6b20ef-3793-4fce-b484-2713301efcbe", "name": "journalide.org" }, { "id": "88162738-7f6d-465a-8fbc-191d2ea7e001", "name": "akamaitechcloudservices.com" }, { "id": "55d75c6e-a476-440e-bf6d-15a5bff452fa", "name": "e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec" }, { "id": "dbd5b09c-5ae3-428c-878c-1da5313ff4a0", "name": "fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405" }, { "id": "18bf858a-38a0-478a-9ba4-7f5514ed280d", "name": "azureonlinestorage.com" }, { "id": "13ea7e43-635a-4638-87de-984f2e6b2aef", "name": "b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb" }, { "id": "7129aeb8-3423-4a09-aecf-9da3c5409cd1", "name": "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868" }, { "id": "47e92c19-ec54-467f-95bd-366d48ba02e1", "name": "dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc" }, { "id": "f4c527a4-b5ee-4ee2-8e43-83a5959992ff", "name": "59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983" }, { "id": "74d69e4f-80c0-40f6-9313-71f871657c20", "name": "officestoragebox.com" }, { "id": "62038a65-ccb4-4b49-b62f-302a6ff4bd86", "name": "92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61" }, { "id": "0aa004ba-ec84-4300-8abf-283ab3732bd3", "name": "msedgepackageinfo.com" }, { "id": "0a2265c6-0ea9-47de-8512-52e090fcc4d5", "name": "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896" }, { "id": "e04f00a7-d372-4637-bfa2-d8304a1cfb25", "name": "qwepoi123098.com" }, { "id": "08e4c2c6-a28c-4c59-816b-3ba2e3aff8f4", "name": "5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290" }, { "id": "7423960f-b317-4f31-a8da-5e623b06108b", "name": "msstorageboxes.com" }, { "id": "d649b26d-f186-4402-a906-80f92d7e0fca", "name": "visualstudiofactory.com" }, { "id": "f3e7ce0a-4413-4280-870e-cd76ef0513b4", "name": "azuredeploystore.com" }, { "id": "e6db6af4-c851-40d5-b220-a3de26bdb7ab", "name": "glcloudservice.com" }, { "id": "f16a6e5c-9482-4660-b9bb-4b57270d141c", "name": "officeaddons.com" }, { "id": "eae1a724-837b-4ca8-ba2e-a553b914c399", "name": "pbxphonenetwork.com" }, { "id": "acb96145-5460-424f-8c9d-ffaa63e2e77a", "name": "pbxcloudeservices.com" }, { "id": "9d7da76c-7692-44ec-872e-316ff52f6bba", "name": "dunamistrd.com" }, { "id": "3331b779-82e9-4edc-b1bd-cad3ea410b42", "name": "msstorageazure.com" }, { "id": "e47d8241-4000-4e9c-9039-6e3b14212736", "name": "akamaicontainer.com" }, { "id": "3b201e0e-74b2-43e1-9b54-2d0aa1067e83", "name": "sbmsa.wiki" }, { "id": "9d5d5e71-df48-44c8-b6dc-4f046a9ec3f4", "name": "azureonlinecloud.com" }, { "id": "8ac0855e-176f-419a-9dc7-e085b32e1211", "name": "pbxsources.com" }, { "id": "fa3290b3-a5f2-468f-9d28-77ddca81dd34", "name": "zacharryblogs.com" } ], "intrusion_sets": [ { "id": "f84d0d4c-ec28-4155-b729-8e2c337a0d90", "name": "Lazarus Group", "slug": "lazarus-group" } ], "attack_patterns": [ { "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd", "name": "T1036.005" }, { "id": "c3af9fd7-d307-4df4-9220-cc627938fb85", "name": "T1055" }, { "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d", "name": "T1053" }, { "id": "a72ebeae-8e62-4039-8135-e9c611011fdc", "name": "T1573" }, { "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f", "name": "T1071.001" }, { "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3", "name": "T1090" }, { "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6", "name": "T1204.002" }, { "id": "60972cf6-e90b-4600-af3c-13c468391d9c", "name": "T1106" }, { "id": "af9ed2e3-4663-4723-beab-c606ddc312e0", "name": "T1543" }, { "id": "0c836307-129e-4ff7-a532-180c633cacba", "name": "T1027" }, { "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571", "name": "T1105" }, { "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4", "name": "T1195.002" }, { "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221", "name": "T1059" }, { "id": "fc699aef-8931-4a79-8f79-9651be9abd50", "name": "T1021" }, { "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e", "name": "T1071" }, { "id": "0156fcda-e385-4662-b388-086c3e16feec", "name": "T1140" }, { "id": "a7262c61-4567-4a00-8cec-aae6264234a9", "name": "T1218" }, { "id": "ce39cd5d-9e4c-4138-b546-abd68e57f8c2", "name": "T1071.004" }, { "id": "45082a8e-9c79-470e-ad1b-decac7188e8f", "name": "T1083" }, { "id": "70616b2f-4019-4963-b758-5d9f6f20e201", "name": "T1082" } ], "malware": [ { "id": "036af546-6e0d-47cd-af22-90c05563554c", "name": "TxRLoader" }, { "id": "7a332af2-5e61-4490-9661-a8a9acfa0582", "name": "ArcfeedLoader" } ], "observables": [ { "id": "c69a1a6b-5dff-47d2-918a-00d61413cd9e", "name": "pbxcloudeservices.com" }, { "id": "8b3b881d-2b5b-4ec6-a318-d102226092ee", "name": "azuredeploystore.com" }, { "id": "4791fef7-0695-481a-b729-82ff35674ad8", "name": "akamaitechcloudservices.com" }, { "id": "3fba8a9c-75f8-46df-89b9-ef944f4edf28", "name": "akamaicontainer.com" }, { "id": "98bb5b58-ee60-45a5-bfe7-745be199d0bd", "name": "glcloudservice.com" }, { "id": "01821ee4-8300-4a4f-a655-48133b42839c", "name": "zacharryblogs.com" }, { "id": "5250ddfe-44e7-470b-aff3-397026402f29", "name": "sbmsa.wiki" }, { "id": "4fd665e5-c790-42ef-acf0-aa3a09752c72", "name": "dunamistrd.com" }, { "id": "57a0d077-8fe6-429e-b415-1b0304be80aa", "name": "azureonlinestorage.com" }, { "id": "8964e48f-e17d-4892-9c77-d5a7119563a2", "name": "visualstudiofactory.com" }, { "id": "e8afa4a1-fe1c-48d3-a7ba-175d1fbee4a1", "name": "msstorageboxes.com" }, { "id": "60c631a7-3f1e-4a3d-b630-e78fcb52d8da", "name": "azureonlinecloud.com" }, { "id": "9d75f516-53c4-4c09-91a7-389b27f35e40", "name": "officestoragebox.com" }, { "id": "75698efd-af73-4caf-aa3c-529dd0948b34", "name": "msstorageazure.com" }, { "id": "8f99ec59-97e3-4caf-8f24-308f5a3af10a", "name": "pbxsources.com" }, { "id": "565ef00d-8e8c-4733-89ff-bb38e4f1dfc1", "name": "msedgepackageinfo.com" }, { "id": "3ec7594a-a853-40a9-b999-6ad9e5dccfda", "name": "journalide.org" }, { "id": "cf3c3f04-9318-4fea-a67b-ac704c7b7d00", "name": "qwepoi123098.com" }, { "id": "8632adbc-7525-4c74-ab56-46c0fe0c03d6", "name": "officeaddons.com" }, { "id": "4ad614a9-355e-4dde-bb0e-87fa371e642c", "name": "pbxphonenetwork.com" } ] }, "external_refs": [ { "id": "2c22dabd-6956-4743-a432-1cea4a1d59b1", "standard_id": "external-reference--2e28287f-a3cb-568e-941c-44dd22150240", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://otx.alienvault.com/pulse/6a38d6259f636193112c9c1c", "hash": null, "external_id": "6a38d6259f636193112c9c1c", "created": "2026-06-22T11:30:36.406Z", "modified": "2026-06-22T11:30:36.406Z", "createdById": null }, { "id": "65d0d494-a3f8-44f5-a48a-40ce9a7f0aa7", "standard_id": "external-reference--e37af6a6-58ad-5b2f-baba-5099ba45ae16", "entity_type": "External-Reference", "source_name": "AlienVault", "description": null, "url": "https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/?utm_source=Securitylab.ru", "hash": null, "external_id": null, "created": "2026-06-22T11:30:36.441Z", "modified": "2026-06-22T11:30:36.441Z", "createdById": null } ] }