3CX Supply Chain Attack

The 3CX Supply Chain Attack was the first publicly reported case of one software supply chain compromise triggering another, leading to a cascading, two-stage intrusion. The initial supply chain attack began when a 3CX employee downloaded and executed a trojanized, end-of-life version of the X_Trader trading software from Trading Technologies. This provided UNC4736, a threat cluster associated with AppleJeus, access to the 3CX environment. From there UNC4736 compromised the Windows and macOS build environments used to distribute the 3CX desktop application to its customers.[1] While 3CX serves more than 600,000 customers and 12 million users, only a subset of systems was affected. Subsequent targeting focused on victims in the defense and cryptocurrency sectors, where the attackers deployed secondary payloads such as Gopuram for credential theft and persistence.[2] The campaign began in late 2022 and was disrupted after security vendors publicly reported the compromise in March 2023.[3][4]

ID: C0057
First Seen:  November 2022 [1]
Last Seen:  March 2023 [3]
Contributors: Austin Larsen and the Google Threat Intelligence Group; Michael “Barni” Barnhart, DTEX
Version: 1.0
Created: 25 August 2025
Last Modified: 23 October 2025

Groups

ID Name Description
G1049 AppleJeus [1]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

During the 3CX Supply Chain Attack, AppleJeus's COLDCAT C2 channel used HTTP Cookie headers to carry data over HTTPS; the cookie names __tutma or __tutmc are hardcoded in the payload's HTTPS requests.[1][5]
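The hardcoded cookie names above are a usable network indicator. The following is an added example (not code from this page, 3CX, or any vendor report) that hunts for them in proxy logs. The JSON-lines log format and the log records themselves are constructed for the example; the only facts taken from the page are the two cookie names.

```python
"""Hunt for the hardcoded COLDCAT cookie names in TLS-inspecting proxy logs.

Added example, not 3CX or vendor code. The cookie names __tutma and __tutmc are
from the ATT&CK entry above; the JSON-lines log layout below is an assumption.
"""
import json

# Cookie names reported for the COLDCAT C2 channel.
COLDCAT_COOKIE_NAMES = {"__tutma", "__tutmc"}

# Constructed sample records (not real traffic). Header names vary in case.
SAMPLE_LOG = r"""
{"ts": "2023-03-22T10:14:03Z", "src": "10.1.2.33", "host": "cdn.example.test", "method": "GET", "uri": "/api/v1/status", "headers": {"Cookie": "session=abc123; theme=dark"}}
{"ts": "2023-03-22T10:14:07Z", "src": "10.1.2.33", "host": "cdn.example.test", "method": "POST", "uri": "/api/v1/upload", "headers": {"cookie": "__tutma=MTIzNDU2Nzg5MA==; __tutmc=ZGF0YQ=="}}
{"ts": "2023-03-22T10:15:11Z", "src": "10.1.2.40", "host": "intranet.example.test", "method": "GET", "uri": "/", "headers": {}}
{"ts": "2023-03-22T10:16:02Z", "src": "10.1.2.51", "host": "cdn.example.test", "method": "GET", "uri": "/js/app.js", "headers": {"Cookie": "_ga=GA1.2.1; __tutmc=AAAA"}}
not json at all
"""


def parse_cookie_header(value):
    """Return {name: value} for a raw Cookie header of the form 'a=b; c=d'."""
    cookies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        # partition on the first '=' so base64 padding in values survives
        name, _, val = part.partition("=")
        cookies[name.strip()] = val.strip()
    return cookies


def find_coldcat_cookies(log_text):
    """Return one hit per record whose Cookie header carries a COLDCAT cookie name."""
    hits = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        cookie_hdr = headers.get("cookie")
        if not cookie_hdr:
            continue
        matched = sorted(set(parse_cookie_header(cookie_hdr)) & COLDCAT_COOKIE_NAMES)
        if matched:
            hits.append({"ts": rec.get("ts"), "src": rec.get("src"),
                         "host": rec.get("host"), "cookies": matched})
    return hits


if __name__ == "__main__":
    for hit in find_coldcat_cookies(SAMPLE_LOG):
        print(hit)
```

Because the cookie is sent inside TLS, this check only works where the proxy terminates and logs the HTTPS request; without inspection, fall back on the destination hosts and the sending process.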

Enterprise T1217 Browser Information Discovery

During the 3CX Supply Chain Attack, AppleJeus leveraged ICONICSTEALER to steal browser information to include browser history located on the infected host.[6][1][7]

Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

During the 3CX Supply Chain Attack, AppleJeus installs a Launch Daemon to execute the POOLRAT macOS backdoor software.[1]

Enterprise T1678 Delay Execution

During the 3CX Supply Chain Attack, AppleJeus's software generated a random date one to four weeks in the future, compared it against the compromised machine's current time, and slept until that time was reached.[5] A delay of this length outruns the analysis window of most automated sandboxes, so the second stage is not observed during detonation.

Enterprise T1189 Drive-by Compromise

During the 3CX Supply Chain Attack, AppleJeus compromised the www.tradingtechnologies[.]com website hosting a hidden IFRAME to exploit visitors, two months before the site was known to deliver a compromised version of the X_TRADER software package.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL communication module supported three commands: send implant data, execute shellcode, and terminate itself.[1]

Enterprise T1546 .016 Event Triggered Execution: Installer Packages

During the 3CX Supply Chain Attack, AppleJeus added a malicious .dylib file to a .dmg installer package for the macOS 3CX application.[5]

Enterprise T1203 Exploitation for Client Execution

During the 3CX Supply Chain Attack, AppleJeus leveraged the Chrome vulnerability, CVE-2022-0609, in combination with a Drive-by Compromise website.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL

During the 3CX Supply Chain Attack, AppleJeus split functionality across multiple .dll files, using export functions such as DllGetClassObject to execute code from a .dll file embedded within another .dll file. AppleJeus also used DLL search order hijacking via the IKEEXT service, which runs with LocalSystem privileges, to load the TAXHAUL DLL for persistence.[5][1]

Enterprise T1559 Inter-Process Communication

During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL creates and listens on a Windows named pipe to exchange messages between modules.[1]

Enterprise T1027 Obfuscated Files or Information

During the 3CX Supply Chain Attack, AppleJeus payloads, including ICONICSTEALER and VEILEDSIGNAL, used the AES-256-GCM cipher to encrypt data.[6][1]

.009 Embedded Payloads

During the 3CX Supply Chain Attack, AppleJeus used an embedded .dll as part of a chained delivery mechanism to invoke the COM class factory.[5]

.013 Encrypted/Encoded File

During the 3CX Supply Chain Attack, AppleJeus encrypted its dynamic link library (.dll) files using RC4 and, when a file was loaded, decrypted only specific portions of it using the key 3jB(2bsG#@c7.[5]
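An analyst recovering the plaintext needs RC4 with that key applied to just the encrypted range. The following is an added example (not code from this page, 3CX, or the malware) that implements RC4 and decrypts a selected byte range of a file while leaving the rest untouched. Only the key string comes from the page; the container layout (a plaintext header followed by one RC4-encrypted region located by offset and length, with the keystream restarting at the region) and the sample payload are constructed assumptions.

```python
"""RC4 decryption of a selected region using the key reported for the 3CX DLLs.

Added example, not 3CX or malware code. KEY is from the ATT&CK entry above;
the container layout built by build_sample_container() is a constructed
assumption, not the real file format.
"""

KEY = b"3jB(2bsG#@c7"  # key reported on the page


def rc4_keystream(key):
    """Yield RC4 keystream bytes: key-scheduling (KSA) then the PRGA loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(data, key):
    """RC4 is a stream cipher: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_region(blob, offset, length, key=KEY):
    """Decrypt only blob[offset:offset+length]; bytes outside the region are kept.

    Assumes the region was encrypted as a standalone RC4 message, so the
    keystream starts at the region's first byte.
    """
    if offset < 0 or length < 0 or offset + length > len(blob):
        raise ValueError("region lies outside the blob")
    region = rc4_crypt(blob[offset:offset + length], key)
    return blob[:offset] + region + blob[offset + length:]


def build_sample_container(payload, key=KEY):
    """Constructed sample: a 16-byte placeholder header, then the RC4-encrypted payload.

    Returns (blob, offset, length) so the caller knows which region to decrypt.
    """
    header = b"MZ" + b"\x00" * 14  # placeholder only, not a real PE header
    return header + rc4_crypt(payload, key), len(header), len(payload)


if __name__ == "__main__":
    blob, off, ln = build_sample_container(b"example plaintext payload")
    print(decrypt_region(blob, off, ln)[off:off + ln])
```

The RC4 routine can be checked against the published test vector (key "Key", plaintext "Plaintext" gives ciphertext bbf316e8d940af0ad3) before trusting it on a real sample; a wrong offset produces garbage rather than an error, so locating the encrypted range in the file comes first.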

Enterprise T1055 Process Injection

During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL uses process injection to inject the C2 communication module code in the first found process instance of Chrome, Firefox, or Edge web browsers. It also monitors the established named pipe and re-injects the C2 communication module if necessary.[1]

.002 Portable Executable Injection

During the 3CX Supply Chain Attack, AppleJeus used the SigFlip tool to inject arbitrary code into a signed PE file without breaking its signature.[8][1] SigFlip writes the data into the file's Authenticode signature area, which is excluded from the signed hash, so signature verification still succeeds.

Enterprise T1620 Reflective Code Loading

During the 3CX Supply Chain Attack, AppleJeus leverages the publicly available open-source project DAVESHELL to convert PE-COFF files to position-independent code to reflectively load the payload into memory.[1][9]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Although the X_TRADER platform was reportedly discontinued in 2020, it was still available for download from the legitimate Trading Technologies website in 2022. During the 3CX Supply Chain Attack, AppleJeus used a code signing certificate to digitally sign the malicious software with an expiration date set to October 2022. This file was signed with the subject "Trading Technologies International, Inc" and contained the executable file Setup.exe, also signed with the same digital certificate.[1][3]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

During the 3CX Supply Chain Attack, AppleJeus first compromised an "end-of-life" trading software application which was downloaded and executed inside the 3CX enterprise environment. The second compromise modified the Windows and macOS build environments used to distribute the 3CX software to their customer base.[1]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

During the 3CX Supply Chain Attack, AppleJeus delivered components using a Windows Installer package (.msi). The MSI installer extracted several files and executed the 3CXDesktopApp.exe, which loaded the malicious library file ffmpeg.dll.[5]

.015 System Binary Proxy Execution: Electron Applications

During the 3CX Supply Chain Attack, AppleJeus leveraged the 3CX application's Electron framework to execute its malicious libraries under the official, signed 3CX Electron application.[5]

Enterprise T1078 Valid Accounts

During the 3CX Supply Chain Attack, AppleJeus gained access to the 3CX corporate environment using legitimate VPN credentials.[3]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

During the 3CX Supply Chain Attack, AppleJeus leveraged a GitHub repository to host icon files containing the command and control URL.[5][1]
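An icon file is a convenient dead drop because any bytes after the image data are ignored by viewers. The following is an added example (not code from this page, 3CX, or any vendor report) that parses the ICO directory, locates the end of the last image, and reports anything appended after it. The page only says the icon files contained the C2 URL; the assumption here that the URL is base64-encoded and appended after the last image, the sample icon, and the example URL are all constructed and are not the campaign's real format or an indicator from the page.

```python
"""Extract data appended to an ICO file past the images its directory declares.

Added example, not code from the campaign or a vendor. Assumes the hidden URL
is base64 text appended after the last image; that encoding, the sample icon,
and the example URL are constructed and are not the campaign's real format.
"""
import base64
import binascii
import struct
from urllib.parse import urlparse

ICO_HEADER = struct.Struct("<HHH")          # reserved, type (1 = icon), image count
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, size, offset


def ico_image_end(data):
    """Return the offset just past the last image referenced by the ICO directory."""
    if len(data) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, ico_type, count = ICO_HEADER.unpack_from(data, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    if len(data) < end:
        raise ValueError("truncated icon directory")
    for i in range(count):
        entry = ICO_DIR_ENTRY.unpack_from(data, ICO_HEADER.size + i * ICO_DIR_ENTRY.size)
        size, offset = entry[6], entry[7]
        if offset + size > len(data):
            raise ValueError("directory entry points outside the file")
        end = max(end, offset + size)
    return end


def trailing_data(data):
    """Bytes after the last image; a well-formed icon normally has none."""
    return data[ico_image_end(data):]


def extract_c2_url(data):
    """Decode appended base64 and return it only if it parses as an absolute http(s) URL."""
    tail = trailing_data(data).strip()
    if not tail:
        return None
    try:
        decoded = base64.b64decode(tail, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = urlparse(decoded)
    if parts.scheme in ("http", "https") and parts.netloc:
        return decoded
    return None


def build_sample_ico(appended=b""):
    """Constructed 1x1 icon: header, one directory entry, 40 placeholder image bytes."""
    image = b"\x28\x00\x00\x00" + b"\x00" * 36  # placeholder, not a valid bitmap
    offset = ICO_HEADER.size + ICO_DIR_ENTRY.size
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image), offset)
    return header + entry + image + appended


if __name__ == "__main__":
    url = "https://c2.example.test/update"  # hypothetical, not an indicator from the page
    ico = build_sample_ico(base64.b64encode(url.encode()))
    print(extract_c2_url(ico))
```

Applied to a repository of icon files, a non-empty trailing region is the thing to look at even when it does not decode as shown here, since a real dead drop may use a different encoding or encrypt the URL.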

Software

ID Name Description
S1144 FRP

During the 3CX Supply Chain Attack, AppleJeus used a compiled version of the publicly available FRP (fast reverse proxy) tool to move laterally within the 3CX network. AppleJeus dropped the binary in C:\Windows\System32 under the name MsMpEng.exe, masquerading as the Microsoft Defender engine.[1]
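A binary named after the Defender engine but running from System32 is detectable from the image path alone. The following is an added example (not code from this page, 3CX, or any vendor report) that flags process-creation events whose image name matches MsMpEng.exe but whose directory is not one the genuine engine runs from. The allowlist of legitimate parent directories is an assumption to verify against your own fleet, and the event records are constructed Sysmon-style data, not real telemetry.

```python
"""Flag processes masquerading as Microsoft Defender's MsMpEng.exe by image path.

Added example, not 3CX or vendor code. The page reports FRP dropped as
C:\\Windows\\System32\\MsMpEng.exe. LEGIT_PARENTS is an allowlist assumption
(tune it per fleet); SAMPLE_EVENTS are constructed records.
"""
from pathlib import PureWindowsPath

# Directories the genuine engine is expected to run from (assumption; verify locally).
LEGIT_PARENTS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)
WATCHED_NAMES = {"msmpeng.exe"}

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4112, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2302.7-0\MsMpEng.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"host": "ws02", "pid": 7720, "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\MsMpEng.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "pid": 7744, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"host": "ws03", "pid": 9001, "user": r"CORP\asmith",
     "image": r"C:\Users\Public\msmpeng.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "ws04", "pid": 1280, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]


def is_under(image, parent):
    """Case-insensitive check that image lives somewhere below parent (Windows paths)."""
    return str(image).lower().startswith(parent.lower().rstrip("\\") + "\\")


def find_masquerades(events):
    """Return events whose image name is watched but whose path is outside the allowlist."""
    hits = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        if image.name.lower() not in WATCHED_NAMES:
            continue
        if any(is_under(image, parent) for parent in LEGIT_PARENTS):
            continue
        hits.append({"host": ev["host"], "pid": ev["pid"], "user": ev["user"],
                     "image": ev["image"], "parent_image": ev["parent_image"]})
    return hits


if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE_EVENTS):
        print(hit)
```

Pair the path check with the file's Authenticode signer and hash: the real engine is Microsoft-signed, and a renamed FRP build will not be.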

References