Inside the 3CX Supply Chain Compromise

Anatomy of a Hack


In February of 2023, Silent Breach began to observe a significant anomaly surfacing across enterprise telemetry: digitally signed binaries communicating with obscure C2 domains, exfiltrating browser credentials via trusted VoIP software. Upon closer inspection, it became clear this was not an isolated incident but a coordinated, high-impact supply chain compromise involving 3CX, a globally deployed voice and video platform.

The incident, attributed by CrowdStrike to LABYRINTH CHOLLIMA (a North Korean state-sponsored actor associated with the Lazarus Group; Mandiant tracks the same activity as UNC4736), leveraged 3CX's trusted software delivery pipeline to distribute trojanized installers signed with 3CX's valid code-signing certificate. The implants reached thousands of enterprise environments worldwide before detection. This report provides a technical breakdown of the intrusion lifecycle, attacker tooling, TTPs, and detection strategies.

Attack Sequence

Initial Access
The adversary did not break into 3CX's build systems directly. The investigation Mandiant conducted on 3CX's behalf traced the intrusion to a trojanized installer for a third-party trading application (Trading Technologies' X_TRADER), itself the product of an earlier supply chain compromise by the same actor, which a 3CX employee ran on a personal computer. Credentials harvested from that host gave the actor a foothold in 3CX's corporate network and, from there, access to the Windows and macOS build environments, where malicious code was inserted into the official 3CXDesktopApp builds during the build process.

Targeted versions (Windows Electron client; 3CX's advisory lists the affected macOS builds separately):

  • v18.12.407

  • v18.12.416


These builds shipped a modified ffmpeg.dll that 3CXDesktopApp.exe, the signed application binary, loads from its own directory (classic DLL side-loading). The SHA-1 thumbprint reported for the signing certificate was 39C1B57F3E0EE10F70B1566D9F26B19A33F7352B. Note that a thumbprint identifies the certificate, not the file: it does not by itself distinguish a clean build from a trojanized one signed with the same key.

The trojanized update carried a valid signature and so passed the integrity checks that customers and most security tooling rely on; it reached installations worldwide through 3CX's automatic update channel between February and March 2023.


Stage 1: Reflective DLL Injection and Beaconing Infrastructure
After installation, 3CXDesktopApp.exe side-loaded the malicious ffmpeg.dll. The DLL did not carry the payload itself: it read an encrypted blob out of the companion d3dcompiler_47.dll (listed under the IoCs below), where the blob had been appended inside the file's Authenticode certificate table. Windows signature verification does not hash that region (the long-standing CVE-2013-3900 behaviour), so d3dcompiler_47.dll still verified as Microsoft-signed. ffmpeg.dll decrypted the blob with RC4 under a hardcoded key and executed the result in memory, never writing it to disk. Illustrative pseudocode (the helper names are placeholders, not Win32 APIs or recovered source):

/* illustrative pseudocode: helpers are placeholders, not real APIs */
unsigned char *shellcode = GetResource("#1337", "BIN");   /* locate the encrypted blob              */
DecryptRC4(shellcode, shellcode_len, "jE6d71W9r3Bp0A3v");  /* RC4 in place with the hardcoded key    */
ReflectiveLoad(shellcode);                                 /* map and run in memory, nothing on disk */

The beacon established C2 communication over HTTPS using randomized User-Agent headers and rotated domains, including:

  • avideo.media[.]org

  • pbxcloud[.]org

  • msedgeupdate[.]net


Name resolution for these domains showed fast-flux characteristics: short TTLs and records that rotated behind CDN front ends.


Stage 2: Encrypted Staging via GitHub and Credential Harvesting
The next stage was reached by way of .ico files in a public GitHub repository. Each file was a valid icon with base64 text appended after the last image. Public analyses of the campaign describe the decoded, decrypted content as the URL of the actual C2 server rather than the payload itself (a dead-drop resolver), so blocking GitHub alone does not remove the C2 channel. The implant decoded the trailing data, fetched the final stage from the resulting URL, decrypted it, and ran it inside the existing process.
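Added example, not from the original report: a small parser that walks the ICONDIR and ICONDIRENTRY structures of an .ico file, returns whatever follows the last declared image, and tries a strict base64 decode on it. The sample icon and the appended text are constructed inline; the real dead-drop files carried encrypted data after base64 decoding, so on a real sample the decoded bytes would still need to be decrypted.

```python
import base64
import binascii
import struct

ICONDIR = struct.Struct("<HHH")             # reserved, type (1 icon / 2 cursor), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")   # w, h, colours, reserved, planes, bpp, size, offset

def ico_trailing_data(ico: bytes) -> bytes:
    """Bytes that follow the last image an ICO declares. A well-formed icon ends
    where its last image ends; anything after that is a hiding place."""
    reserved, kind, count = ICONDIR.unpack_from(ico, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR file")
    end = ICONDIR.size + count * ICONDIRENTRY.size      # end of the directory itself
    for i in range(count):
        *_, size, offset = ICONDIRENTRY.unpack_from(ico, ICONDIR.size + i * ICONDIRENTRY.size)
        if offset + size > len(ico):
            raise ValueError("directory entry points past end of file")
        end = max(end, offset + size)
    return ico[end:]

def decode_if_base64(blob: bytes):
    """Strict base64 decode of the trailing text, or None if it is not base64."""
    text = blob.strip()
    if not text:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None

def inspect_ico(ico: bytes) -> dict:
    """What a hunter wants from one file: how much trails the image, and whether it decodes."""
    trailing = ico_trailing_data(ico)
    decoded = decode_if_base64(trailing)
    return {"trailing_len": len(trailing), "is_base64": decoded is not None, "decoded": decoded}

# --- constructed sample (not one of the real dead-drop files) -----------------
SAMPLE_SECRET = b"constructed-next-stage-marker"      # stands in for the encrypted C2 blob
SAMPLE_APPENDED = base64.b64encode(SAMPLE_SECRET)

def build_sample_ico(appended: bytes = b"") -> bytes:
    """One 1x1 entry whose 'image' is 44 dummy bytes (the parser never decodes pixels),
    followed by `appended`, which a normal icon would not have."""
    image = bytes(44)
    entry_offset = ICONDIR.size + ICONDIRENTRY.size
    header = ICONDIR.pack(0, 1, 1)
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(image), entry_offset)
    return header + entry + image + appended

if __name__ == "__main__":
    print("clean    :", inspect_ico(build_sample_ico()))
    print("dead-drop:", inspect_ico(build_sample_ico(SAMPLE_APPENDED)))
```

The same walk works for any directory-based container (CUR files use the identical layout with type 2): compute where the declared content ends and treat everything past it as foreign. Image viewers ignore trailing bytes, which is exactly why the technique goes unnoticed by anyone who only opens the file.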

The decrypted stage fingerprinted the host before committing to further activity, selecting high-value targets on the basis of:

  • WMI queries for system manufacturer and model

  • GetUserName() and GetComputerName() resolution

On selected systems, an infostealer targeting Chromium-based browsers was deployed to extract credentials and session data from, among other locations:

%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data

The file is an SQLite database; the implant queried it through SQLite APIs, decrypted the stored secrets with Windows DPAPI (CryptUnprotectData), and exfiltrated them in HTTPS POST requests. One caveat for anyone writing detections or reproducing the analysis: since Chrome 80 the password blobs in Login Data are encrypted with AES-256-GCM under a per-profile key, and DPAPI protects only that key (stored in the profile's Local State file). A call to CryptUnprotectData therefore recovers the key rather than the passwords, and it must run inside the victim user's logon session, which is why this class of stealer executes in the user's own process context rather than as a service.

Persistence and Evasion Techniques

Persistence mechanisms included:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdater

  • Dropped .lnk files in user Startup folders


Observed evasion techniques:

  • Sleep delays >10 seconds to evade sandbox detonation

  • API call obfuscation via hashing (e.g., LoadLibraryA, GetProcAddress)

  • Hypervisor checks via WMI: SELECT * FROM Win32_ComputerSystemProduct


The attacker maintained operational control, updating payloads mid-campaign and modifying encryption keys to invalidate static indicators.

Impact

The global impact of the 3CX compromise was extensive. The trojanized application was downloaded by thousands of organizations across more than 190 countries. Victims ranged from government entities to financial institutions, critical infrastructure providers, and Fortune 500 enterprises.

Because the malware operated within a signed application and used legitimate update channels, it bypassed many endpoint security controls. In several confirmed cases, threat actors successfully exfiltrated browser-stored credentials, session tokens, and authentication cookies, granting them persistent access to sensitive internal web applications, including single sign-on (SSO) platforms and cloud-based CRM systems.

The incident forced emergency patching cycles, rapid uninstallations, and forensics efforts in impacted environments. The use of GitHub for payload staging also raised concerns about abuse of trusted developer platforms as covert delivery vectors. Ultimately, the breach underscored the growing risk of trust-based compromise in software supply chains—and the high cost of downstream exposure.

Assessment and Remediation

The 3CX intrusion illustrates the strategic advantage attackers gain by infiltrating the software supply chain. By leveraging digitally signed binaries and hijacking the trust relationship between vendor and customer, the actor gained global reach with minimal detection footprint.

While the specific malware used in the 3CX supply chain compromise has been publicly exposed and the affected builds revoked, the broader threat posed by the TTPs (tactics, techniques, and procedures) used in this attack remains highly relevant today.

  • Signed binaries are still trusted implicitly: a valid signature proves who signed a file, not that the file is safe. Most EDRs and allow-listing tools still grant signed code a lighter touch, and attackers are likely to reuse this method elsewhere.

  • Reflective DLL injection and in-memory payload staging remain common in modern intrusions, especially by state-sponsored groups and red teams, precisely because they bypass disk-based detection.

  • Infrastructure reuse and payload evolution are possible: While the specific GitHub repositories and C2 domains have been shut down, cloned infrastructure and modified implants based on this tooling could still circulate in private or modified campaigns.

  • Some organizations may still be unknowingly compromised: If the initial 3CX compromise led to secondary payloads or credential theft, persistent access via other backdoors may still exist within organizations that never performed a full forensic sweep.


Organizations are advised to:

  • Immediately identify installations of the affected 3CX desktop app builds, including the macOS builds listed in 3CX's advisory

  • Conduct memory scans and YARA-based endpoint sweeps

  • Monitor for beaconing behavior and reimage affected systems


Confirmed IoCs:

  • ffmpeg.dll, listed hash: b6f58d5aa08512a740a42f8a4f8b3b25 (32 hex digits, the length of an MD5 digest rather than SHA-256; confirm the algorithm and value against 3CX's or your vendor's advisory before putting it in a rule)

  • d3dcompiler_47.dll, listed hash: a4f8e57d097871b0fba9c25a2f83c12f (same caveat; this file also still carries a valid Microsoft signature, so match on hash, not signature status)

  • GitHub dead-drop: https://github.com/IconStorages/images/blob/main/logo1.ico (repository since taken down; hunt for any 3CX process contacting github.com or raw.githubusercontent.com rather than keying on a single file name)


MITRE ATT&CK Mapping:

  • T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain

  • T1553.002 – Subvert Trust Controls: Code Signing (trojanized builds signed with 3CX's certificate)

  • T1574 – Hijack Execution Flow (side-loading of ffmpeg.dll by 3CXDesktopApp.exe)

  • T1620 – Reflective Code Loading

  • T1102.001 – Web Service: Dead Drop Resolver (GitHub-hosted .ico files)

  • T1071.001 – Application Layer Protocol: Web Protocols

  • T1082 – System Information Discovery (WMI and GetComputerName fingerprinting)

  • T1497 – Virtualization/Sandbox Evasion (sleep delays, Win32_ComputerSystemProduct checks)

  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

  • T1555.003 – Credentials from Password Stores: Credentials from Web Browsers


Recommended telemetry and hunting rules:

  • Collect image-load telemetry for 3CXDesktopApp.exe (for example Sysmon Event ID 7) and alert when ffmpeg.dll or d3dcompiler_47.dll is loaded with a hash that does not match a known-clean build; do not key on signature status alone, since d3dcompiler_47.dll in particular still verified as validly signed

  • Alert on 3CX processes resolving or connecting to github.com, raw.githubusercontent.com, or any destination outside the vendor's documented service domains (Sysmon Event IDs 22 and 3)

  • Scan 3CX process memory for private executable regions not backed by an image on disk, including regions whose PE header has been wiped, which is the footprint reflective loading leaves behind
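The first two rules above, written out as an added example (not the original report's tooling, and not a production Sigma rule): a Python evaluator over Sysmon-style events, plus the affected-version check from the remediation list. The events, the baseline hashes and the allow-list of expected destinations are constructed placeholders; a real deployment takes the baseline from a verified-clean install and the allow-list from the vendor's documented service endpoints. The memory-scan rule is not reproducible in a log evaluator and is left to the endpoint agent.

```python
import fnmatch
import ntpath

AFFECTED_VERSIONS = {"18.12.407", "18.12.416"}      # Windows client builds named in this report
CLIENT_EXE = "3cxdesktopapp.exe"
WATCHED_DLLS = {"ffmpeg.dll", "d3dcompiler_47.dll"}
# Hypothetical baseline: SHA-256 of each DLL as shipped in a clean build. Take real
# values from a verified-clean install or the vendor advisory, never from this example.
BASELINE_SHA256 = {"ffmpeg.dll": {"1111aaaa"}, "d3dcompiler_47.dll": {"2222bbbb"}}
# Hypothetical allow-list of destinations the client is expected to reach.
ALLOWED_HOSTS = ["*.3cx.com", "pbx.corp.example"]

def basename(path: str) -> str:
    return ntpath.basename(path).lower()

def parse_hashes(field: str) -> dict:
    """Sysmon 'Hashes' field ('SHA256=...,MD5=...') -> {'SHA256': '...', ...}, lower-case."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out

def host_allowed(host: str) -> bool:
    return any(fnmatch.fnmatch(host.lower(), pattern) for pattern in ALLOWED_HOSTS)

def version_affected(version: str) -> bool:
    return version.strip() in AFFECTED_VERSIONS

def evaluate(events: list) -> list:
    """Run the hunting rules over Sysmon-style records; return one alert per hit."""
    alerts = []
    for idx, ev in enumerate(events):
        if basename(ev.get("Image", "")) != CLIENT_EXE:
            continue                                   # every rule is scoped to the 3CX client
        eid = ev.get("EventID")
        if eid == 7:                                   # image load: side-loaded DLL hash check
            dll = basename(ev.get("ImageLoaded", ""))
            if dll in WATCHED_DLLS:
                sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
                if sha not in BASELINE_SHA256[dll]:
                    alerts.append({"rule": "3CX-DLL-HASH", "event": idx, "detail": f"{dll} sha256={sha}"})
        elif eid == 3:                                 # network connection
            host = ev.get("DestinationHostname") or ev.get("DestinationIp", "")
            if not host_allowed(host):
                alerts.append({"rule": "3CX-NET-DEST", "event": idx, "detail": host})
        elif eid == 22:                                # DNS query
            name = ev.get("QueryName", "")
            if not host_allowed(name):
                alerts.append({"rule": "3CX-DNS-QUERY", "event": idx, "detail": name})
    return alerts

# Constructed Sysmon-style events, not real telemetry.
APP = r"C:\Program Files\3CXDesktopApp\app\3CXDesktopApp.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": APP, "ImageLoaded": r"C:\Program Files\3CXDesktopApp\app\ffmpeg.dll",
     "Hashes": "SHA256=1111AAAA,MD5=00"},                         # matches baseline: quiet
    {"EventID": 7, "Image": APP, "ImageLoaded": r"C:\Program Files\3CXDesktopApp\app\ffmpeg.dll",
     "Hashes": "SHA256=ffff0000,MD5=00"},                         # unknown hash: alert
    {"EventID": 3, "Image": APP, "DestinationHostname": "raw.githubusercontent.com",
     "DestinationPort": 443},                                     # dead-drop fetch: alert
    {"EventID": 22, "Image": APP, "QueryName": "update.3cx.com"},   # hypothetical vendor host: quiet
    {"EventID": 22, "Image": APP, "QueryName": "msedgeupdate.net"}, # look-alike domain: alert
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "github.com"},                        # not the 3CX process: out of scope
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Scoping every rule to the client process is deliberate: GitHub traffic from a browser is noise, GitHub traffic from a softphone is not. The hash rule fires on anything outside the baseline rather than on a list of known-bad hashes, so it survives the attacker re-encrypting or re-packing the DLL, which this campaign did mid-stream.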


How Silent Breach Can Help

Silent Breach offers red team simulations that model complex supply chain and in-memory attacks. Our detection engineering team provides custom YARA and Sigma rules built to detect fileless malware, reflective DLLs, and obfuscated shellcode.

For organizations seeking to test their readiness against APT-level intrusion tactics, our offensive simulations and compromise assessments recreate adversarial techniques observed in the wild, including those used in the 3CX intrusion.

We provide CI/CD threat modeling, developer pipeline hardening, and secure code signing assessments to reduce exposure across your entire software lifecycle.

To assess your organization’s exposure to this and similar threats, contact Silent Breach for a customized threat simulation or detection validation package.


About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.