3CXDesktopApp Intrusion Campaign Prevention
A sophisticated supply chain attack compromised the legitimate 3CXDesktopApp softphone application across Windows, macOS, and Linux platforms. The malicious activity involved trojanized signed installers that deployed a compromised ffmpeg.dll binary, establishing HTTPS beacons to attacker-controlled infrastructure and enabling second-stage payload deployment. Analysis revealed the attack utilized specific beacon structures and encryption keys matching infrastructure patterns, with hands-on-keyboard activity observed in targeted cases. The operation affected multiple platforms through signed MSI installers containing malicious components. The attack demonstrated advanced tradecraft through abuse of trusted software distribution channels, requiring immediate removal of affected versions and deployment of behavioral detection capabilities to identify malicious beaconing activity.
AI Analysis
Technical Summary
The 3CXDesktopApp supply chain attack involved trojanized signed MSI installers across multiple platforms (Windows, macOS, Linux) that deployed a compromised ffmpeg.dll binary. This binary established encrypted HTTPS communications with attacker infrastructure to facilitate second-stage payload deployment. Analysis identified specific beacon structures and encryption keys consistent with the attacker’s infrastructure. The operation showed advanced techniques including abuse of trusted software signing and hands-on-keyboard activity, indicating targeted intrusions. No affected versions or patches are explicitly stated. The attack requires behavioral detection and removal of compromised software.
Potential Impact
The attack compromises the integrity of the 3CXDesktopApp by delivering malicious payloads through trusted signed installers, potentially allowing attackers to execute arbitrary code, maintain persistence, and conduct further intrusions via encrypted command and control channels. This undermines user trust in the software supply chain and exposes affected systems to advanced persistent threats.
Mitigation Recommendations
No official patch or remediation details are provided. Immediate removal of affected 3CXDesktopApp versions is advised. Deploy behavioral detection capabilities focused on identifying malicious HTTPS beaconing activity associated with the compromised ffmpeg.dll. Monitor for signs of second-stage payload execution. Follow vendor advisories for updates and remediation guidance as they become available.
Indicators of Compromise
- domain: akamaicontainer.com
- domain: azureonlinecloud.com
- domain: officeaddons.com
- hash: 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
- hash: 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
- hash: 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
- hash: aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
- hash: b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
- hash: dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
- hash: e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec
- hash: fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
- domain: akamaitechcloudservices.com
- domain: azuredeploystore.com
- domain: azureonlinestorage.com
- domain: dunamistrd.com
- domain: glcloudservice.com
- domain: journalide.org
- domain: msedgepackageinfo.com
- domain: msstorageazure.com
- domain: msstorageboxes.com
- domain: officestoragebox.com
- domain: pbxcloudeservices.com
- domain: pbxphonenetwork.com
- domain: pbxsources.com
- domain: qwepoi123098.com
- domain: sbmsa.wiki
- domain: visualstudiofactory.com
- domain: zacharryblogs.com
- hash: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/?utm_source=Securitylab.ru
- Adversary: Lazarus Group
- Pulse Id: 6a38d6259f636193112c9c1c
- Threat Score: null
Threat ID: 6a391b74eed863c81eb5b57e
Added to database: 06/22/2026, 11:24:36 UTC
Last enriched: 06/22/2026, 11:39:06 UTC
Last updated: 06/22/2026, 19:58:53 UTC