3CXDesktopApp Intrusion Campaign Prevention

June 22, 2026, 11:30 a.m.

Description

A sophisticated supply chain attack compromised the legitimate 3CXDesktopApp softphone application across Windows, macOS, and Linux platforms. The malicious activity involved trojanized signed installers that deployed a compromised ffmpeg.dll binary, establishing HTTPS beacons to attacker-controlled infrastructure and enabling second-stage payload deployment. Analysis revealed the attack utilized specific beacon structures and encryption keys matching infrastructure patterns, with hands-on-keyboard activity observed in targeted cases. The operation affected multiple platforms through signed MSI installers containing malicious components. The attack demonstrated advanced tradecraft through abuse of trusted software distribution channels, requiring immediate removal of affected versions and deployment of behavioral detection capabilities to identify malicious beaconing activity.

External References

https://otx.alienvault.com/pulse/6a38d6259f636193112c9c1c
https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/?utm_source=Securitylab.ru
Tags
supply chain attack
trojanized installer
2026-06-22
3cxdesktopapp
arcfeedloader
labyrinth chollima
softphone
txrloader

Date

  • Created: June 22, 2026, 6:28 a.m.
  • Published: June 22, 2026, 6:28 a.m.
  • Modified: June 22, 2026, 11:30 a.m.

Indicators

  • e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec
  • fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405
  • b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb
  • aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868
  • dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc
  • 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983
  • 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61
  • 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896
  • 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290
Download all indicators here!

Attack Patterns

  • TxRLoader
  • ArcfeedLoader
  • Lazarus Group

Additional Informations

  • Energy
  • Finance
  • journalide.org
  • akamaitechcloudservices.com
  • azureonlinestorage.com
  • officestoragebox.com
  • msedgepackageinfo.com
  • qwepoi123098.com
  • msstorageboxes.com
  • visualstudiofactory.com
  • azuredeploystore.com
  • glcloudservice.com
  • officeaddons.com
  • pbxphonenetwork.com
  • pbxcloudeservices.com
  • dunamistrd.com
  • msstorageazure.com
  • akamaicontainer.com
  • sbmsa.wiki
  • azureonlinecloud.com
  • pbxsources.com
  • zacharryblogs.com