3CX - isotope¹³

Incident Summary

3CX app updates delivered multi-stage malware.

Attackers compromised 3CX's build process and shipped malware through signed Desktop App updates for Windows and macOS to a customer base spanning hundreds of thousands of organizations. The breach cascaded from another supply-chain attack, X_TRADER, and turned 3CX into a downstream delivery system for data theft, reconnaissance, and follow-on payloads inside enterprise networks.

Date: 2022-12-07 to 2023-03-30
Category: Commercial
Target Surface: Build/CI
Insertion Phase: CI/CD
Impact: Backdoor
Cause: Build system compromise

What Was Affected

Package 3CX

LanguageC

ComponentApplication

Artifact typebinary archive

Domain typeproject download host

Domain 3cx.com

Compromised Versions

Windows: 18.12.407, 18.12.416
macOS: 18.11.1213, 18.12.402, 18.12.407, 18.12.416

Incident Context

Motive: Espionage
Attribution: Nation-state
Transitive: Yes
User Impact: 600000
Observed Duration: 113 days

Evidence

Compromised Artifacts

Current Artifacts and Analysis

Indicators and Changes

Hashes

sha256:53a44c2396d15c3a03723fa5e5db54cafd527b9eceb8f99aeffcf6f8c609e5f4
sha256:2b5fe5a62855dc3e818d0d1359e0ba773bdd2ec3fa3a770be87b4dd6baf02c43
sha256:e3364af12a49468c61480c2f7c76a593ea6cb89bedc86b3f9b989697c08977be
sha256:7145fbd6ccce5469270baa43ea5dcb323f64d0ca0ee210ac9ba7e2c3ea3162e5

External References

Source Data

Source record: proprietary/3cx/meta.yaml