Threat Intelligence: Active Campaign Targeting 3CX - D1defend D1defend

Threat Intelligence: Active Campaign Targeting 3CX - D1defend D1defend



Threat Intelligence: Active Campaign Targeting 3CX

Posted: March 30, 2023

Active intrusion campaign targeting users of the 3CX softphone telephony platform. The threat actor group, LABYRINTH CHOLLIMA, associated with the Democratic People’s Republic of Korea, is suspected to be behind this campaign.

CrowdStrike’s Intelligence Team has identified unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX.


The trojanized malware is signed with 3CX’s certificate, creating complexity for prevention using traditional security controls. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.

The 3CX CEO Nick Galea has been quoted by numerous sources urging users to uninstall the affected software, which includes versions 18.12.407 and 18.12.416 of the Windows application. The Macintosh application also appears to be impacted.

We recommend two steps: first if you have application control set up in your environments make sure this product is blacklisted and cannot run. Then go through and uninstall it.

We also recommend searching your software lists using your RMM to make sure it is not installed on any devices you may be unaware of.


CrowdStrike has behavioral preventions and atomic detectors targeting the abuse of 3CXDesktopApp. If you are a customer, please ensure that your prevention policies are properly configured with “Suspicious Processes” enabled. (This may not be on by default.) We recommend locating the presence of 3CXDesktopApp software in your environment by using the provided queries and hunting for historical presence of indicators in third-party tooling (if available).

Todyl also is tracking the campaign and has released preventions and detections across multiple Todyl modules, in addition to active threat hunting from the MXDR Team. Todyl’s ATI (Adversary Threat Intelligence) team is continuing to monitor developments and coordinating with both the MXDR and Detection Engineering teams.

As of March 29th, 10:43AM MT, VirusTotal showed that most antivirus vendors were not detecting this attack. However, other vendors like Sophos and SentinelOne and ESET have reportedly been marking the 3CX desktop application as malicious.

The actions mentioned in the links below significantly reduce the risk of infection for tenants leveraging CrowdStrike as well as Todyl’s Endpoint Security, SIEM, and SASE modules. However, it is still necessary to audit both you and your client’s environments thoroughly for the presence of 3CX associated malware.


As this campaign is still developing, it’s crucial to take immediate action to protect your customers from this threat. We recommend that you contact your security vendors to stay informed about their response to this attack. It’s also essential to regularly monitor your environment for any suspicious activities and follow the recommendations provided in the links below. By taking these measures, you can help ensure the safety and security of your business and your customers.

· CrowdStrike Tech Alert (requires a CrowdStrike login) –

· Todyl’s Blog Post –

· Please take a look at the Atomic Indicators in this Reddit post from CrowdStrike in order to use them within your own security stack to search for indications of compromise –

Contact Us Today!

Schedule a Call