C0057: 3CX Supply Chain Attack
The 3CX Supply Chain Attack was the first publicly reported case of one supply chain compromise triggering another, leading to a cascading, two-stage intrusion. The initial supply chain attack began when a 3CX employee downloaded and executed a trojanized, end-of-life version of the X_Trader trading software from Trading Technologies. This provided UNC4736, a threat cluster associated with AppleJeus, access to the 3CX environment. From there UNC4736 compromised the Windows and macOS build environments used to distribute the 3CX desktop application to their customers.[1] While 3CX serves more than 600,000 customers and 12 million users, only a subset of systems were affected. Subsequent targeting focused on victims in the defense and cryptocurrency sectors, where attackers deployed secondary payloads such as Gopuram for credential theft and persistence.[2] The campaign began in late 2022 and was disrupted after security vendors publicly reported the compromise in March 2023.[3][4]
Analyst context for executives and security teams
This campaign matters because it shows how one trusted software compromise can cascade into another trusted software ecosystem. For leaders, the key lesson is not just “supply chain risk,” but whether the organization can quickly identify affected software, validate build and update trust, and decide which downstream systems or customers require incident response attention when trusted applications become delivery paths.
Executive priority
Prioritize this as a resilience and assurance scenario: inventory trusted desktop applications, confirm third-party software lifecycle controls, and require evidence that build environments, signing processes, and update channels are monitored. The ATT&CK record ties the campaign to a prior software supply chain compromise, compromise of Windows and macOS build environments, secondary targeting in defense and cryptocurrency sectors, and use of credential theft and persistence payloads. Executives should ask whether vendor risk, endpoint visibility, identity monitoring, and IR playbooks can handle a cascading supplier incident without waiting for perfect attribution.
Technical view
MITRE does not provide a campaign-level detection section, so SOC and IR validation should be driven by the related techniques. Focus on software supply chain compromise, trusted installer/application execution, code signing trust abuse, embedded or encoded payloads, process injection, reflective loading, DLL abuse, msiexec and Electron application abuse, macOS Launch Daemons, installer package scripts, valid account abuse, browser information discovery, and web-based or encrypted command-and-control patterns. Because the campaign involved compromised Windows and macOS build environments and distributed desktop applications, defenders should validate both endpoint behavior and software provenance evidence rather than relying only on file reputation or signature trust.
Likely telemetry
- Software inventory and version/deployment records for 3CX, X_Trader, and other trusted desktop applications where applicable
- Endpoint process creation, parent-child process, command-line, module load, and memory/injection telemetry
- Windows Installer/msiexec execution events and installer package activity
- macOS Launch Daemon and installer script creation or modification events
- Code signing, certificate, notarization, and application provenance metadata
Detection direction
- Validate that trusted and signed applications are still inspected for abnormal child processes, network destinations, injected code, and persistence changes.
- Tune detections around installer packages, Electron-based applications, msiexec, DLL loading, Launch Daemons, process injection, and reflective code loading, with allowlists based on known administrative behavior.
- Correlate endpoint alerts with software inventory and vendor exposure data to identify systems that may have received compromised software rather than treating each alert in isolation.
- Review outbound web protocol traffic for unusual resolver behavior, encoded infrastructure references, proxy tooling such as FRP, and encrypted C2-like patterns while accounting for high false-positive rates in normal web traffic.
- Use identity telemetry to identify whether valid account use follows endpoint compromise indicators, since credential theft and persistence were noted in subsequent targeting.
Mitigation priorities
- Maintain current software inventory and rapid vendor exposure scoping for third-party desktop applications and build tools.
- Strengthen software supply chain governance: vendor risk review, update-channel validation, end-of-life software restrictions, and build/signing environment monitoring.
- Harden endpoints against persistence and stealth behaviors, including installer script abuse, Launch Daemon creation, DLL abuse, process injection, and suspicious use of trusted utilities.
- Improve identity controls and monitoring for valid account abuse, especially after suspected endpoint or supplier compromise.
- Ensure incident response playbooks include supplier compromise triage, affected-asset identification, customer/stakeholder notification decision support, and evidence preservation for audit or regulatory needs.
Analyst notes and limits
The campaign is attributed in ATT&CK relationship context to AppleJeus, and the official description references UNC4736 as associated with AppleJeus. The strongest defensive value is in using this as a tabletop and control-validation case for cascading software supply chain compromise, build environment assurance, trusted application monitoring, and identity follow-on investigation.
No official ATT&CK detection guidance, campaign tactics, labels, or platforms are provided. Platform references come from the official description and related techniques, not from the campaign platform field. Local software inventory, endpoint coverage, identity logs, and vendor exposure data are required to determine relevance and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027 | Obfuscated Files or Information | During the 3CX Supply Chain Attack, AppleJeus payloads used the AES-256 GCM cipher to encrypt data, including ICONICSTEALER and VEILEDSIGNAL. (Citations: Volexity 3CX Supply Chain Compromise AppleJeus IconicStealer March 2023; Mandiant 3cx UNC4736 2023) |
| Enterprise | T1559 | Inter-Process Communication | During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL creates and listens on a Windows named pipe to exchange messages between modules. (Citation: Mandiant 3cx UNC4736 2023) |
| Enterprise | T1078 | Valid Accounts | During the 3CX Supply Chain Attack, AppleJeus gained access to the 3CX corporate environment through legitimate VPN credentials. (Citation: 3cx official statement 2023) |
| Enterprise | T1195.002 | Compromise Software Supply Chain Sub-technique | During the 3CX Supply Chain Attack, AppleJeus first compromised an "end-of-life" trading software application which was downloaded and executed inside the 3CX enterprise environment. The second compromise modified the Windows and macOS build environments used to distribute the 3CX software to their customer base. (Citation: Mandiant 3cx UNC4736 2023) |
| Enterprise | T1189 | Drive-by Compromise | During the 3CX Supply Chain Attack, AppleJeus compromised the `www.tradingtechnologies[.]com` website, hosting a hidden IFRAME to exploit visitors, two months before the site was known to deliver a compromised version of the X_TRADER software package. (Citation: Mandiant 3cx UNC4736 2023) |
| Enterprise | T1543.004 | Launch Daemon Sub-technique | During the 3CX Supply Chain Attack, AppleJeus installed a Launch Daemon to execute the POOLRAT macOS backdoor. (Citation: Mandiant 3cx UNC4736 2023) |
| Enterprise | T1678 | Delay Execution | During the 3CX Supply Chain Attack, AppleJeus's software generates a randomly selected date between 1-4 weeks in the future. This timestamp is then checked against the current time of the compromised machine, and the malware sleeps until that time is reached. (Citation: Unit42 3cx supply chain 2023) |
| Enterprise | T1218.007 | Msiexec Sub-technique | During the 3CX Supply Chain Attack, AppleJeus delivered components using a Windows Installer package (.msi). The MSI installer extracted several files and executed 3CXDesktopApp.exe, which loaded the malicious library file ffmpeg.dll. (Citation: Unit42 3cx supply chain 2023) |
| Enterprise | T1102.001 | Dead Drop Resolver Sub-technique | During the 3CX Supply Chain Attack, AppleJeus leveraged a GitHub repository to host icon files containing the command and control URL. (Citations: Unit42 3cx supply chain 2023; Mandiant 3cx UNC4736 2023) |
| Enterprise | T1574.001 | DLL Sub-technique | During the 3CX Supply Chain Attack, AppleJeus split functionality across multiple .dll files using export functions, such as DLLGetClassObject, to execute code from an embedded .dll file within another .dll file. AppleJeus also used DLL search order hijacking via the IKEEXT service, running with LocalSystem privileges, to load the TAXHAUL DLL for persistence. (Citations: Unit42 3cx supply chain 2023; Mandiant 3cx UNC4736 2023) |
| Enterprise | T1620 | Reflective Code Loading | During the 3CX Supply Chain Attack, AppleJeus leveraged the publicly available open-source project DAVESHELL to convert PE-COFF files to position-independent code and reflectively load the payload into memory. (Citations: Mandiant 3cx UNC4736 2023; Daveshell sRDI GitHub shell code loader) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Although the X_TRADER platform was reportedly discontinued in 2020, it was still available for download from the legitimate Trading Technologies website in 2022. During the 3CX Supply Chain Attack, AppleJeus used a code signing certificate to digitally sign the malicious software, with an expiration date set to October 2022. This file was signed with the subject "Trading Technologies International, Inc" and contained the executable file Setup.exe, also signed with the same digital certificate. (Citations: Mandiant 3cx UNC4736 2023; 3cx official statement 2023) |
| Enterprise | T1217 | Browser Information Discovery | During the 3CX Supply Chain Attack, AppleJeus leveraged ICONICSTEALER to steal browser information, including browser history, from the infected host. (Citations: Volexity 3CX Supply Chain Compromise AppleJeus IconicStealer March 2023; Mandiant 3cx UNC4736 2023; Trend Micro 3CX AppleJeus ICONICSTEALER March 2023) |
| Enterprise | T1055 | Process Injection | During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL used process injection to inject the C2 communication module code into the first found process instance of the Chrome, Firefox, or Edge web browsers. It also monitors the established named pipe and re-injects the C2 communication module if necessary. (Citation: Mandiant 3cx UNC4736 2023) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | During the 3CX Supply Chain Attack, AppleJeus encrypted its dynamic library files (.dll) using RC4, and when loaded only decrypts specific portions of the file using the key `3jB(2bsG#@c7`. (Citation: Unit42 3cx supply chain 2023) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | During the 3CX Supply Chain Attack, AppleJeus's COLDCAT C2 used cookie headers to carry data over HTTPS. The cookies also contain the hardcoded variables `__tutma` or `__tutmc` in the payload's HTTPS request. (Citations: Mandiant 3cx UNC4736 2023; Unit42 3cx supply chain 2023) |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | During the 3CX Supply Chain Attack, AppleJeus used an embedded .dll as part of a chained delivery mechanism to invoke the COM class factory. (Citation: Unit42 3cx supply chain 2023) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | During the 3CX Supply Chain Attack, AppleJeus's VEILEDSIGNAL communication module supported three commands to conduct the following actions: send implant data, execute shellcode, and terminate itself. (Citation: Mandiant 3cx UNC4736 2023) |
| Enterprise | T1546.016 | Installer Packages Sub-technique | During the 3CX Supply Chain Attack, AppleJeus added a malicious .dylib file to a .dmg installer package for the macOS 3CX application. (Citation: Unit42 3cx supply chain 2023) |
| Enterprise | T1055.002 | Portable Executable Injection Sub-technique | During the 3CX Supply Chain Attack, AppleJeus used the SigFlip tool to inject arbitrary code without affecting or breaking the file's signature. (Citations: GitHub SigFlip opensource tool; Mandiant 3cx UNC4736 2023) |
| Enterprise | T1218.015 | Electron Applications Sub-technique | During the 3CX Supply Chain Attack, AppleJeus leveraged the 3CX application's Electron framework to execute its malicious libraries under the official 3CX Electron application. (Citation: Unit42 3cx supply chain 2023) |
| Enterprise | T1203 | Exploitation for Client Execution | During the 3CX Supply Chain Attack, AppleJeus leveraged the Chrome vulnerability CVE-2022-0609 in combination with a Drive-by Compromise website. (Citation: Mandiant 3cx UNC4736 2023) |
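As an added defender-side example (not code from the page, MITRE, or Glexia), the Python below applies the "Detection direction" guidance to the T1071.001 row: it scans web proxy records for Cookie headers carrying the `__tutma` / `__tutmc` names and raises severity when the requesting process is one the table ties to the malicious libraries or injected C2 module. The log format, process list, and sample records are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Cookie names quoted in the T1071.001 procedure text; everything else here is constructed.
C2_COOKIE_MARKERS = frozenset({"__tutma", "__tutmc"})
# Processes the page ties to the loader (3CXDesktopApp.exe/ffmpeg.dll) and to VEILEDSIGNAL injection.
HIGH_CONFIDENCE_PROCS = frozenset({"3cxdesktopapp.exe", "chrome.exe", "firefox.exe", "msedge.exe"})

# Constructed proxy-log format for this example: one key=value record per line.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+) cookie="(?P<cookie>[^"]*)"$'
)

# Constructed sample records; marker values are dummy base64, not real captures.
SAMPLE_LOG = """\
2023-03-22T10:01:02Z host=ws-17 proc=chrome.exe url=https://intranet.example/ cookie="sid=abc123; theme=dark"
2023-03-22T10:05:44Z host=ws-17 proc=chrome.exe url=https://cdn.example/api cookie="__tutma=QUJDREVG; lang=en"
2023-03-22T10:06:10Z host=ws-42 proc=3CXDesktopApp.exe url=https://update.example/ cookie="__tutmc=ZGF0YQ=="
2023-03-22T10:07:00Z host=ws-09 proc=outlook.exe url=https://mail.example/ cookie="token=xyz"
2023-03-22T10:09:31Z host=ws-09 proc=curl.exe url=https://api.example/ cookie="__tutma=dGVzdA=="
"""

@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    proc: str
    url: str
    markers: tuple
    severity: str

def cookie_names(cookie_header):
    """Return the cookie names in a Cookie header, ignoring values and blank parts."""
    return [p.split("=", 1)[0].strip() for p in cookie_header.split(";") if p.strip()]

def hunt(lines):
    """Return one Finding per record whose Cookie header carries a C2 marker name."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable record: skip rather than silently match on it
        rec = m.groupdict()
        hits = tuple(n for n in cookie_names(rec["cookie"]) if n in C2_COOKIE_MARKERS)
        if not hits:
            continue
        # The marker alone is a strong signal; a page-named loader or injection target raises it further.
        severity = "high" if rec["proc"].lower() in HIGH_CONFIDENCE_PROCS else "medium"
        findings.append(Finding(rec["ts"], rec["host"], rec["proc"], rec["url"], hits, severity))
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.severity.upper():6} {f.ts} {f.host} {f.proc} {f.url} markers={','.join(f.markers)}")
```

Feed it real proxy exports after adjusting `LOG_RE` to the field layout in use; correlate the hosts it returns with software inventory before escalating, as the mitigation list above recommends.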
Groups, software, and campaigns
G1049: AppleJeus
AppleJeus is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader Lazarus Group umbrella of actors, AppleJeus has been active since at least 2018 and is closely aligned in resources with TEMP.hermit, another DPRK-affiliated group under the same umbrella.[1] The group’s primary mission is to generate and launder revenue to provide financial support to the government. AppleJeus primarily targets the cryptocurrency industry and is most notably responsible for the 3CX Supply Chain Attack.[2] The group traditionally deploys malicious cryptocurrency software in combination with Phishing. From these compromised environments, it selectively deploys additional backdoors to enable extended operations against high-value financial targets.[3][4]
S1144: FRP
FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. FRP can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b01dab5437a2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant 3cx UNC4736 2023. Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov, Marius Fodoreanu, Daniel Scott. (2023, April 20). 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible. Retrieved August 25, 2025.
[2] Kaspersky 3CX Gopuram 2023. Georgy Kucherin, Vasily Berdnikov, Vilen Kamalov. (2023, April 3). Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack. Retrieved August 25, 2025.
[3] 3cx official statement 2023. Agathocles Prodromou. (2023, April 20). Security Update Thursday 20 April 2023 – Initial Intrusion Vector Found. Retrieved August 25, 2025.
[4] Krebs 3cx overview 2023. Brian Krebs. (2023, April 20). 3CX Breach Was a Double Supply Chain Compromise. Retrieved May 22, 2025.
[5] mitre-attack C0057.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.