3CX Supply Chain Attack Tied to Financial Trading App Breach

Mandiant found that North Koreas UNC4736 gained initial access on 3CXs network when an employee downloaded a weaponized but legitimately-signed app from Trading Technologies.

Turns out 3CX was not the original target in a recent supply chain compromise affecting customers of the video conferencing software maker: The attack came via a prior supply chain compromise involving Trading Technologies, a provider of high-performance trading software.
That makes the breach at 3CX one of the first known instances where an adversary used one supply chain attack to enable a second supply chain attack in an effort to try and breach multiple organizations. However, rather than being the victims of a targeted attack, 3CX and its customers appear to have become opportunistic victims for the threat actor, new research shows.
Researchers at Google Clouds
Mandiant discovered the chained attacks
after 3CX hired the security vendor to investigate a March 2023 incident where a threat actor — now identified as North Koreas Lazarus group — used
legitimate updates of 3CXs DesktopApp
to deliver malware to downstream customers.
Multiple security vendors at the time reported observing legitimately signed Windows and Mac versions of the 3CX app landing on customer systems bundled with malicious installers. When users attempted to deploy the poisoned software, the malicious installers executed a sequence of actions that ended with an information stealer on their systems. Kaspersky later observed Lazarus actors
dropping a second-stage backdoor,
tracked as Gopuram on systems belonging to a small number of affected 3CX users.
Security researchers surmised that the North Korean threat actor — whom Mandiant tracks as UNC4736 — would have needed extensive access to 3CXs build environment to pull off the attack. 3CX officials themselves merely noted the issue
likely had to do with one of the bundled libraries
compiled into the desktop app.
Mandiants investigation into how exactly UNC4736 might have compromised the 3CX environment showed the threat actor gained initial access when a 3CX employee downloaded a financial trading package called X_TRADER from the website of the developer, Trading Technologies.
UNC4736 actors had previously breached Trading Technologies systems, according to Mandiant, and inserted a backdoor in the X_TRADER apps installation file. When the 3CX user downloaded the app from the Trading Technologies website, the installer triggered actions that resulted in a modular, multi-stage backdoor called VEILEDSIGNAL landing on the individuals system.
The malware contained multiple functions, including those for sending implant data, executing shell code, and for terminating itself. VEILEDSIGNAL also included two other components: one for injecting the command-and-control module on Chrome, Firefox, or Edge, and the other for listening to incoming communications.
Marius Fodoreanu, principal consultant at Mandiant and the lead investigator in the 3CX compromise, says its unclear how UNC4736/Lazarus actors introduced the malicious installer for X_TRADER.
Mandiant is not performing an incident response for Trading Technologies, so we dont have direct visibility into the Trading Technologies environment, he says. But Mandiant has observed evidence of compromise of the Trading Technologies environment as far back as 2021, Fodoreanu says.
Fodoreanu says that following the initial compromise of the 3CX employees computer in 2022, the threat actor stole the employees corporate credentials. The attackers then used the administrative-level access and persistence that VEILEDSIGNAL provided on the system to eventually compromise 3CXs Windows and macOS build environments and insert malware into finished 3CX software packages.
The breach at 3CX would not have happened in this instance if the employee hadnt downloaded the malicious X_TRADER app. That means the company became a collateral and, therefore, an opportunistic victim of the North Korean group.
If you were starting from scratch and trying to intentionally target a company like 3CX, you would not go to Trading Technologies as an initial attack vector, Fodoreanu concedes.
However, when the threat actor discovered they had snagged a high-value victim, it is likely they pressed forward more deliberately, he says.
Yes, we believe it likely started off as [an] opportunistic attack, he says. But once they figured out that they had access to a company that likely has a lot of customers, they decided to continue to move forward and compromise the environment and then compromise the software.
Interestingly, 3CX is neither a vendor nor a customer of Trading Technologies. So, it is not clear why an employee from the company would have wanted to download X_TRADER, a spokeswoman from Trading Technologies said in an emailed statement to Dark Reading.
Given that this only came to our attention last week, we have not had the ability to verify the assertions in Mandiants report, the spokeswoman said. What we do know with certainty is that 3CX is not a vendor or a customer of Trading Technologies. There is no business relationship between the two companies.
The statement went on to note that Trading Technologies discontinued the X_TRADER app referenced in the Mandiant report in April 2020. Mandiant itself said its investigation showed, however, that the app was still available for download in 2022. There was no reason for anyone to download the software given that TT stopped hosting, supporting, and servicing X_TRADER after early 2020.
Fodoreanu says there is potential that other organizations might have downloaded the poisoned X_TRADER app during the two years it was available on Trading Technologies website, after the company discontinued the product.
We suspect there are a number of organizations that dont know theyre compromised yet, he says. Were hopeful that now that this information is out, itll help accelerate the process for companies to determine that theyre compromised and contain their incidents.
Meanwhile, in a separate development, security vendor Eset this week reported on a new Lazarus campaign it is currently tracking as
Operation DreamJob,
which it believes is linked to the 3CX attack for multiple reasons. Peter Kalnai, senior malware researcher at Eset, says the so-called SimplexTea Linux malware used in the DreamJob campaign shares the same C2 network infrastructure used in the 3CX attack.
The configuration of SimplexTea also bears the same name (apdl.cf) as SIMPLESEA the macOS malware reported in the 3CX attack, Kalnai says. There are also similarities in the manner in which messages are encrypted, he says.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
3CX Supply Chain Attack Tied to Financial Trading App Breach