In March 2023, security researchers at CrowdStrike and SentinelOne detected malicious activity originating from the 3CX Desktop App, a VoIP and PBX client used by over 600,000 organizations worldwide. What they uncovered was unprecedented: the 3CX compromise was itself the result of a prior supply chain attack — making it the first publicly documented case of a cascading supply chain compromise.
A supply chain of supply chains
The attack chain began not with 3CX but with Trading Technologies, a company that develops the X_TRADER financial trading application. An employee at 3CX installed a trojanized version of X_TRADER on their workstation — a version that had been backdoored through a separate, earlier supply chain compromise of Trading Technologies.
This attack, attributed to the Lazarus Group (DPRK), demonstrated that supply chain attacks can chain through multiple vendors, creating cascading compromises that are extremely difficult to trace.
From that single compromised developer workstation, the adversary moved laterally within 3CX’s network, eventually gaining access to the build environment. They then trojanized the 3CX Desktop App for both Windows and macOS, which was distributed through 3CX’s legitimate update channels.

Technical execution
The attack demonstrated sophisticated operational tradecraft:
- Initial vector: Trojanized X_TRADER application on a 3CX employee’s machine
- Lateral movement: From the developer workstation through 3CX’s internal network to the build infrastructure
- Payload delivery: Trojanized 3CX Desktop App loaded malicious DLLs on execution
- C2 mechanism: Encrypted command-and-control data retrieved from GitHub — the app downloaded icon files from a GitHub repository that contained encoded C2 server addresses
- Multi-platform: Both Windows and macOS versions of the 3CX app were compromised
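The C2 mechanism above relies on icon files that render normally while carrying extra data the image decoder never looks at. One defensive check that falls out of that description is to parse the ICO directory and ask whether the file ends where its last image ends. The following is an added example written for this page, not code from the original post or from any of the vendors or researchers it mentions. It uses only the documented ICO layout (a 6-byte header, 16 bytes per image entry, then the image blobs the entries point to); the sample icons and the "c2.example.invalid" trailer are constructed placeholders, not real indicators from the incident.

```python
import struct
import base64
import string

# ICO layout (ICONDIR / ICONDIRENTRY): 6-byte header, then 16 bytes per
# image entry, then the image blobs that the entries point at.
ICONDIR_FMT = "<HHH"            # reserved, type (1 = icon), image count
ICONDIRENTRY_FMT = "<BBBBHHII"  # w, h, colours, reserved, planes, bpp, size, offset
B64_ALPHABET = set((string.ascii_letters + string.digits + "+/=").encode())


def analyze_ico(data: bytes) -> dict:
    """Parse the ICO directory and report any bytes after the last image.

    A well-formed icon ends exactly where its last image blob ends; anything
    past that point is a trailer the renderer ignores, which is where appended
    data such as encoded C2 addresses would live.
    """
    if len(data) < 6:
        raise ValueError("too short for an ICO header")
    reserved, img_type, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or img_type != 1 or count == 0:
        raise ValueError("not an ICO file")
    dir_end = 6 + 16 * count
    if len(data) < dir_end:
        raise ValueError("truncated image directory")
    declared_end = dir_end
    entries = []
    for i in range(count):
        w, h, _colours, _res, _planes, bpp, size, offset = struct.unpack_from(
            ICONDIRENTRY_FMT, data, 6 + 16 * i)
        if offset < dir_end or offset + size > len(data):
            raise ValueError(f"image {i} points outside the file")
        # Width/height of 0 in the entry means 256 pixels.
        entries.append({"width": w or 256, "height": h or 256, "bpp": bpp,
                        "size": size, "offset": offset})
        declared_end = max(declared_end, offset + size)
    trailer = data[declared_end:]
    return {
        "entries": entries,
        "declared_end": declared_end,
        "trailer_len": len(trailer),
        # Base64 text is one common way to tuck a string into a trailer.
        "trailer_is_base64": bool(trailer) and len(trailer) % 4 == 0
                             and set(trailer) <= B64_ALPHABET,
    }


def scan_icons(icons: dict) -> list:
    """Return (name, verdict) pairs for icons that are malformed or carry a trailer."""
    flagged = []
    for name, blob in icons.items():
        try:
            report = analyze_ico(blob)
        except ValueError as exc:
            flagged.append((name, f"malformed: {exc}"))
            continue
        if report["trailer_len"]:
            kind = "base64 text" if report["trailer_is_base64"] else "binary"
            flagged.append((name, f"{report['trailer_len']} trailing bytes ({kind})"))
    return flagged


def build_minimal_ico(trailer: bytes = b"") -> bytes:
    """Construct a valid 1x1 32-bpp icon, optionally with bytes appended (sample data)."""
    # BITMAPINFOHEADER: height is doubled because the AND mask follows the pixels.
    bmp_header = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    image = bmp_header + bytes([0, 0, 0, 255]) + b"\x00" * 4   # one BGRA pixel + AND-mask row
    entry = struct.pack(ICONDIRENTRY_FMT, 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    return struct.pack(ICONDIR_FMT, 0, 1, 1) + entry + image + trailer


def sample_icons() -> dict:
    """Constructed samples: a clean icon and one with a base64 trailer standing in
    for an encoded C2 address (placeholder domain, not a real indicator)."""
    return {
        "clean.ico": build_minimal_ico(),
        "suspect.ico": build_minimal_ico(
            base64.b64encode(b"https://c2.example.invalid/")),
    }


if __name__ == "__main__":
    for name, verdict in scan_icons(sample_icons()):
        print(f"{name}: {verdict}")
```

Run against a directory of icons fetched by an application (or cached from a repository it pulls from), the scan gives a cheap triage signal: a renderer-valid icon with dozens of trailing bytes is worth pulling into a sandbox, whereas an icon that ends exactly at its declared image boundary is not. The check is structural only, so it also catches trailers that are not base64; the `trailer_is_base64` flag simply tells the analyst which ones decode to text.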
The 3CX incident forced a new question into supply chain threat modeling: what if the trusted software on your developer’s machine was compromised through yet another supply chain attack?
Attribution and motivation
The attack was attributed to the Lazarus Group, North Korea’s primary cyber operations unit. Lazarus has a well-documented pattern of targeting financial institutions and cryptocurrency exchanges to generate revenue for the regime. The initial compromise of Trading Technologies (a financial trading platform) aligns with this pattern, while the pivot to 3CX may have been an opportunistic expansion of access.
The 3CX incident highlights why developer workstations deserve the same security scrutiny as production servers. A compromised dev machine can be the entry point to a build pipeline compromise.
Key takeaways
- Supply chain attacks can cascade through multiple vendors, creating chains of compromise that are extremely difficult to detect and attribute
- Developer environments are high-value targets — compromising a developer’s workstation can lead to build pipeline access
- Even trusted applications on developer machines can be attack vectors — security teams must consider the integrity of all software running in development environments
- GitHub and other public platforms can be abused as C2 infrastructure, blending malicious traffic with legitimate developer activity
Want to dig deeper? Explore the project repository for detailed analysis of the 3CX cascade and other supply chain incidents.