Supply Chain Attack Targeting 3CX Softphone Application

Share :

On Wednesday, March 29, 2023, details of unexpected malicious activity observed from the legitimate and cryptographically signed 3CX SoftPhone Desktop App application were shared in a blog post by security researchers at Crowdstrike.  

On Thursday, March 30, 2023, the vendor 3CX posted a security advisory confirming a complex supply chain attack from an Advanced Persistent Threat (APT) targeting some users of the 3CX Desktop App with infostealer malware. The infostealer malware has been seen to gather system and browser information from infected systems, including browser history. According to 3CX, it appears that the APT would choose specific targets to download the next stages of their malware and the majority of infected systems had their files remain dormant. 

3CX has confirmed that the following Electron versions of the Windows & Mac desktop app are affected. Based on the known affected versions coming out in January 2023, we believe that this supply chain attack goes back to January. 

Windows                 macOS                   
18.12.407  18.11.1213 
18.12.416  18.12.402 


Recommendation #1: Remove 3CX Desktop App From Workstations 

3CX recommends uninstalling 3CX Desktop App while they work on creating new versions that are not infected. The vendor also recommends using the web app version of 3CX for the time being.  

The following versions of 3CX SoftPhone applications should be removed: 

Windows                  macOS                      
18.12.407            18.11.1213          
18.12.416  18.12.402 


Picture of James Liolios

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.
Share :
Table of Contents
Subscribe to our Monthly Newsletter