win.3cx_backdoor

3CX Backdoor

aka: SUDDENICON

Actor(s): Lazarus Group


According to CrowdStrike, this backdoor was discovered being embedded in a legitimate, signed version of 3CXDesktopApp, and thus constitutes a supply chain attack.

References
2023-10-04  Virus Bulletin / Peter Kálnai
            Lazarus Campaigns and Backdoors in 2022-23
            Families: SimpleTea, POOLRAT, 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SecondHandTea, SnatchCrypto, wAgentTea, WebbyTea, WinInetLoader

2023-08-30  Kaspersky Labs / David Emm
            IT threat evolution in Q2 2023
            Families: 3CX Backdoor, Bankshot, BLINDINGCAN, GoldMax, Kazuar, QUIETCANARY, tomiris, GoldenJackal

2023-04-20  ESET Research / Marc-Etienne M.Léveillé, Peter Kálnai
            Linux malware strengthens links between Lazarus and the 3CX supply-chain attack
            Families: BADCALL, SimpleTea, POOLRAT, 3CX Backdoor, IconicStealer

2023-04-03  Youtube (MalwareAnalysisForHedgehogs) / Karsten Hahn
            Malware Analysis - 3CX SmoothOperator ffmpeg.dll with Binary Ninja
            Families: 3CX Backdoor

2023-04-01  Github (dodo-sec) / dodo-sec
            SmoothOperator
            Families: 3CX Backdoor

2023-03-31  Cyble / Cyble
            A Comprehensive Analysis of the 3CX Attack
            Families: 3CX Backdoor

2023-03-31  Group-IB / Group-IB
            36gate: supply chain attack
            Families: 3CX Backdoor

2023-03-31  VMware / Threat Analysis Unit
            Investigating 3CX Desktop Application Attacks: What You Need to Know
            Families: 3CX Backdoor

2023-03-31  Reversing Labs / Karlo Zanki
            Red flags flew over software supply chain-compromised 3CX update
            Families: 3CX Backdoor

2023-03-31  Blackberry / The BlackBerry Research & Intelligence Team
            Initial Implants and Network Analysis Suggest the 3CX Supply Chain Operation Goes Back to Fall 2022
            Families: 3CX Backdoor

2023-03-31  Splunk / Splunk Threat Research Team
            Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise
            Families: 3CX Backdoor

2023-03-31  Zscaler / Meghraj Nandanwar, Niraj Shivtarkar, Rohit Hegde
            3CX Supply Chain Attack Campaign Campaign Analysis
            Families: 3CX Backdoor

2023-03-30  Rapid7 Labs / Rapid7
            Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign
            Families: 3CX Backdoor

2023-03-30  Huntress Labs / John Hammond
            3CX VoIP Software Compromise & Supply Chain Threats
            Families: 3CX Backdoor

2023-03-30  Cado Security / Cado Security
            Forensic Triage of a Windows System running the Backdoored 3CX Desktop App
            Families: 3CX Backdoor

2023-03-30  CrowdStrike / CS ENGINEER
            2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers
            Families: 3CX Backdoor

2023-03-30  Fortiguard / FortiGuard Labs
            3CX Desktop App Compromised (CVE-2023-29059)
            Families: 3CX Backdoor

2023-03-30  Symantec / Threat Hunter Team
            3CX: Supply Chain Attack Affects Thousands of Users Worldwide
            Families: 3CX Backdoor, IconicStealer

2023-03-30  OALabs / Sergei Frankoff
            3CX Supply Chain Attack
            Families: 3CX Backdoor

2023-03-30  Elastic / Daniel Stepanic, Devon Kerr, Joe Desimone, Remco Sprooten, Samir Bousseaden
            Elastic users protected from SUDDENICON's supply chain attack
            Families: 3CX Backdoor

2023-03-30  Trend Micro / Trend Micro Research
            Developing Story: Information on Attacks Involving 3CX Desktop App
            Families: 3CX Backdoor, IconicStealer

2023-03-30  Volexity / Ankur Saini, Callum Roxan, Charlie Gardner, Paul Rascagnères, Steven Adair, Thomas Lancaster
            3CX Supply Chain Compromise Leads to ICONIC Incident
            Families: 3CX Backdoor, IconicStealer

2023-03-29  CrowdStrike / Research & Threat Intel
            CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
            Families: 3CX Backdoor

2023-03-29  SentinelOne / Juan Andrés Guerrero-Saade
            SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
            Families: 3CX Backdoor
Yara Rules
[TLP:WHITE] win_3cx_backdoor_auto (20251219 | Detects win.3cx_backdoor.)
rule win_3cx_backdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.3cx_backdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8d442420 488d4d98 e8???????? 488bf8 488d542478 498bce e8???????? }
            // n = 7, score = 100
            //   4c8d442420           | ja                  0x1fc1
            //   488d4d98             | dec                 esp
            //   e8????????           |                     
            //   488bf8               | mov                 dword ptr [ebp - 0x38], edi
            //   488d542478           | movdqu              xmmword ptr [ebp - 0x28], xmm0
            //   498bce               | mov                 byte ptr [ebp - 0x38], 0
            //   e8????????           |                     

        $sequence_1 = { 488b4d8f 4c8d05b77c0300 41b920000000 c744242000000000 488d15c27c0300 ff15???????? }
            // n = 6, score = 100
            //   488b4d8f             | dec                 eax
            //   4c8d05b77c0300       | lea                 ecx, [ebp + 0x58]
            //   41b920000000         | je                  0x513
            //   c744242000000000     | dec                 eax
            //   488d15c27c0300       | mov                 ecx, dword ptr [ecx + 0x10]
            //   ff15????????         |                     

        $sequence_2 = { 41b8ffffffff 488bd6 ff15???????? ba25000000 8d4a1b }
            // n = 5, score = 100
            //   41b8ffffffff         | mov                 dword ptr [esp + 0x20], ebx
            //   488bd6               | nop                 
            //   ff15????????         |                     
            //   ba25000000           | dec                 eax
            //   8d4a1b               | lea                 ecx, [ebx + 0x40]

        $sequence_3 = { 0f87ff010000 c1e60a 81c60024a0fc 03f0 eb11 8d860024ffff }
            // n = 6, score = 100
            //   0f87ff010000         | jne                 0x10
            //   c1e60a               | dec                 eax
            //   81c60024a0fc         | add                 eax, ecx
            //   03f0                 | dec                 eax
            //   eb11                 | mov                 dword ptr [esp + 0x40], ecx
            //   8d860024ffff         | dec                 eax

        $sequence_4 = { 488bd7 498bcd e8???????? 498bc4 4c8d5c2450 498b5b40 }
            // n = 6, score = 100
            //   488bd7               | mov                 al, 1
            //   498bcd               | dec                 eax
            //   e8????????           |                     
            //   498bc4               | mov                 ecx, dword ptr [ebp + 0x37]
            //   4c8d5c2450           | dec                 eax
            //   498b5b40             | xor                 ecx, esp

        $sequence_5 = { 488d0547ac0100 4a8b04f8 42f644e83801 7515 e8???????? c70009000000 e8???????? }
            // n = 7, score = 100
            //   488d0547ac0100       | dec                 eax
            //   4a8b04f8             | mov                 dword ptr [ebp - 0x50], eax
            //   42f644e83801         | dec                 eax
            //   7515                 | lea                 eax, [ebp - 0x20]
            //   e8????????           |                     
            //   c70009000000         | movups              xmmword ptr [esp + 0x60], xmm0
            //   e8????????           |                     

        $sequence_6 = { 7424 488b4308 44386019 7515 6690 483b5810 750d }
            // n = 7, score = 100
            //   7424                 | inc                 ecx
            //   488b4308             | push                esi
            //   44386019             | dec                 eax
            //   7515                 | sub                 esp, 0x30
            //   6690                 | mov                 ebp, edx
            //   483b5810             | dec                 eax
            //   750d                 | mov                 edi, ecx

        $sequence_7 = { 488bc8 e8???????? 4889751f 4889752f 48897537 }
            // n = 5, score = 100
            //   488bc8               | and                 ecx, 0xf
            //   e8????????           |                     
            //   4889751f             | dec                 edx
            //   4889752f             | movsx               eax, byte ptr [ecx + esi + 0x32540]
            //   48897537             | inc                 edx

        $sequence_8 = { e8???????? 85c0 0f85cd100000 e9???????? 4c8d050bae0000 ebdb 4c8d05faad0000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | dec                 esp
            //   0f85cd100000         | cmovb               eax, edx
            //   e9????????           |                     
            //   4c8d050bae0000       | dec                 ecx
            //   ebdb                 | mov                 edx, ecx
            //   4c8d05faad0000       | test                eax, eax

        $sequence_9 = { 83b96804000002 0f8406020000 bd20000000 4c8d35e1510100 488b4310 }
            // n = 5, score = 100
            //   83b96804000002       | dec                 eax
            //   0f8406020000         | mov                 eax, edi
            //   bd20000000           | dec                 eax
            //   4c8d35e1510100       | mov                 edx, esi
            //   488b4310             | dec                 ebp

    condition:
        7 of them and filesize < 585728
}
[TLP:WHITE] win_3cx_backdoor_w0   (20230331 | Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time.)
rule win_3cx_backdoor_w0 {
    meta:
        author = "threatintel@volexity.com"
        date = "2023-03-30"
        description = "Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time."
        hash1 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        memory_suitable = 0
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
    strings:
        $cert =  { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }
        $app = "3CXDesktopApp.exe"
        $data = "202303"

    condition:
        all of them
}
[TLP:WHITE] win_3cx_backdoor_w1   (20230331 | Detection of malicious ICO files used in 3CX compromise.)
rule win_3cx_backdoor_w1 {
    meta:
        author = "threatintel@volexity.com"
        description = "Detection of malicious ICO files used in 3CX compromise."
        date = "2023-03-30"
        hash1 = "a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c"
        memory_suitable = 0
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
    strings:
        $IEND_dollar = {49 45 4e 44 ae 42 60 82 24} // IEND.B`.$
        $IEND_nodollar = {49 45 4e 44 ae 42 60 82 } // IEND.B`.

    condition:
        uint16be(0) == 0x0000 and
        filesize < 120KB and
        (
            $IEND_dollar in (filesize-500..filesize) and not
            $IEND_nodollar in (filesize-20..filesize) and
            for any k in (1..#IEND_dollar):
                (
                for all i in (1..4):
                    (
                        // byte value in 0x30..0x7a: covers [0-9a-zA-Z] plus a few ASCII
                        // punctuation characters in between (e.g. ':', '=', '@', '[', '_')
                        uint8(@IEND_dollar[k]+!IEND_dollar[k] + i ) < 123 and
                        uint8(@IEND_dollar[k]+!IEND_dollar[k] + i) > 47
                    )
                )
        )
}
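The condition of win_3cx_backdoor_w1 above encodes a simple structural check: a valid PNG ends with its IEND chunk, so an icon file whose embedded PNG is followed by a `$` and printable text has had data appended after the image. The following Python port of that condition is an added example and is not Volexity's or Malpedia's code; the ICO blobs it classifies are constructed in the script (no real 3CX artefacts are embedded), and the helper names `looks_like_tampered_ico`, `build_sample` and `classify_samples` are this example's own. It reproduces the rule's offsets faithfully, including the fact that the byte immediately after `$` is not inspected and that the 0x30..0x7a byte range is slightly wider than pure alphanumerics.

```python
import base64

# PNG IEND chunk type plus its fixed CRC (0xAE426082): the last 8 bytes of a well-formed PNG.
PNG_IEND = b"\x49\x45\x4e\x44\xae\x42\x60\x82"
IEND_DOLLAR = PNG_IEND + b"$"
MAX_SIZE = 120 * 1024   # the rule's "filesize < 120KB"


def _offsets(data: bytes, pattern: bytes) -> list[int]:
    """All start offsets of pattern in data (the equivalent of YARA's @pattern[k])."""
    found, pos = [], data.find(pattern)
    while pos != -1:
        found.append(pos)
        pos = data.find(pattern, pos + 1)
    return found


def looks_like_tampered_ico(data: bytes) -> bool:
    """Python port of the win_3cx_backdoor_w1 condition (assumption: same offsets as the rule).

    Returns True when an ICO-shaped file embeds a PNG whose IEND chunk is followed
    by '$' and printable text, i.e. something was appended after the image ended.
    """
    size = len(data)
    # uint16be(0) == 0x0000: the ICO header's reserved field must be zero
    if size < 2 or data[:2] != b"\x00\x00" or size >= MAX_SIZE:
        return False
    # $IEND_dollar in (filesize-500..filesize): the marker must start in the last 500 bytes
    dollar_hits = [o for o in _offsets(data, IEND_DOLLAR) if o >= size - 500]
    if not dollar_hits:
        return False
    # not $IEND_nodollar in (filesize-20..filesize): a clean PNG ends with IEND,
    # so an IEND starting within the last 20 bytes means nothing was appended
    if any(o >= size - 20 for o in _offsets(data, PNG_IEND)):
        return False
    # for any k ... for all i in (1..4): uint8(@match + !match + i) in 0x30..0x7a
    # The rule starts at i = 1, so the byte right after '$' is skipped; reproduced here.
    for off in dollar_hits:
        after = off + len(IEND_DOLLAR)        # @IEND_dollar[k] + !IEND_dollar[k]
        window = data[after + 1 : after + 5]
        if len(window) == 4 and all(0x30 <= b <= 0x7A for b in window):
            return True
    return False


def build_sample(appended: bytes) -> bytes:
    """Constructed ICO-like blob: header, one directory entry, a minimal PNG-shaped image, then `appended`."""
    ico_header = b"\x00\x00\x01\x00\x01\x00"       # reserved=0, type=1 (icon), count=1
    dir_entry = b"\x00" * 16                        # placeholder ICONDIRENTRY
    png_body = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + b"\x00\x00\x00\x00" + PNG_IEND
    return ico_header + dir_entry + png_body + appended


# Constructed samples (not real 3CX artefacts): a clean icon, an icon with '$' + base64
# text appended after IEND, and an icon with non-text bytes appended.
SAMPLES = {
    "clean": build_sample(b""),
    "dollar_base64": build_sample(b"$" + base64.b64encode(b"constructed sample payload")),
    "binary_trailer": build_sample(b"\x00" * 30),
}


def classify_samples() -> dict[str, bool]:
    """Run the ported condition over every constructed sample."""
    return {name: looks_like_tampered_ico(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:15s} tampered={verdict}")
```

Running the script flags only the sample with `$` followed by base64 text after IEND; the clean icon fails the "no IEND in the last 20 bytes" check and the binary trailer never produces an `IEND$` marker. Because the port keeps the rule's exact byte-range and offset arithmetic, it is also a convenient way to reason about what the YARA condition will and will not match before deploying it.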