win.3cx_backdoor

3CX Backdoor

aka: SUDDENICON

Actor(s): Lazarus Group


According to CrowdStrike, this backdoor was discovered embedded in a legitimate, signed version of 3CXDesktopApp, which makes its delivery a supply chain attack.

References

2023-10-04  Virus Bulletin  Peter Kálnai
  Lazarus Campaigns and Backdoors in 2022-23
  Families: SimpleTea, POOLRAT, 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SecondHandTea, SnatchCrypto, wAgentTea, WebbyTea, WinInetLoader

2023-08-30  Kaspersky Labs  David Emm
  IT threat evolution in Q2 2023
  Families: 3CX Backdoor, Bankshot, BLINDINGCAN, GoldMax, Kazuar, QUIETCANARY, tomiris, GoldenJackal

2023-04-20  ESET Research  Marc-Etienne M.Léveillé, Peter Kálnai
  Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack
  Families: BADCALL, SimpleTea, POOLRAT, 3CX Backdoor, BADCALL, IconicStealer

2023-04-03  Youtube (MalwareAnalysisForHedgehogs)  Karsten Hahn
  Malware Analysis - 3CX SmoothOperator ffmpeg.dll with Binary Ninja
  Families: 3CX Backdoor

2023-04-01  Github (dodo-sec)  dodo-sec
  SmoothOperator
  Families: 3CX Backdoor

2023-03-31  cyble  Cyble
  A Comprehensive Analysis of the 3CX Attack
  Families: 3CX Backdoor

2023-03-31  Group-IB  Group-IB
  36gate: supply chain attack
  Families: 3CX Backdoor

2023-03-31  vmware  Threat Analysis Unit
  Investigating 3CX Desktop Application Attacks: What You Need to Know
  Families: 3CX Backdoor

2023-03-31  Reversing Labs  Karlo Zanki
  Red flags flew over software supply chain-compromised 3CX update
  Families: 3CX Backdoor

2023-03-31  Blackberry  The BlackBerry Research & Intelligence Team
  Initial Implants and Network Analysis Suggest the 3CX Supply Chain Operation Goes Back to Fall 2022
  Families: 3CX Backdoor

2023-03-31  splunk  Splunk Threat Research Team
  Splunk Insights: Investigating the 3CXDesktopApp Supply Chain Compromise
  Families: 3CX Backdoor

2023-03-31  Zscaler  Meghraj Nandanwar, Niraj Shivtarkar, Rohit Hegde
  3CX Supply Chain Attack Campaign Campaign Analysis
  Families: 3CX Backdoor

2023-03-30  Rapid7 Labs  Rapid7
  Backdoored 3CXDesktopApp Installer Used in Active Threat Campaign
  Families: 3CX Backdoor

2023-03-30  Huntress Labs  John Hammond
  3CX VoIP Software Compromise & Supply Chain Threats
  Families: 3CX Backdoor

2023-03-30  Cado Security  Cado Security
  Forensic Triage of a Windows System running the Backdoored 3CX Desktop App
  Families: 3CX Backdoor

2023-03-30  CrowdStrike  CS ENGINEER
  2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers
  Families: 3CX Backdoor

2023-03-30  Fortiguard  FortiGuard Labs
  3CX Desktop App Compromised (CVE-2023-29059)
  Families: 3CX Backdoor

2023-03-30  Symantec  Threat Hunter Team
  3CX: Supply Chain Attack Affects Thousands of Users Worldwide
  Families: 3CX Backdoor, IconicStealer

2023-03-30  OALabs  Sergei Frankoff
  3CX Supply Chain Attack
  Families: 3CX Backdoor

2023-03-30  Elastic  Daniel Stepanic, Devon Kerr, Joe Desimone, Remco Sprooten, Samir Bousseaden
  Elastic users protected from SUDDENICON's supply chain attack
  Families: 3CX Backdoor

2023-03-30  Trend Micro  Trend Micro Research
  Developing Story: Information on Attacks Involving 3CX Desktop App
  Families: 3CX Backdoor, IconicStealer

2023-03-30  Volexity  Ankur Saini, Callum Roxan, Charlie Gardner, Paul Rascagnères, Steven Adair, Thomas Lancaster
  3CX Supply Chain Compromise Leads to ICONIC Incident
  Families: 3CX Backdoor, IconicStealer

2023-03-29  CrowdStrike  Research & Threat Intel
  CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers
  Families: 3CX Backdoor

2023-03-29  SentinelOne  Juan Andrés Guerrero-Saade
  SmoothOperator | Ongoing Campaign Trojanizes 3CXDesktopApp in Supply Chain Attack
  Families: 3CX Backdoor
Yara Rules

[TLP:WHITE] win_3cx_backdoor_auto (20260504 | Detects win.3cx_backdoor.)
rule win_3cx_backdoor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.3cx_backdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 747f 4c8d7027 4983e6e0 498946f8 eb0b 488bcb e8???????? }
            // n = 7, score = 100
            //   747f                 | inc                 edx
            //   4c8d7027             | dec                 eax
            //   4983e6e0             | mov                 ecx, dword ptr [ebp - 0x38]
            //   498946f8             | dec                 eax
            //   eb0b                 | mov                 eax, ecx
            //   488bcb               | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { e8???????? 448bac24d0000000 488bf8 452be5 660f1f440000 e8???????? 33d2 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   448bac24d0000000     | dec                 eax
            //   488bf8               | lea                 ecx, [ebp + 0x1c0]
            //   452be5               | movups              xmm0, xmmword ptr [eax]
            //   660f1f440000         | movups              xmmword ptr [esp + 0x50], xmm0
            //   e8????????           |                     
            //   33d2                 | movups              xmm1, xmmword ptr [eax + 0x10]

        $sequence_2 = { e8???????? 4c897de8 4c897df8 4c897d00 0f1000 0f1145e8 0f104810 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4c897de8             | ja                  0xc13
            //   4c897df8             | dec                 eax
            //   4c897d00             | lea                 eax, [edx + ecx]
            //   0f1000               | dec                 ebp
            //   0f1145e8             | mov                 esi, ecx
            //   0f104810             | dec                 eax

        $sequence_3 = { c1e116 4d03c2 33c1 458bd0 4c0fafd7 418d0c10 49c1e820 }
            // n = 7, score = 100
            //   c1e116               | mov                 dword ptr [eax + 0x3a8], edx
            //   4d03c2               | dec                 eax
            //   33c1                 | mov                 eax, dword ptr [ebp - 0x28]
            //   458bd0               | dec                 eax
            //   4c0fafd7             | mov                 dword ptr [eax + 0x88], ecx
            //   418d0c10             | lea                 ecx, [edx + 0x42]
            //   49c1e820             | dec                 eax

        $sequence_4 = { 49894808 48894508 488d4d08 e9???????? 488b78f8 803f02 7534 }
            // n = 7, score = 100
            //   49894808             | mov                 eax, dword ptr [eax + 8]
            //   48894508             | dec                 eax
            //   488d4d08             | mov                 ecx, dword ptr [ebp + 0x150]
            //   e9????????           |                     
            //   488b78f8             | dec                 ecx
            //   803f02               | mov                 dword ptr [eax + 8], ecx
            //   7534                 | dec                 eax

        $sequence_5 = { 0f85c7000000 48897c2430 48897c2440 4c89742448 41b804000000 488d1595820300 488d4c2430 }
            // n = 7, score = 100
            //   0f85c7000000         | dec                 eax
            //   48897c2430           | lea                 edx, [0x362a8]
            //   48897c2440           | dec                 eax
            //   4c89742448           | lea                 ecx, [ebp + 0x80]
            //   41b804000000         | nop                 
            //   488d1595820300       | nop                 
            //   488d4c2430           | dec                 eax

        $sequence_6 = { 4d8d143f 660f1f440000 0fb642f8 4188441208 488b02 4989441210 c642f800 }
            // n = 7, score = 100
            //   4d8d143f             | dec                 eax
            //   660f1f440000         | add                 eax, -8
            //   0fb642f8             | dec                 eax
            //   4188441208           | cmp                 eax, 0x1f
            //   488b02               | ja                  0x1ed3
            //   4989441210           | dec                 eax
            //   c642f800             | add                 edx, 0x27

        $sequence_7 = { c3 488364242000 4c8d05c9b00100 41b9db010000 488d152cb10100 488d0d85b10100 }
            // n = 6, score = 100
            //   c3                   | add                 edx, 0x12d687
            //   488364242000         | add                 cl, al
            //   4c8d05c9b00100       | dec                 ecx
            //   41b9db010000         | shr                 edx, 0x20
            //   488d152cb10100       | dec                 ecx
            //   488d0d85b10100       | mov                 esp, ebx

        $sequence_8 = { 488d1549d6feff 4803ca 813950450000 755f b80b020000 66394118 7554 }
            // n = 7, score = 100
            //   488d1549d6feff       | shl                 ecx, 5
            //   4803ca               | add                 cl, al
            //   813950450000         | inc                 ecx
            //   755f                 | mov                 byte ptr [ebx + 2], cl
            //   b80b020000           | mov                 ecx, eax
            //   66394118             | shl                 ecx, 5
            //   7554                 | xor                 eax, ecx

        $sequence_9 = { 0f1000 0f11450f 0f104810 0f114d1f 4c897010 48c740180f000000 }
            // n = 6, score = 100
            //   0f1000               | test                eax, eax
            //   0f11450f             | jne                 0x211
            //   0f104810             | dec                 eax
            //   0f114d1f             | lea                 edx, [0x38295]
            //   4c897010             | dec                 eax
            //   48c740180f000000     | lea                 ecx, [esp + 0x30]

    condition:
        7 of them and filesize < 585728
}

[TLP:WHITE] win_3cx_backdoor_w0 (20230331 | Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time.)
rule win_3cx_backdoor_w0 {
    meta:
        author = "threatintel@volexity.com"
        date = "2023-03-30"
        description = "Detects 3CX installers created in March 2023, 3CX was known to be compromised at this time."
        hash1 = "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868"
        reference = "https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/"
        memory_suitable = 0
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
    strings:
        $cert =  { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }
        $app = "3CXDesktopApp.exe"
        $data = "202303"

    condition:
        all of them
}

[TLP:WHITE] win_3cx_backdoor_w1 (20230331 | Detection of malicious ICO files used in 3CX compromise.)
rule win_3cx_backdoor_w1 {
    meta:
        author = "threatintel@volexity.com"
        description = "Detection of malicious ICO files used in 3CX compromise."
        date = "2023-03-30"
        hash1 = "a541e5fc421c358e0a2b07bf4771e897fb5a617998aa4876e0e1baa5fbb8e25c"
        memory_suitable = 0
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.3cx_backdoor"
        malpedia_version = "20230331"
        malpedia_rule_date = "20230331"
        malpedia_hash = ""
        malpedia_license = ""
        malpedia_sharing = "TLP:WHITE"
    strings:
        $IEND_dollar = {49 45 4e 44 ae 42 60 82 24} // IEND.B`.$
        $IEND_nodollar = {49 45 4e 44 ae 42 60 82 } // IEND.B`.

    condition:
        uint16be(0) == 0x0000 and
        filesize < 120KB and
        (
            $IEND_dollar in (filesize-500..filesize) and not
            $IEND_nodollar in (filesize-20..filesize) and
            for any k in (1..#IEND_dollar):
                (
                for all i in (1..4):
                    (
                        // in range [0-9a-zA-Z]
                        uint8(@IEND_dollar[k]+!IEND_dollar[k] + i ) < 123 and
                        uint8(@IEND_dollar[k]+!IEND_dollar[k] + i) > 47
                    )
                )
        )
}
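The condition of win_3cx_backdoor_w1 packs several checks into a few lines (ICO reserved word, size bound, IEND-plus-dollar in the last 500 bytes, no bare IEND in the last 20 bytes, and four printable bytes after each match). The following Python is an added re-implementation of exactly that logic, written for this page and not taken from Volexity or Malpedia; the byte buffers it scans are constructed stand-ins for ICO files (not valid icons, just enough structure to exercise each branch), and the function and sample names are this example's own.

```python
"""Added example: mirror of the win_3cx_backdoor_w1 YARA condition in Python.

Not Volexity's code. The sample buffers below are constructed for the example
and are not real 3CX artefacts.
"""

PNG_IEND = bytes.fromhex("49454e44ae426082")   # $IEND_nodollar: "IEND" + fixed CRC
IEND_DOLLAR = PNG_IEND + b"$"                   # $IEND_dollar
MAX_SIZE = 120 * 1024                           # filesize < 120KB


def _find_all(data: bytes, pat: bytes):
    """Yield every offset at which pat occurs in data (YARA's match list)."""
    off = data.find(pat)
    while off != -1:
        yield off
        off = data.find(pat, off + 1)


def matches_w1(data: bytes) -> bool:
    """Return True when the buffer would satisfy the rule's condition."""
    n = len(data)
    # uint16be(0) == 0x0000: the reserved field at the start of an ICO/CUR header
    if n < 2 or data[:2] != b"\x00\x00":
        return False
    if n >= MAX_SIZE:
        return False
    # "not $IEND_nodollar in (filesize-20..filesize)": a PNG that simply ends
    # with its IEND chunk has the marker in the last 20 bytes and is excluded
    if data.find(PNG_IEND, max(0, n - 20)) != -1:
        return False
    # "$IEND_dollar in (filesize-500..filesize)": match offset in the tail
    dollar_offsets = list(_find_all(data, IEND_DOLLAR))
    if not any(off >= n - 500 for off in dollar_offsets):
        return False
    # "for any k ... for all i in (1..4)": the four bytes after the byte that
    # follows the match must all be in 48..122 (roughly [0-9a-zA-Z])
    for off in dollar_offsets:
        after = off + len(IEND_DOLLAR)       # @IEND_dollar[k] + !IEND_dollar[k]
        if after + 4 >= n:
            continue                         # uint8 past EOF cannot satisfy the check
        if all(47 < data[after + i] < 123 for i in range(1, 5)):
            return True
    return False


def _fake_ico(after_iend: bytes, trailer: bytes) -> bytes:
    """Constructed stand-in: ICO header, a PNG-ish blob ending in IEND, then
    whatever follows IEND. Deliberately not a valid image."""
    header = b"\x00\x00\x01\x00\x01\x00"        # reserved=0, type=1 (icon), 1 image
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64 + b"\x00\x00\x00\x00" + PNG_IEND
    return header + png + after_iend + trailer


# Constructed samples (hypothetical, for the example only)
SAMPLE_APPENDED_TEXT = _fake_ico(b"$" + b"ZGF0YQ==" * 4, b" " * 32)   # text after IEND$
SAMPLE_PLAIN_ICO = _fake_ico(b"", b"")                                  # PNG ends at IEND
SAMPLE_BINARY_TAIL = _fake_ico(b"$" + bytes(range(8)), b" " * 32)      # non-printable tail
SAMPLE_NOT_ICO = b"MZ\x90\x00" + b"\x00" * 64                           # wrong header


def scan_samples() -> dict:
    """Run the mirror over every constructed sample and report the verdicts."""
    return {
        "appended_text": matches_w1(SAMPLE_APPENDED_TEXT),
        "plain_ico": matches_w1(SAMPLE_PLAIN_ICO),
        "binary_tail": matches_w1(SAMPLE_BINARY_TAIL),
        "not_ico": matches_w1(SAMPLE_NOT_ICO),
    }


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:15s} -> {'MATCH' if verdict else 'no match'}")
```

Only the first sample matches: it has an ICO reserved word, a PNG tail, a `$` straight after IEND with printable bytes following, and enough trailer that the bare IEND marker is outside the last 20 bytes. The plain icon is rejected by the last-20-bytes exclusion, the binary tail by the printable-range test, and the non-ICO buffer by the header check; running the real rule with `yara` over the same buffers is the way to confirm the mirror against the engine rather than against this explanation.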