Reports
APT PROFILE SUPPLY CHAIN

Lazarus Group: Threat Actor Profile & 3CX Supply Chain Attack — Full Technical Analysis

📅 2026-07-01 ⏱ 40 MIN READ ✍ SalahEldin Fikri (Mr_MaTriX) CRITICAL
A complete profile of the Lazarus Group — the North Korean state-sponsored APT behind the Bybit heist, WannaCry, and the Bangladesh Bank SWIFT fraud — followed by a full technical breakdown of the 3CX supply chain attack. The analysis traces the intrusion from the X_TRADER initial compromise through the trojanized 3CX Desktop App, the malicious ffmpeg.dll loader, the GitHub-hosted dead-drop resolver, and the VEILEDSIGNAL backdoor, ending with a consolidated IOC set and MITRE ATT&CK mapping.

1. Threat Actor Profile — Overview

Lazarus Group threat actor profile banner

Lazarus Group

Lazarus Group is a highly sophisticated Advanced Persistent Threat (APT) group widely recognized for conducting cyber espionage, financially motivated cybercrime, and destructive cyber operations. Active since at least 2009, the group has targeted governments, financial institutions, cryptocurrency platforms, defense contractors, software vendors, healthcare organizations, and critical infrastructure across the globe.

Over the past decade, Lazarus has demonstrated exceptional technical capabilities by developing custom malware families, conducting complex supply chain compromises, exploiting zero-day vulnerabilities, and executing large-scale financial theft campaigns. Unlike many threat actors that specialize in a single objective, Lazarus conducts operations spanning espionage, sabotage, ransomware deployment, and cryptocurrency theft, making it one of the most versatile and persistent nation-state threat groups currently active.

The group's operations continue to evolve alongside advancements in cybersecurity defenses. Lazarus frequently updates its malware, command-and-control infrastructure, and operational techniques to evade detection and maintain long-term access to compromised environments.

2. Aliases

Due to independent tracking by multiple cybersecurity vendors and government agencies, Lazarus Group is known under several aliases. Although the naming conventions differ between organizations, these aliases generally refer to the same threat actor or closely related operational clusters.

Diagram of Lazarus Group aliases across vendors and agencies

Figure: Cross-vendor alias mapping for Lazarus Group

ORGANIZATION ALIAS
MITRE ATT&CK Lazarus Group (G0032)
Microsoft Diamond Sleet (formerly DEV-0056 / ZINC)
CISA / US Government Hidden Cobra
Kaspersky Lazarus
ESET Lazarus
CrowdStrike Labyrinth Chollima
Mandiant / Google Threat Intelligence UNC and cluster-specific designations for particular campaigns
Malpedia APT38, APT-C-26, ATK117, ATK3, Alluring Pisces, Andariel, Appleworm, BeagleBoyz, Black Artemis

Certain financially motivated operations are also tracked separately under names such as APT38, while specific operational subgroups — including Andariel and BlueNoroff — are often analyzed independently because of their specialized missions and malware toolsets.

3. Attribution

Lazarus Group is widely attributed to the Democratic People's Republic of Korea (DPRK) and is assessed by numerous governments and cybersecurity organizations to operate in support of North Korean strategic interests. This attribution is based on years of technical analysis, intelligence reporting, and the correlation of operational behaviors across multiple campaigns.

Evidence supporting this attribution includes:

While attribution in cyberspace is inherently challenging, the collective body of technical and intelligence evidence provides a high level of confidence that Lazarus operates as a North Korean state-sponsored threat actor.

FBI WANTED poster for Park Jin Hyok
// THREAT INTELLIGENCE — FBI ATTRIBUTION
FBI Indicts Park Jin Hyok

The FBI formally indicted Park Jin Hyok, a North Korean operative linked to Lazarus Group, for conspiracy to commit wire fraud and computer-related fraud. The indictment attributes his involvement to several high-profile cyber operations, including the Sony Pictures attack, the WannaCry ransomware outbreak, and multiple cryptocurrency theft campaigns.

Publicly attributed financial operations include the $81M Bangladesh Bank heist, $625M Axie Infinity compromise, $100M Harmony Bridge theft, $41M Stake breach, and the $1.5B Bybit compromise, demonstrating Lazarus Group's continued focus on funding state-sponsored operations through cyber-enabled financial theft.

Source: Cointelegraph • Feb 25, 2025
Mandiant Greg Sinclair naming Lazarus Group
// ATTRIBUTION — ORIGIN OF THE NAME

The Lazarus Group name was coined by Greg Sinclair, a reverse engineer from Google's FLARE team. While reverse engineering malware samples tied to a series of attacks, Sinclair found shared code and fingerprints across seemingly unrelated incidents, linking them to a single North Korean threat actor. His work established the forensic foundation for what is now recognized as one of the most active nation-state APTs in the world.

Source: Mandiant (Google Cloud) · @Mandiant · Jun 27, 2025

4. Historical Timeline

The operational history of Lazarus Group illustrates a gradual evolution from regional cyber espionage campaigns to globally significant cyber operations targeting governments, financial institutions, and cryptocurrency ecosystems.

YEAR ACTIVITY
2009–2013 Early cyber espionage and disruptive operations primarily targeting South Korean government agencies, media organizations, and financial institutions.
2014 Conducted the destructive cyberattack against Sony Pictures Entertainment, gaining worldwide attention.
2015 Expanded malware development and reconnaissance operations targeting defense contractors and government organizations.
2016 Attempted the Bangladesh Bank SWIFT heist, seeking to steal nearly one billion US dollars through fraudulent international transactions.
2017 Linked to the global WannaCry ransomware outbreak that impacted hundreds of thousands of systems across more than 150 countries.
2018–2020 Increased focus on cryptocurrency exchanges, digital asset platforms, and blockchain companies through campaigns such as AppleJeus and APT38 operations.
2021–2022 Continued targeting cryptocurrency organizations, software developers, and defense industries while introducing new malware variants and advanced social engineering techniques.
2023–Present Conducted sophisticated supply chain attacks, software compromises, and financially motivated operations targeting cryptocurrency companies and enterprise software vendors.

This progression demonstrates Lazarus Group's ability to rapidly adapt its objectives and technical capabilities in response to evolving geopolitical priorities and emerging technologies.

5. Objectives & Motivation

Lazarus Group conducts cyber operations that support multiple strategic objectives rather than focusing on a single mission. Its activities generally fall into three primary categories: cyber espionage, financial theft, and disruptive operations.

Financially motivated campaigns have become increasingly prominent in recent years, with the group targeting banks, cryptocurrency exchanges, decentralized finance (DeFi) platforms, and blockchain organizations to generate revenue. These operations are widely believed to support North Korea's efforts to obtain foreign currency despite international economic sanctions.

In parallel, Lazarus continues to conduct intelligence-gathering operations against government agencies, military organizations, defense contractors, research institutions, and technology companies. These campaigns are designed to collect sensitive information, support strategic decision-making, and maintain long-term access to targeted networks.

The group has also demonstrated the capability to conduct destructive cyberattacks, deploy ransomware, compromise software supply chains, and execute complex social engineering campaigns. This diverse operational portfolio distinguishes Lazarus from many other threat actors and reflects a mature organization capable of adapting its techniques to achieve a wide range of strategic objectives.

Lazarus Group 2025 crypto theft portfolio totaling $1.66B
// FINANCIAL IMPACT — 2025 OPERATIONS

In 2025 alone, Lazarus Group was responsible for an estimated $1.66 billion in confirmed or suspected cryptocurrency theft — accounting for approximately 60% of all crypto stolen globally that year. Major incidents include the Bybit multisig social engineering attack ($1.4B, FBI confirmed), Phemex hot wallet drain ($73M), BtcTurk private key leak ($48M), CoinDCX server compromise ($44M), and several others. This scale of financially motivated activity underscores the group's central role in funding North Korean state operations.

Source: @0x3b33 (Pyro) · Apr 5, 2025

6. Campaigns

Lazarus Group has conducted numerous cyber operations spanning financial theft, cyber espionage, ransomware, and supply chain compromises. Over the years, the group's campaigns have evolved from primarily targeting government organizations in East Asia to conducting global operations against financial institutions, cryptocurrency exchanges, software vendors, and technology companies. The following summarizes the most significant publicly reported campaigns attributed to Lazarus Group, beginning with the most recent.

Bybit Cryptocurrency Heist (2025)

In February 2025, Lazarus Group was attributed to the compromise of the cryptocurrency exchange Bybit, resulting in the theft of approximately 1.5 billion USD in Ethereum-related assets. The incident is regarded as the largest cryptocurrency theft publicly reported to date.

Investigations indicated that the attackers compromised elements of the transaction-signing workflow associated with third-party wallet infrastructure, enabling fraudulent transactions to be approved while appearing legitimate. Following the theft, the stolen assets were rapidly moved through multiple wallets and laundering services to hinder recovery efforts.

Objectives: Cryptocurrency theft · Supply chain compromise · Financial gain · Cryptocurrency laundering

On-chain fund flow diagram of the Bybit exploit, TRM Labs

Figure: On-chain tracing of stolen Bybit funds moving through exploiter wallets (TRM Labs)

Bitrefill hack linked to Lazarus Group
// INTEL — ONGOING FINANCIAL TARGETING (2025)

The Lazarus Group's financial campaigns continued beyond Bybit, with the group reportedly breaching Bitrefill, draining hot wallets and compromising information belonging to approximately 18,500 customers. The operation is consistent with Lazarus's pattern of targeting cryptocurrency infrastructure through insider-aware attack methods. The same FBI WANTED poster for Park Jin Hyok was displayed at a press conference announcing related indictments.

Source: @Cryptotea · Mar 18, 2025

Open-Source Package Supply Chain Campaigns (2025–Present)

Lazarus Group expanded its software supply chain operations by publishing malicious packages to popular open-source ecosystems such as npm and PyPI. These packages impersonated legitimate libraries or were distributed through malicious GitHub repositories targeting developers.

The malware primarily targeted developers working on cryptocurrency, blockchain, and Web3 projects. Once installed, the packages deployed backdoors, harvested credentials, and established persistent access to developer workstations.

Lazarus Group hiding inside npm dependencies
// INTEL — NPM SUPPLY CHAIN (2025)

Researchers identified Lazarus Group hiding inside npm dependencies disguised as Rollup polyfill tools. Once silently installed, the malicious packages perform sandbox checks, establish full remote access, and steal SSH keys, cryptocurrency wallets, and cloud config files (Claude/AWS configs). The end-to-end flow: silent install → dropper (JSONKeeper eval) → encrypted C2 fetch/decode → browser theft (logins & wallets) → file collection (secrets and histories). Seven supply chain attacks of this type were discovered in a single week.

Source: @CyberOps_I9801 (TeamCyberOps) · 2025

Objectives: Supply chain compromise · Developer workstation compromise · Credential theft · Initial access to enterprise networks

Contagious Interview Campaign (2024–Present)

The Contagious Interview campaign targets software developers, cybersecurity professionals, and cryptocurrency employees using fake recruiter profiles on platforms including LinkedIn, Telegram, and X.

Victims are invited to complete coding challenges or technical interviews using malicious projects hosted on GitHub or other code-sharing platforms. Executing the supplied projects installs malware capable of stealing credentials, collecting sensitive information, and providing remote access to compromised systems.

Objectives: Social engineering · Initial access · Credential theft · Compromise of software developers

Fake recruiter profile on X used in the Contagious Interview campaign

Figure: Fake recruiter profile ("Onder Kayabasi") advertising blockchain developer roles on X, used to lure victims into the Contagious Interview campaign

"Mach-O Man" macOS Malware Campaign (2025)

A 2025 Lazarus campaign targeted macOS users through a trojanized video conferencing application update. The malware kit, dubbed PyLangGhostRAT, is a Python-based remote access trojan — a port of the original Go-based GhostRAT — distributed via ClickFix-style social engineering that tricks users into approving a fake "Update Completed" installation dialog.

Once installed, the malware establishes persistent remote access, enabling credential theft, file collection, and long-term surveillance of macOS workstations. The campaign marks a continued expansion of Lazarus's targeting beyond Windows environments.

Lazarus Mach-O Man macOS malware kit campaign
// INTEL — MACOS CAMPAIGN (APR 2025)

Researchers reported a new Lazarus APT campaign: "Mach-O Man" distributing PyLangGhostRAT, a Python-based vibe-ported version of the original Go-based RAT using ClickFix attacks. The malware disguises itself as a Teams application update on macOS, then establishes a full C2 channel visible in the Any.run sandbox analysis. The campaign targets macOS business users and represents Lazarus's active investment in cross-platform malware development.

Source: @5mukx (Smukx.E) · Apr 22, 2025

Objectives: Remote access · Credential theft · Surveillance · macOS platform expansion

Fake IT Worker Campaign (2024–Present)

Diagram of how North Korean IT workers carry out their scheme, Google Cloud

Figure: How North Korean IT workers carry out the fake-employment scheme (Google Cloud)

Lazarus Group has also been linked to campaigns in which North Korean operatives pose as remote software engineers seeking employment with international technology companies. After obtaining legitimate employment, they gain trusted access to corporate environments where they can steal intellectual property, deploy malware, or generate revenue for the North Korean regime.

Unlike traditional cyberattacks, this operation combines identity fraud, insider access, and cyber intrusion techniques, making it particularly difficult to detect.

Objectives: Insider access · Intellectual property theft · Financial gain · Long-term enterprise access

WazirX Cryptocurrency Exchange Attack (2024)

In July 2024, the Indian cryptocurrency exchange WazirX suffered a security breach that resulted in the theft of approximately 235 million USD in digital assets. Public blockchain investigations linked the operation to Lazarus Group.

The attackers compromised wallet infrastructure before laundering the stolen cryptocurrency through multiple blockchain transactions and cryptocurrency mixing services.

Objectives: Cryptocurrency theft · Financial gain · Cryptocurrency laundering

WazirX security breach headline graphic

Figure: WazirX security breach coverage following the 2024 exchange compromise

3CX Supply Chain Attack (2023)

The compromise of the 3CX Desktop Application represented one of Lazarus Group's most sophisticated software supply chain attacks. By infiltrating the software development process, the attackers distributed digitally signed malicious updates to thousands of organizations worldwide. The campaign demonstrated Lazarus's ability to abuse trusted software distribution channels to obtain initial access into downstream enterprise environments. This campaign is analyzed in full technical detail in the sections below.

Objectives: Supply chain compromise · Malware distribution · Intelligence collection · Long-term persistence

3CX supply chain attack flow diagram, Sophos

Figure: End-to-end 3CX supply chain attack flow, from build server compromise to in-memory payload delivery (Sophos)

Operation AppleJeus (2018–Present)

Operation AppleJeus targeted cryptocurrency users through trojanized cryptocurrency trading applications masquerading as legitimate investment software. Victims who installed these applications unknowingly deployed malware capable of collecting sensitive information, maintaining persistence, and stealing cryptocurrency assets from infected systems.

Objectives: Cryptocurrency theft · Credential harvesting · Remote access · Financial gain

AppleJeus .NET loader and C2 architecture diagram

Figure: AppleJeus loader and C2 architecture — encrypted config files loaded by a .NET loader, with a port opener and tunneling tool enabling remote command and control

WannaCry Ransomware (2017)

The WannaCry ransomware outbreak spread rapidly across more than 150 countries by exploiting the EternalBlue (MS17-010) SMB vulnerability. The malware encrypted victim systems and demanded cryptocurrency payments for decryption. Although the financial return was relatively modest, the attack caused widespread disruption to hospitals, government agencies, educational institutions, and private organizations around the world.

Objectives: Ransomware deployment · Rapid worm propagation · Operational disruption

WannaCry Wana Decrypt0r 2.0 ransom note

Figure: The WannaCry "Wana Decrypt0r 2.0" ransom note displayed on infected systems

Bangladesh Bank Heist (2016)

Lazarus Group compromised Bangladesh Bank's internal network and abused the SWIFT banking system to initiate fraudulent international money transfers totaling nearly one billion US dollars. Although most transactions were blocked, approximately 81 million USD was successfully transferred before the fraud was detected, making it one of the most significant cyber-enabled financial thefts ever recorded.

Objectives: Financial theft · SWIFT fraud · Banking infrastructure compromise

Bangladesh Bank Heist 2016 SWIFT fraud illustration

Figure: The 2016 Bangladesh Bank heist abused the SWIFT interbank messaging system to move stolen funds

On-chain analysis of Lazarus Group moving $63.5M Harmony bridge funds through Railgun
// INTEL — CRYPTOCURRENCY LAUNDERING (JAN 2023)

Blockchain investigator ZachXBT documented Lazarus Group moving approximately $63.5M (~41,000 ETH) from the Harmony bridge hack through the Railgun privacy protocol before consolidating funds into three separate exchanges. The on-chain analysis revealed a complex multi-hop laundering pattern: Tornado Cash withdrawals → Railgun deposits → Railgun withdrawals → consolidation wallets → exchange deposits across three separate exchanges. This visualization illustrates the group's sophisticated cryptocurrency laundering infrastructure and tradecraft.

Source: @zachxbt (ZachXBT) · Jan 16, 2023

Sony Pictures Attack (2014)

The cyberattack against Sony Pictures Entertainment marked one of the first operations to bring Lazarus Group to international attention. The attackers stole confidential corporate data, leaked internal communications, and deployed destructive malware that permanently damaged thousands of systems. The campaign demonstrated Lazarus Group's ability to conduct long-term network intrusions followed by coordinated destructive attacks against enterprise environments.

Objectives: Data theft · Corporate disruption · Destructive malware deployment · Psychological impact

Hacked By #GOP message displayed on Sony Pictures workstations

Figure: The "Hacked By #GOP" message displayed on compromised Sony Pictures workstations during the 2014 attack

7. Sample Analysis — 3CX Supply Chain Attack Campaign

3CX supply chain attack illustration

The 3CX Supply Chain Attack, publicly disclosed in March 2023, is regarded as one of the most sophisticated software supply chain compromises attributed to the Lazarus Group. Unlike traditional attacks that directly target victims, this operation focused on compromising a trusted software vendor and using its software distribution infrastructure to deliver malware to thousands of organizations worldwide.

Background

3CX is a software company that develops Voice over Internet Protocol (VoIP) communication solutions used by more than 600,000 organizations worldwide. Its desktop application is available for both Windows and macOS and is digitally signed to ensure authenticity and integrity. Because of its widespread adoption in enterprise environments, compromising the 3CX software supply chain provided the attackers with access to a large number of potential victims through a single trusted distribution channel.

Stage 1 — Initial Compromise

The attack did not begin at 3CX. According to the joint investigation conducted by Mandiant and 3CX, the attackers first compromised a 3CX employee's workstation through an earlier supply chain attack involving the X_TRADER financial trading software developed by Trading Technologies International, Inc.

Years before the 3CX incident, Lazarus had compromised the X_TRADER software distribution process, embedding malware within legitimate software updates. A 3CX employee installed the compromised application, unknowingly infecting their workstation. The malware established persistence, collected credentials, and allowed the attackers to maintain long-term access to the employee's system.

Stage 2 — Compromise of the Build Environment

After obtaining access to the employee's workstation, the attackers performed internal reconnaissance and harvested credentials that enabled them to move laterally within the corporate network. Eventually, they compromised the 3CX Continuous Integration and Continuous Delivery (CI/CD) build environment.

The CI/CD infrastructure is responsible for automatically compiling, testing, digitally signing, and publishing official software releases. By compromising this environment, the attackers gained the ability to modify legitimate application components before they were digitally signed and distributed to customers. Rather than stealing the company's code-signing certificate, the attackers inserted malicious components directly into the official build process, allowing the compromised software to retain its trusted digital signature.

Stage 3 — Trojanized Software Distribution

The attackers modified the Windows and macOS versions of the 3CX Desktop Application by replacing legitimate Dynamic Link Libraries (DLLs) with trojanized versions. When users installed or updated the software, the malicious DLLs were executed alongside legitimate application components without raising immediate suspicion. Because the software remained digitally signed by 3CX, endpoint security products and users generally trusted the application. Thousands of organizations unknowingly installed the compromised software during routine software updates.

Stage 4 — Multi-Stage Malware Execution

The trojanized application initiated a carefully designed multi-stage infection chain. During execution, malicious DLLs decrypted embedded shellcode that established communication with attacker-controlled infrastructure. The malware downloaded additional payloads only after performing victim profiling, reducing the likelihood of detection. Researchers identified several malware families associated with the operation, including:

This staged architecture allowed Lazarus to limit exposure by deploying advanced malware only to organizations considered strategically valuable.

Stage 5 — Target Selection

Unlike indiscriminate malware campaigns, the attackers carefully selected follow-on targets. The initial trojanized software acted as a filtering mechanism. Systems meeting predefined criteria received additional malware capable of credential theft, intelligence collection, and long-term remote access. Victims included organizations operating in sectors such as financial services, information technology, government, aerospace, and critical infrastructure.

Discovery

The attack was first identified in March 2023 after security researchers observed suspicious behavior associated with the signed 3CX Desktop Application. Subsequent investigations by multiple cybersecurity vendors, including Mandiant, SentinelOne, CrowdStrike, Sophos, Elastic Security, and Kaspersky, revealed that the application had been compromised during the software build process rather than after distribution.

The investigation also uncovered the connection between the 3CX compromise and the earlier X_TRADER supply chain attack, demonstrating how Lazarus leveraged one software supply chain compromise to facilitate another.

The campaign remains one of the most significant examples of a modern software supply chain attack and illustrates the growing importance of securing software development pipelines, code-signing processes, and CI/CD infrastructure against nation-state adversaries.

8. Technical Analysis

PHASE COMPONENT PURPOSE ANALYSIS
0 Attack Execution Overview Complete execution chain of the 3CX supply chain attack. Attack Flow
1 X_TRADER Supply Chain Initial compromise that led to the infection of a 3CX employee workstation. Full Reverse Engineering
2 3CXDesktopApp.exe Legitimate signed application abused to initiate the malicious execution chain. Static Analysis
3 Trojanized ffmpeg.dll First malicious DLL loaded by the application via DLL side-loading. Full Reverse Engineering
4 GitHub Dead Drop Resolver Retrieves the encrypted configuration and C2 information from GitHub. Reverse Engineering
5 VEILEDSIGNAL Primary modular backdoor deployed during the campaign. Full Malware Analysis
6 Campaign IOC Summary Consolidated indicators extracted from every analyzed component. IOC Table
7 MITRE ATT&CK Mapping Complete mapping of the campaign to MITRE ATT&CK techniques. ATT&CK

Phase 0 — Attack Execution Overview

Before analyzing the individual malware components, it is important to understand how they interact throughout the 3CX supply chain attack. Unlike conventional malware campaigns that rely on a single executable, the 3CX attack employed a multi-stage execution chain in which each component was responsible for loading or enabling the next stage.

The attack originated from a previously compromised X_TRADER installation, which provided the attackers with initial access to a 3CX employee's workstation. After compromising the company's CI/CD build environment, Lazarus inserted malicious components into the signed 3CX Desktop Application. When the application was executed, a sequence of malicious DLLs, shellcode, and payloads were loaded, ultimately leading to the deployment of advanced backdoors on selected victim systems.

The following sections analyze each component in the order it executes during the attack.

Phase 1 — X_TRADER Supply Chain

The first stage of the attack begins with the trojanized X_TRADER application, which served as the initial access vector into the 3CX environment. By compromising the software supply chain of X_TRADER, Lazarus Group was able to execute malicious code on a 3CX employee's workstation while the application appeared legitimate.

This initial compromise provided the attackers with a foothold inside the corporate network, allowing them to establish persistence, collect system information, and ultimately obtain access to the 3CX CI/CD build environment. The following analysis examines the malicious X_TRADER sample to identify its execution flow, capabilities, and role in the overall attack chain.

Starting the analysis of X_TRADER

X_TRADER sample static properties

Figure 1: X_TRADER sample static properties

The analyzed sample is a 32-bit Portable Executable (PE32) designed to run on Microsoft Windows. The executable targets the x86 architecture and uses the Windows GUI subsystem, indicating that it is intended to execute as a graphical application rather than a console program.

Compiled using Microsoft VS Code, it only imports four libraries: Kernel32.dll, SHELL32.dll, ole32.dll, OLEAUT32.dll. From these libraries, some of its functionalities can be inferred:

It also has data stored in the resource section with a size of 001e1048.

Moving to IDA to confirm this functionality: uploading the sample to IDA and starting at the WinMain function, the function has only three calls. The program begins execution by calling a function that, based on its return value, decides whether to proceed to the next function or jump to the third.

WinMain control flow in IDA

Figure 2: WinMain control flow in IDA

Entering the first function, sub_401090, the malware begins by allocating and initializing several buffers used throughout the routine. It then retrieves the full path of the running executable and locates the last directory separator ('\') to isolate the installation directory. Using this path, it constructs the full path to X_TRADER-ja.mst.

Next, the malware opens X_TRADER-ja.mst, moves the file pointer to offset 0x167000, and reads the embedded encrypted payload. It then creates a new directory named TPM under C:\ProgramData. After creating the directory, the malware copies immersivetpmvscmgrsvr.exe into the newly created location and renames it to TpmVscMgrSvr.exe. Finally, it creates a new DLL named devobj.dll within the same directory, which is later populated with the decrypted payload extracted from X_TRADER-ja.mst.

Payload staging under C:\ProgramData\TPM

Figure 3: Payload staging under C:\ProgramData\TPM

The malware proceeds to decrypt an embedded payload from X_TRADER-ja.mst into a temporary memory buffer. Once the decryption process is complete, the recovered payload is written to devobj.dll, preparing it for execution in the next stage of the attack.

Payload decryption routine

Figure 4: Payload decryption routine writing devobj.dll

At this point, the first function completes its execution, and control is transferred to the second function, sub_4013C0. The function begins by constructing the full path C:\ProgramData\TPM\TpmVscMgrSvr.exe. It then initializes the COM library and creates an instance of the Task Scheduler COM object using the CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}, while requesting the ITaskService interface identified by the IID {2FABA4C7-4DA9-4013-9697-20CC3FD40F85} through CoCreateInstance().

Since COM methods are invoked through a virtual function table (vtable), the imported interface can be reconstructed using the ITaskService method offsets shown below. This mapping allows the indirect calls observed during reverse engineering to be resolved to their corresponding COM methods.

OFFSET INDEX METHOD
0x00 0 QueryInterface
0x04 1 AddRef
0x08 2 Release
0x0C 3 GetTypeInfoCount
0x10 4 GetTypeInfo
0x14 5 GetIDsOfNames
0x18 6 Invoke
0x1C 7 GetFolder
0x20 8 GetRunningTasks
0x24 9 NewTask
0x28 10 Connect
0x2C 11 get_Connected
0x30 12 get_TargetServer
0x34 13 get_ConnectedUser
0x38 14 get_ConnectedDomain
0x3C 15 get_HighestVersion
ITaskService COM interface acquisition

Figure 5: ITaskService COM interface acquisition

The malware initializes four empty VARIANT structures using VariantInit(). These VARIANTs are later passed as arguments to the first method retrieved from the ITaskService COM interface. Before the call, the compiler copies each VARIANT onto the stack, after which the malware invokes the function located at offset 0x28 in the ITaskService vtable, corresponding to ITaskService::Connect(). By passing empty VARIANTs, the malware connects to the local Task Scheduler service using the current user's security context without explicitly specifying a server, username, domain, or password.

ITaskService::Connect call with empty VARIANTs

Figure 6: ITaskService::Connect() call with empty VARIANTs

The malware abuses the COM object to establish persistence by creating a scheduled task within the \Microsoft\Windows\TPM folder. It sets the task author to "Microsoft Corporation" to imitate a legitimate Microsoft task and configures an execution action that launches C:\ProgramData\TPM\TpmVscMgrSvr.exe. The task also uses the identifier Tpm-VscMgr, further reinforcing the appearance of a legitimate TPM-related scheduled task.

Task Scheduler

Name:        Tpm-VscMgr
Author:      Microsoft Corporation
Action:      C:\ProgramData\TPM\TpmVscMgrSvr.exe
Scheduled task creation for persistence

Figure 7: Scheduled task creation for persistence

Moving to the third function, the malware begins by searching the resource section for an embedded payload. After locating the appropriate resource, it loads the encrypted data into memory. The malware then retrieves the full path of X_TRADER.exe, opens the executable, and decrypts the embedded payload using the XOR key 0x0DA39F274. The decrypted code is written into the target executable, effectively patching it with the malicious payload extracted from the resource section. Once the modification is complete, the malware executes the newly patched X_TRADER.exe and finally deletes its original executable from disk to remove traces of the initial infection.

XOR decryption and patching of X_TRADER.exe

Figure 8: XOR decryption and patching of X_TRADER.exe, followed by self-deletion

Phase 2 — 3CXDesktopApp.exe

Unlike the previously analyzed X_TRADER sample, 3CXDesktopApp.exe does not contain the primary malicious functionality. Static and dynamic analysis, along with multiple public threat intelligence reports, show that the executable remains a legitimate, digitally signed 3CX application. Its role in the attack is to act as a trusted loader for the malicious components deployed by the attackers.

During startup, the application follows its normal initialization process and loads its required dynamic-link libraries (DLLs). Due to the supply-chain compromise, the legitimate ffmpeg.dll included with the application was replaced with a trojanized version. As a result, when 3CXDesktopApp.exe starts, the Windows loader automatically loads the malicious ffmpeg.dll, transferring execution to the attacker's code while the application continues to function normally from the user's perspective.

Therefore, the analysis of 3CXDesktopApp.exe focuses primarily on its role in initiating the execution chain rather than implementing the malicious logic itself. The actual payload execution begins inside the trojanized ffmpeg.dll, which is analyzed in the next phase.

Phase 3 — Trojanized ffmpeg.dll

Trojanized ffmpeg.dll analysis illustration

Starting the analysis of the trojanized ffmpeg.dll, the DLL was loaded into IDA for static analysis. The entry point contains only a single function call, which immediately transfers execution to the DLL's primary initialization routine. As a result, the remainder of the analysis focuses on this function, where the malicious behavior is implemented.

ffmpeg.dll entry point transferring to initialization routine alt="ffmpeg.dll entry point transferring to initialization routine" />

Figure 9: ffmpeg.dll entry point transferring to initialization routine

Going deeper into the primary initialization routine to determine the purpose of the trojanized ffmpeg.dll, the malware begins by creating a named event called AVMonitorRefreshEvent using CreateEventW(). Immediately afterward, it calls GetLastError() to determine whether the event already exists. If GetLastError() returns ERROR_ALREADY_EXISTS (0xB7), the malware concludes that another instance is already running and terminates its execution. This mechanism acts as a single-instance check, ensuring that only one instance of the DLL executes at a time.

Single-instance check via AVMonitorRefreshEvent

Figure 10: Single-instance check via the AVMonitorRefreshEvent named event

Moreover, the malware retrieves the full path of the running module and locates the last directory separator ('\') to obtain the application's installation directory. It then appends the string d3dcompiler_47.dll to construct the full path to the target DLL. The file is opened using CreateFileW() with GENERIC_READ access, OPEN_EXISTING disposition, and FILE_ATTRIBUTE_NORMAL attributes. The malware then reads the DLL from disk into memory.

Reading d3dcompiler_47.dll into memory

Figure 11: Reading d3dcompiler_47.dll into memory

Afterward, the malware parses the contents of d3dcompiler_47.dll in search of the byte sequence FE ED FA CE, which serves as a marker indicating the beginning of the embedded shellcode. Once this signature is located, the malware extracts the encrypted payload and decrypts it using the RC4 stream cipher with the hardcoded key 3jB(2bsG#@c7. The decrypted shellcode is a downloader that retrieves icon files from a GitHub repository at https://raw.githubusercontent[.]com/IconStorages/images/main/, which are later used to download the final payload.

RC4 decryption of embedded shellcode marked by FE ED FA CE

Figure 12: RC4 decryption of embedded shellcode, marked by the FE ED FA CE signature

Phase 4 — GitHub Dead Drop Resolver

ICO file parsing for embedded C2 configuration

Figure 13: ICO file parsing for embedded, encoded C2 configuration

Each downloaded ICO file contains an embedded, encoded configuration rather than a standard icon resource. The malware parses the files, extracts the hidden data, and decodes it to recover the command-and-control (C2) configuration used by the final-stage payload. This technique enables the attackers to distribute updated C2 information through seemingly benign icon files hosted on remote servers.

ICON FILE URL
icon0.ico https://www.3cx[.]com/blog/event-trainings/
icon1.ico https://msstorageazure[.]com/window
icon2.ico https://officestoragebox[.]com/api/session
icon3.ico https://visualstudiofactory[.]com/workload
icon4.ico https://azuredeploystore[.]com/cloud/services
icon5.ico https://msstorageboxes[.]com/office
icon6.ico https://officeaddons[.]com/technologies
icon7.ico https://sourceslabs[.]com/downloads
icon8.ico https://zacharryblogs[.]com/feed
icon9.ico https://pbxcloudeservices[.]com/phonesystem
icon10.ico https://akamaitechcloudservices[.]com/v2/storage
icon11.ico https://akamaitechcloudservices[.]com/v2/storage
icon12.ico https://azureonlinestorage[.]com/azure/storage
icon13.ico https://msedgepackageinfo[.]com/microsoft-edge
icon14.ico https://glcloudservice[.]com/v1/console
icon15.ico https://pbxsources[.]com/exchange

Phase 5 — VEILEDSIGNAL

Moving to the final phase, VEILEDSIGNAL, the malware begins by retrieving workstation network information using the NetWkstaGetInfo() API, obtaining both the hostname and the domain name. It then loads ntdll.dll and resolves the RtlGetVersion API to retrieve the operating system version. Afterward, the malware obtains the path to the AppData\Roaming directory and appends \3CXDesktopApp\config.json to construct the full path to the configuration file. The malware then opens config.json, reads its contents into memory, and constructs a new JSON object by appending the previously collected system information, including the hostname, domain name, operating system version, and the data from the config.json file.

Collection of host information and config.json contents

Figure 14: Collection of host information and config.json contents into a JSON buffer

The malware targets the browsing history of several Chromium- and Gecko-based web browsers, including Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox. It locates each browser's profile directory and accesses the corresponding history database (History for Chromium-based browsers and places.sqlite for Firefox). The malware then executes SQL queries to retrieve the 500 most recent visited URLs and their associated page titles, appending the extracted information to the in-memory JSON buffer for later use.

Browser history harvesting via SQL queries

Figure 15: Browser history harvesting via SQL queries against History and places.sqlite

9. Campaign IOC Summary

All indicators extracted across every analyzed component of the 3CX supply chain attack.

IOCs — THIS REPORT
TYPE INDICATOR DESCRIPTION CONFIDENCE
SHA256 DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC 3CXDesktopApp.exe HIGH
SHA256 7290A9AEFBB759C9B40EF8A197CF20FD098FD74DD413C4D9D81E77A31E643F49 Trojanized ffmpeg.dll HIGH
SHA256 11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03 Trojanized d3dcompiler_47.dll HIGH
SHA256 8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423 Final-stage payload (VEILEDSIGNAL) HIGH
MD5 00a43d64f9b5187a1e1f922b99b09b77 X_TRADER initial-access sample HIGH
DIRECTORY C:\ProgramData\TPM\ Staging directory created by the first-stage malware MEDIUM
FILE C:\ProgramData\TPM\TpmVscMgrSvr.exe Dropped executable used for persistence MEDIUM
FILE C:\ProgramData\TPM\devobj.dll Decrypted second-stage DLL MEDIUM
FILE X_TRADER-ja.mst Installer transform containing the encrypted payload MEDIUM
FILE %AppData%\3CXDesktopApp\config.json Configuration file read by VEILEDSIGNAL MEDIUM
TASK Tpm-VscMgr Scheduled task created for persistence MEDIUM
EVENT AVMonitorRefreshEvent Named event used as a single-instance check MEDIUM
KEY RC4: 3jB(2bsG#@c7 RC4 key used to decrypt the embedded shellcode MEDIUM
KEY XOR: 0x0DA39F274 XOR key used by X_TRADER to decrypt the embedded DLL MEDIUM
DOMAIN raw.githubusercontent[.]com/IconStorages/images/main/ GitHub dead-drop repository hosting encoded ICO configs HIGH
DOMAIN msstorageazure[.]com icon1.ico dead-drop host MEDIUM
DOMAIN officestoragebox[.]com icon2.ico dead-drop host MEDIUM
DOMAIN visualstudiofactory[.]com icon3.ico dead-drop host MEDIUM
DOMAIN azuredeploystore[.]com icon4.ico dead-drop host MEDIUM
DOMAIN msstorageboxes[.]com icon5.ico dead-drop host MEDIUM
DOMAIN officeaddons[.]com icon6.ico dead-drop host MEDIUM
DOMAIN sourceslabs[.]com icon7.ico dead-drop host MEDIUM
DOMAIN zacharryblogs[.]com icon8.ico dead-drop host MEDIUM
DOMAIN pbxcloudeservices[.]com icon9.ico dead-drop host MEDIUM
DOMAIN akamaitechcloudservices[.]com icon10 / icon11.ico dead-drop host MEDIUM
DOMAIN azureonlinestorage[.]com icon12.ico dead-drop host MEDIUM
DOMAIN msedgepackageinfo[.]com icon13.ico dead-drop host MEDIUM
DOMAIN glcloudservice[.]com icon14.ico dead-drop host MEDIUM
DOMAIN pbxsources[.]com icon15.ico dead-drop host MEDIUM

In addition to the network and host-based indicators above, VEILEDSIGNAL targets the following browser profile paths and databases for history collection:

BROWSER PROFILE PATH DATABASE
Google Chrome AppData\Local\Google\Chrome\User Data History
Microsoft Edge AppData\Local\Microsoft\Edge\User Data History
Brave AppData\Local\BraveSoftware\Brave-Browser\User Data History
Mozilla Firefox AppData\Roaming\Mozilla\Firefox\Profiles places.sqlite
-- Chromium-based browsers
SELECT url, title FROM urls ORDER BY id DESC LIMIT 500

-- Firefox
SELECT url, title FROM moz_places ORDER BY id DESC LIMIT 500

10. MITRE ATT&CK Mapping — Full Campaign

Complete mapping of the 3CX supply chain campaign to MITRE ATT&CK techniques.

TACTIC TECHNIQUE ATT&CK ID EVIDENCE
Initial Access Compromise Software Supply Chain T1195.002 3CX DesktopApp distributed with trojanized DLLs.
Initial Access Trusted Relationship T1199 Attack leveraged the trust relationship between 3CX and its customers.
Execution Shared Modules T1129 3CXDesktopApp.exe loads the trojanized ffmpeg.dll.
Execution User Execution: Malicious File T1204.002 Malware executes when the victim launches the legitimate 3CX DesktopApp.
Execution Command and Scripting Interpreter T1059 Later-stage payloads execute downloaded commands/scripts.
Persistence Scheduled Task/Job: Scheduled Task T1053.005 Creates the Tpm-VscMgr scheduled task.
Persistence DLL Search Order Hijacking T1574.001 Trojanized ffmpeg.dll is loaded by the legitimate application.
Persistence Event Triggered Execution T1546 Persistence established through Task Scheduler.
Privilege Escalation DLL Search Order Hijacking T1574.001 Malicious DLL executes inside a trusted process.
Defense Evasion Deobfuscate/Decode Files or Information T1140 RC4 and XOR decrypt embedded payloads and shellcode.
Defense Evasion Masquerading T1036 Uses legitimate filenames, Microsoft task names, and trusted application components.
Defense Evasion Indicator Removal on Host: File Deletion T1070.004 Initial dropper deletes itself after execution.
Defense Evasion Hide Artifacts T1564 Payloads stored in legitimate-looking locations.
Defense Evasion System Binary Proxy Execution T1218 Abuses Windows Task Scheduler COM interfaces.
Discovery System Information Discovery T1082 Collects operating system version.
Discovery System Owner/User Discovery T1033 Collects hostname and domain/workgroup information.
Discovery File and Directory Discovery T1083 Enumerates browser profile directories and user files.
Collection Data from Local System T1005 Collects browser history and configuration files.
Collection Data from Information Repositories T1213 Reads SQLite browser history databases.
Collection Archive Collected Data T1560 Aggregates collected information into an in-memory JSON buffer.
Credential Access Credentials from Password Stores T1555 Later-stage payloads target browser credentials.
Command and Control Application Layer Protocol: Web Protocols T1071.001 Uses HTTP/HTTPS for C2 communication.
Command and Control Dynamic Resolution T1568 Retrieves encrypted configuration from remote resources.
Command and Control Dead Drop Resolver T1102.001 Uses GitHub and remote ICO files as dead-drop resolvers.
Exfiltration Exfiltration Over Web Service T1567 Sends collected victim information to the C2 infrastructure.

11. Conclusion & Recommendations

The 3CX supply chain attack illustrates how Lazarus Group leverages a chain of trust — compromising one vendor (X_TRADER) to reach another (3CX) — to gain scalable initial access without directly touching the end victim. Because the trojanized components were inserted during the signed build process rather than after distribution, traditional signature and reputation-based trust models failed to flag the malicious DLLs.

References