Hackers may have compromised the networks of thousands of businesses due to a supply-chain attack on the enterprise phone company 3CX, which confirmed on Thursday that its desktop app had been bundled with malware. This attack could have far-reaching implications as 3CX provides office phone systems to over 600,000 companies with more than 12 million daily users, including Mercedes-Benz, Coca-Cola, and the United Kingdom’s National Health Service.

Compromise and scope of attack

The extent of the impact on these companies is yet to be determined. The Record has contacted them for comments, and a spokesperson for Mercedes-Benz declined to respond. The CEO and founder of 3CX, Nick Galea, confirmed that “the 3CX DesktopApp has malware in it.” In addition, the company’s chief information security officer, Pierre Jourdan, said that the intrusion was the work of highly skilled hackers who picked who would be downloading the next stages of their malware. Jourdan also suggested that this was a targeted attack from an Advanced Persistent Threat (APT), potentially state-sponsored.

3CX’s response and criticisms

The company was informed about the malware by several cybersecurity companies, including SentinelOne, Sophos, and CrowdStrike, who had gone public with reports about the intrusion. Following further criticism, Galea apologized, stating: “We should have done a lot more and a lot faster. We apologize 150% to all concerned.”

Attack details

Sophos reported that only the 3CX client on Windows machines appeared to be compromised, but Jourdan’s post said that certain versions of macOS were affected. Researcher Patrick Wardle also wrote a preliminary analysis of the Mac malware. The compromised software was capable of sideloading malware designed to steal sensitive information from web browsers. Mat Gangwer, the vice president of managed threat response at Sophos, explained that “The attackers have managed to manipulate the application to add an installer which uses DLL sideloading to ultimately retrieve a malicious, encoded payload.” Gangwer added that the sideloading techniques were not novel and were similar to what was used in a campaign in which hackers used different malware in USB drives to compromise computers in Mongolia, Papua New Guinea, Ghana, Zimbabwe, and Nigeria.

Possible involvement of nation-state hackers

CrowdStrike reported that a group it calls Labyrinth Chollima, described as “one of the most prolific” hacking groups based in North Korea, had suspected nation-state involvement in the attack. However, SentinelOne said that they did not yet see obvious connections to existing threat clusters. Software providers have been on high alert for supply-chain intrusions since the 2020 attack on SolarWinds, which led to data breaches at companies and government agencies worldwide.


The 3CX supply-chain attack highlights the continued vulnerability of software providers and the far-reaching consequences of such breaches. The incident raises concerns for businesses and governments worldwide that rely on enterprise phone systems and highlights the need for improved security measures and threat detection. Companies must remain vigilant and ensure that they have robust security measures in place to detect and mitigate such attacks.