Unleashing the Threat: Inside the SmoothOperator Supply Chain Attack on 3CX VOIP Desktop Client

Tags: SmoothOperator, 3CX, Supply Chain Attack, VoIP IPBX
A new supply chain attack called SmoothOperator is currently targeting 3CX's VoIP desktop client, which could cause significant impact due to the company's diverse and valued customer profile. The attackers use a trojanized version of the software to steal information from Windows and macOS users.

Indicators of Compromise


APT Groups (1)

Lazarus Group (Korea, Democratic People's Republic of)
Labyrinth Chollima, Hidden Cobra, Diamond Sleet, Group 77, Whois Hacking Team, APT-C-26, NewRomanic Cyber Army Team, UNC2970, UNC577, TraderTraitor, TA404, SectorA01, ATK 3, Gods Disciples, Appleworm, Guardians of Peace, UNC4736, DEV-0139, ITG03, Lazarus Group, UNC4034, Jade Sleet, Zinc, Hastati Group, UNC4899, Gods Apostles

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1195 | Supply Chain Compromise |
| Execution | T1204.002 | User Execution: Malicious File |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
| Defense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time-Based Evasion |
| Credential Access | T1555 | Credentials from Password Stores |
| Credential Access | T1539 | Steal Web Session Cookie |
| Command and Control | T1071 | Application Layer Protocol |

Observed Countries (250)
