Several security organisations (ESET, CrowdStrike, SentinelOne) have recently discovered malicious activity within a legitimate, signed binary from 3CX. 3CXDesktopApp, a softphone application from 3CX, is exhibiting malicious behaviour: it makes calls (beacons) to threat-actor-controlled infrastructure, deploys second-stage payloads and, in some instances, shows hands-on-keyboard activity. The current threat is considered a possible supply chain attack similar to the SolarWinds incident a few years back and, as of writing, is still under investigation by the vendor. The attack affects Windows/Linux and mobile devices that have 3CXDesktopApp installed.

What can you do?

For those customers that have 3CX running, there are several mitigation steps you can take.

Allowlisting: If you have an allowlisting solution with the capability to explicitly block, such as Airlock Digital, you can do one or all of the following.

  • Block by hash: adding the application hashes for the known compromised versions of the software and the installers to a blocklist will prevent those files from executing (see the table below).

In Airlock go to Blocklists, right-click Blocklists and select Create Blocklist Package.

Name the package 3CX DesktopApp.

Right-click on the newly created package and select Import Hashes.

Paste all the hashes from the table below into the pop-up box and select Extract Hashes.

Select Bulk Add, then select Add selected to Blocklist Package and OK.

  • Block by file name: add the filename 3CXDesktopApp.exe using a metadata-type block rule.

In the same blocklist package created in the previous step, expand Blocklist Metadata Rules, right-click and select Add New Rule, select the operating system, select Add Criteria, select Original Filename, type 3CXDesktopApp and save. Do this for each OS type in your organisation.


Once completed, approve the blocklist at the root of your policy folder by selecting Policies, expanding Blocklists and right-clicking Enable (Enforced).

File Details:

| Application SHA256 | Operating System | Installer SHA256 | Installer File Name |
|---|---|---|---|
| dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc | Windows | aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 | 3cxdesktopapp-18.12.407.msi |
| fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 | Windows | 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 | 3cxdesktopapp-18.12.416.msi |
| 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 | macOS | 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 | 3CXDesktopApp-18.11.1213.dmg |
| b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb | macOS | e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec | 3cxdesktopapp-latest.dmg |
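As an added example, not part of this advisory or of Airlock Digital's tooling, the following Python script turns the File Details table and the Original Filename rule above into a host-side check a defender can run over a set of installers and application binaries. It assumes the first column is the SHA256 of the application binary, and it matches names against the on-disk filename, which only approximates the PE Original Filename metadata that the Airlock rule reads.

```python
import hashlib
import os

# Rows copied from the advisory's File Details table:
# <application SHA256> <OS> <installer SHA256> <installer file name>
BLOCKLIST_TABLE = """
dde03348075512796241389dfea5560c20a3d2a2eac95c894e7bbed5e85a0acc Windows aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868 3cxdesktopapp-18.12.407.msi
fad482ded2e25ce9e1dd3d3ecc3227af714bdfbbde04347dbc1b21d6a3670405 Windows 59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983 3cxdesktopapp-18.12.416.msi
92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61 macOS 5407cda7d3a75e7b1e030b1f33337a56f293578ffa8b3ae19c671051ed314290 3CXDesktopApp-18.11.1213.dmg
b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb macOS e6bbc33815b9f20b0cf832d7401dd893fbc467c800728b5891336706da0dbcec 3cxdesktopapp-latest.dmg
"""
# Approximates the advisory's Original Filename metadata rule by on-disk name.
BLOCKED_NAME = "3cxdesktopapp"

def load_indicators(table=BLOCKLIST_TABLE):
    # Map every SHA256 in the table to (kind, os, installer file name).
    indicators = {}
    for line in table.strip().splitlines():
        app_hash, os_name, inst_hash, inst_name = line.split()
        indicators[app_hash.lower()] = ("application", os_name, inst_name)
        indicators[inst_hash.lower()] = ("installer", os_name, inst_name)
    return indicators

def sha256_file(path, chunk=1 << 20):
    # Hash in chunks so a large installer never has to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(digest, name, indicators):
    # Findings for one file: a hash match, a name match, or both.
    findings = []
    hit = indicators.get(digest.lower())
    if hit:
        kind, os_name, inst_name = hit
        findings.append(f"hash match: {kind} for {os_name} ({inst_name})")
    if os.path.splitext(name)[0].lower() == BLOCKED_NAME:
        findings.append("name match: 3CXDesktopApp")
    return findings

def scan(paths, indicators):
    # Check each path; returns {path: findings} for flagged files only.
    hits = {}
    for path in paths:
        findings = classify(sha256_file(path), os.path.basename(path), indicators)
        if findings:
            hits[path] = findings
    return hits
```

Feed `scan()` the file paths from `os.walk()` to cover a whole tree. A renamed binary is still caught by hash, but only the Airlock metadata rule sees the PE Original Filename.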

If you have any questions about the 3CX possible supply chain attack or the information provided, contact your Partner Account Manager.