  • Jordan Albaladejo

3CX Business VOIP Desktop App Hacked - Supply Chain Attack (Smooth Operator)

Following our recent YouTube video series covering recent 3CX threats, we wanted to take the opportunity to do a deep dive in a blog post, bringing together everything we are currently aware of about this ongoing 3CX supply chain attack and vulnerability.


See our first video here:

3CX Business VOIP Desktop App Hacked - Possible Supply Chain Attack - YouTube



See our follow up update video here:

(Update) 3CX Business VOIP Desktop App Hacked - Supply Chain Attack - YouTube




So, what has happened and what do you need to be aware of:


On March 22, 2023, SentinelOne EDR made the first detections of the compromised 3CXDesktopApp, in a campaign nicknamed "Smooth Operator."

See original blog post here: SmoothOperator

The 3CXDesktopApp is a communication tool used by many large corporations worldwide, including Mercedes-Benz, Toyota, Coca-Cola, American Express, Honda, BMW, Airfrance Wilson, and McDonald's.




At the time of the first detections the malware payload was dormant, and it would stay in this state for 7 days, leading up to 29/03/2023.


Further investigation after execution revealed that the threat originated through

"bundled libraries that [3CX] compiled into the Windows Electron App via GIT".

See original forum post here: 3CX DesktopApp Security Alert | 3CX Forums




The Electron Framework is used by the 3CXDesktopApp as the open-source foundation on which 3CX builds its desktop applications.




The compromised update reached out to a repository controlled by the threat actor, from which the "real" payload was downloaded. This payload included a trojanized package for the Mac environment and info-stealing malware for the Windows environment, targeting the affected client's browser data. This could lead to a breach of saved passwords and credentials, and possibly to the theft of session tokens (session hijacking).

This information was first discovered on 29/03/2023, as not all instances of the dormant malware were, or would be, activated until that time, indicating a targeted approach to this attack. 3CX has stated in its official security update that this malware may have ties to a state-sponsored effort.

See 3CX Security Alert: 3CX Security Alert for Electron Windows App | Desktop App


On March 29, 2023, 3CX CEO Nick Galea reported that the issue had first been brought to 3CX's attention and that the company was working towards resolving it.

See original forum post here: 3CX DesktopApp Security Alert | 3CX Forums


3CX has since appointed Mandiant, a renowned American cybersecurity firm and subsidiary of Google, and the market leader in threat intelligence. With their help, 3CX will be able to review this incident in full.

See more about Mandiant here: Threat Intelligence Solutions


3CX notified all partners by a security alert email earlier this morning (31/03/2023 8:54am AEST), advising them of the following:

"[their] electron windows app shipped in Update 7, version numbers 18.12.407 & 18.12.416, included a severe security issue. [They] since learned that Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407 & 18.12.416 have also been affected. Fortunately, anti-virus vendors flagged the executable 3CXDesktopApp.exe and blocked it." "In response to this incident, 3CX has appointed Mandiant a renowned American cybersecurity firm and subsidiary of Google - and the market leader in threat intelligence. With their help we will be able to review this incident in full. Whilst their investigation is underway, we ask you to follow the instructions below immediately."

Following this, 3CX also shared crucial instructions to follow to avoid a possible breach and to protect sensitive information from falling into the wrong hands. The instructions shared were as follows:


"Customers on 3CX Hosted / StartUP - No Action Needed
3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically. Servers will be restarted and the new Electron App MSI/DMG will be installed on the server. We recommend that you DO NOT install or deploy the Electron App. This update is only to ensure that the trojan has been removed from the 3CX Server where Desktop Apps are stored and in case any users decide to deploy the app anyway. During the restart there might be disruption for a few minutes while we restart your server.

Use PWA on the Clients / Desktops
Uninstall the Electron App
Follow these steps to uninstall the Electron App for Mac or Windows
For Windows:
Start
Type “Control Panel”, Enter
Select “Programs and Features”
Find 3CX Desktop App, select and press “Uninstall”.
On Mac:
Go to “Applications”
Tap on “3CX Desktop APP”
Right click then “Move to Bin”
Ensure that it isn’t also present on Desktop otherwise delete it from there as well.
Empty the Bin.

Use PWA instead of the Electron APP - Here's How!
Login to the Web Client.
You have two options:
EITHER click on the OS icon below the user avatar. A new dialog will open, select “Web App (PWA)” and then hit the “Install” button.
OR click on the “Install button” (A screen with an arrow) located in the address bar and confirm.
To set the app to auto start
On Google Chrome: Open your Chrome browser and type ‘chrome://apps’ into the address bar. Right click on “3CX” and enable “Start app when you sign in”.
On Microsoft Edge: On Edge, select to Auto-start in the dialog that appears after installation.
PWA only works on Google Chrome and Microsoft Edge - not on Safari or Firefox
You can read more in the Web Client user manual.

Avoid Using the Electron App Unless Absolutely Essential
In a day or two from now, we will have another Electron App rebuilt from the ground up with a new signed certificate. This is expected to be completely secure. We strongly recommend that you avoid using the Electron App unless there is absolutely no alternative. The Electron App update that we are releasing today is considered to be secure but there is no guarantee given that we only had 24 hours to make the necessary adjustments

More Information to Come - Transparency Assured
We are still working to decipher the full extent of the attack and we promise full transparency as soon as we are clear on everything. We don’t want to jump the gun and make wrong assumptions. Please follow our Forum and blog as well as our LinkedIn, Twitter, Facebook and Instagram pages as we’ll continue to update our customers and partners regularly.

Our Continued and Very Sincere Apologies
We continue to offer our very sincere apologies to all our partners and customers worldwide. The entire 3CX team continues to work around the clock.

Sincerely,
The 3CX Team"
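As an added example (not part of the original post or of 3CX's own guidance), the following PowerShell script helps a Windows administrator check whether an endpoint still has the Electron desktop app installed at one of the affected Windows version numbers named in the alert above (18.12.407 and 18.12.416), and whether 3CXDesktopApp.exe is currently running, before following the uninstall steps. It assumes the app registers itself under the standard Windows uninstall registry keys with a display name beginning "3CX Desktop App", as shown in Programs and Features.

```powershell
# Added example, not 3CX's code: read-only inventory check for the affected
# 3CX Desktop App (Electron) versions listed in the 3CX security alert.
# Run from an elevated PowerShell prompt on each Windows endpoint.

# Affected Windows version numbers, taken from the 3CX alert.
$AffectedWindowsVersions = @('18.12.407', '18.12.416')

# Uninstall entries can live under HKLM (machine-wide, 64-bit and 32-bit views)
# or HKCU (per-user installs). HKCU only covers the user running this script.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the app's DisplayName starts with "3CX Desktop App" (the name
# shown in Programs and Features in the uninstall steps above).
$Installed = Get-ItemProperty -Path $UninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '3CX Desktop App*' }

# Report whether the flagged executable is running right now.
$Running = Get-Process -Name '3CXDesktopApp' -ErrorAction SilentlyContinue
if ($Running) {
    Write-Warning "3CXDesktopApp.exe is running on $env:COMPUTERNAME (PID(s): $($Running.Id -join ', '))."
}

if (-not $Installed) {
    Write-Output "No 3CX Desktop App (Electron) install found on $env:COMPUTERNAME."
    return
}

# One result object per install, so the output can be collected across hosts.
foreach ($App in $Installed) {
    $Status = if ($AffectedWindowsVersions -contains $App.DisplayVersion) {
        'AFFECTED - uninstall per 3CX guidance'
    } else {
        'not in affected list - verify against latest 3CX alert'
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Name     = $App.DisplayName
        Version  = $App.DisplayVersion
        Status   = $Status
        Path     = $App.InstallLocation
    }
}
```

Pipe the output to Export-Csv when running it across a fleet so the affected hosts can be tracked through the uninstall and PWA migration.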

We at Ingest Services will be keeping a close eye on Mandiant's post-investigation findings. Until then, this is what we have found, along with the currently available findings, regarding this massive threat to an industry staple: 3CX, the PABX/VOIP solution provider.



Further notable credits:


SentinelOne's Blog Post (Smooth Operator)

SmoothOperator


First 3CX Community Forum post

Threat alerts | 3CX Forums


Tom Lawrence from Lawrence Systems

Post alerting the public on IT Business Owners Group (Facebook)


Crowdstrike Reddit alert/post

crowdstrike (reddit.com)


John Hammond - Github Twitter Post

John Hammond on Twitter


3CX CEO Original Forum Post

3CX DesktopApp Security Alert | 3CX Forums


Huntress Blog Post:

3CX VoIP Software Compromise & Supply Chain Threats


John Hammond YouTube Video Explanation

3CX VOIP Compromised & Supply Chain Threat - YouTube


Contributions to blog post:

Edited by ChatGPT, a large language model trained by OpenAI, based on the GPT-3.5 architecture.









