Museum Wire
2023 · Supply Chain Attack · Enterprise Organizations / 3CX Customers (600,000+ companies, 12M daily users)

3CX — The Supply Chain That Ate Another Supply Chain

Backdoored 3CX Desktop App delivered to enterprise customers via legitimate, signed update mechanism. Second-stage payload enabled information stealing (browser history, saved credentials) and beaconing to attacker-controlled C2 infrastructure. Attributed to Lazarus Group (North Korean state-sponsored APT). First publicly confirmed instance of a supply chain attack executed via a prior supply chain attack — a two-hop compromise with no historical precedent.

Root Cause

A 3CX employee installed a trojanized version of Trading Technologies' X_TRADER software — itself the product of a prior supply chain compromise dating to 2022. That infection propagated malicious DLLs onto the developer's machine, which subsequently spread into 3CX's build environment. The corrupted build produced signed 3CX installers containing ICONIC/SIMPLESEA malware, distributed as legitimate software updates to the entire customer base. The signing certificate was legitimate. The vendor was trusted. The installer was real. The only thing that had changed was the code inside it.

Aftermath

CrowdStrike and Mandiant conducted incident response. Trading Technologies confirmed X_TRADER had been compromised since at least 2022. 3CX issued emergency updates and began a security overhaul. The US and UK governments formally attributed the attack to Lazarus Group. The incident accelerated adoption of software bill of materials (SBOM) requirements and renewed industry debate about whether code signing provides meaningful assurance when the signing infrastructure itself has been compromised.

The Museum Placard

A phone system used by 600,000 companies and 12 million people daily became a precision malware delivery vehicle — not because 3CX was breached directly, but because a vendor their developer trusted had already been breached a year earlier. The attackers didn't need to attack 3CX. They attacked the road that led to 3CX.

This is not a story about a single vulnerability. It is a story about what happens when trust is inherited transitively and verified nowhere.

---

The Architecture of Two Hops

The supply chain attack as a concept was well understood by 2023. SolarWinds had established the playbook: compromise the build pipeline, sign the malware with the victim's own certificate, distribute it as a legitimate update. Security teams had spent three years building defenses against exactly that pattern.

What they had not prepared for was a supply chain attack that itself arrived via a prior supply chain attack.

Hop one. Trading Technologies produces X_TRADER, a platform used by financial traders. At some point in 2022, Lazarus Group compromised X_TRADER's distribution mechanism. A trojanized version was distributed to users, containing the VEILEDSIGNAL backdoor.

Hop two. One of those users was a 3CX employee. They installed X_TRADER. VEILEDSIGNAL infected their workstation — a workstation with access to 3CX's build environment.

Hop three. The infection propagated into 3CX's build infrastructure. Malicious DLLs (ffmpeg.dll and d3dcompiler_47.dll) were injected into the 3CX Desktop App bundle. The bundle was signed with 3CX's legitimate code-signing certificate. The update was shipped to 600,000 companies.

The victims of the 3CX attack were two hops removed from the original compromise. The company that was attacked — 3CX — was itself not the primary target. The primary target was a developer's machine. The primary weapon was a financial trading application that had nothing to do with VoIP.

---

The Technical Mechanism

The 3CX Desktop App is built on Electron — the framework that packages web applications as desktop software. Electron applications bundle a Chromium runtime alongside the app code and are distributed as a standard installer. Electron apps are large and complex, which makes binary inspection difficult; they also run with full native privileges, which makes them high-value infection vectors.

The malicious DLLs:

- ffmpeg.dll — a legitimate FFmpeg library replaced with a malicious version that reads encrypted shellcode from a companion file

- d3dcompiler_47.dll — contains the encrypted ICONIC malware payload

When the 3CX app launched, it loaded ffmpeg.dll as part of normal startup. The malicious library read the payload from d3dcompiler_47.dll, decrypted it, and executed it in memory. No new processes were spawned. No suspicious files were written. The execution chain looked like a normal application launch.

C2 via steganography:

The ICONIC malware's command-and-control mechanism hid C2 server addresses inside icon image files served from GitHub repository README pages — extracted at runtime using steganography. Network defenders saw only HTTPS traffic to raw.githubusercontent.com, a domain present in virtually every enterprise network log and almost never blocked.
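A defender's response to this pattern is not to block raw.githubusercontent.com but to ask which processes are talking to it and how regularly. The following detection sketch is an added example for this placard, not tooling from 3CX, CrowdStrike or Mandiant; the proxy log lines are constructed, the four-field layout (timestamp, endpoint, process image, destination host) is an assumption rather than a real proxy format, and the allowlist of processes is a placeholder to be tuned per estate. It flags non-allowlisted processes contacting the host and then checks whether their contacts are spaced at a near-constant interval, the beacon signature that a VoIP client has no reason to produce.

```python
"""Flag unexpected processes beaconing to raw.githubusercontent.com.

Added detection sketch (not from the incident's responders). Log lines and
field layout are constructed for the example; ALLOWED_PROCESSES is a
placeholder allowlist, not a recommendation for any real environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Processes that legitimately fetch raw files from GitHub in this (assumed) estate.
ALLOWED_PROCESSES = {"git.exe", "python.exe", "curl.exe"}

WATCHED_HOST = "raw.githubusercontent.com"

# Constructed proxy log: ISO timestamp, endpoint name, process image, destination host.
SAMPLE_LOG = """\
2023-03-22T09:00:00 WS-104 3CXDesktopApp.exe raw.githubusercontent.com
2023-03-22T09:00:05 WS-210 git.exe raw.githubusercontent.com
2023-03-22T09:30:00 WS-104 3CXDesktopApp.exe raw.githubusercontent.com
2023-03-22T09:41:12 WS-210 chrome.exe github.com
2023-03-22T10:00:00 WS-104 3CXDesktopApp.exe raw.githubusercontent.com
2023-03-22T10:30:00 WS-104 3CXDesktopApp.exe raw.githubusercontent.com
2023-03-22T10:32:44 WS-310 curl.exe raw.githubusercontent.com
"""


def parse(log: str):
    """Yield (timestamp, endpoint, process, destination) for each log line."""
    for line in log.splitlines():
        ts, host, proc, dest = line.split()
        yield datetime.fromisoformat(ts), host, proc, dest


def unexpected_clients(log: str) -> dict[tuple[str, str], list[datetime]]:
    """Group contacts with WATCHED_HOST by (endpoint, process), skipping allowlisted processes."""
    hits: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ts, host, proc, dest in parse(log):
        if dest == WATCHED_HOST and proc.lower() not in ALLOWED_PROCESSES:
            hits[(host, proc)].append(ts)
    return dict(hits)


def looks_periodic(times: list[datetime], min_hits: int = 3, jitter_ratio: float = 0.2) -> bool:
    """True when at least min_hits contacts are spaced at a near-constant interval.

    jitter_ratio bounds the allowed spread of the gaps relative to their mean,
    so modest sleep jitter still counts as beaconing.
    """
    if len(times) < min_hits:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return pstdev(gaps) <= jitter_ratio * mean(gaps)


def find_beacons(log: str) -> list[tuple[str, str, float]]:
    """Return (endpoint, process, mean interval in seconds) for periodic unexpected clients."""
    out = []
    for (host, proc), times in unexpected_clients(log).items():
        times.sort()
        if looks_periodic(times):
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            out.append((host, proc, mean(gaps)))
    return out


if __name__ == "__main__":
    for host, proc, interval in find_beacons(SAMPLE_LOG):
        print(f"{host}: {proc} contacts {WATCHED_HOST} every {interval:.0f}s")
```

On the constructed log the only finding is WS-104, where the desktop app contacts the host every 1800 seconds; git.exe and curl.exe are allowlisted and chrome.exe never touches the watched host. The periodicity check is what separates a one-off download from a beacon, and it is the part worth carrying into a real rule.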

The payload:

ICONIC performed initial reconnaissance: hostname, username, OS version, running processes. It reported this to the operators, who selectively activated a second-stage payload — SIMPLESEA — on high-value targets for deeper access.

---

The Six Laws at Work

Law III — Transitive Trust

3CX trusted their employee's workstation. The employee trusted X_TRADER. Trading Technologies trusted their own distribution mechanism. Every link in the chain was legitimate. The chain itself was the vulnerability. The attack surface was not 3CX's code — it was every trust relationship that allowed external code to reach 3CX's build environment without independent integrity verification.

Law I — Boundary Collapse

The signed installer is the canonical trust signal in software distribution: valid signature from a trusted certificate means the software is safe. This boundary collapsed when the signing infrastructure was compromised. The certificate was legitimate. The signature was valid. The statement "this software is from 3CX" was true. The statement "this software is safe" was not. Code signing conveys origin. It does not convey integrity.

Law 0 — Katie's Law

Why didn't 3CX's build environment verify the integrity of its own toolchain? Because doing so is expensive and had never been necessary. Why didn't security vendors flag the malicious DLLs? Because they were signed and came from a known vendor. Every decision in this attack's success path was a rational optimization that became catastrophic under adversarial conditions.

---

What Should Have Stopped This

Reproducible builds with independent verification — if 3CX's build could be reproduced from source and the binaries compared bit-for-bit, the DLL substitution would have been detectable regardless of signature validity.

Build environment isolation from developer workstations — a developer's infected machine should not have network or filesystem access to a production build system. The propagation path from developer endpoint to build pipeline is the structural failure here.

Software Bill of Materials with hash pinning — an SBOM that cryptographically pins every bundled library's expected hash would have flagged ffmpeg.dll's substitution at build time.

Binary integrity checking beyond signature — signature verification confirms the signer's identity, not the binary's expected content. Hash comparison against known-good builds would have caught the modification even with a valid signature attached.
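The DLL substitution described under The Technical Mechanism and the last three controls above (reproducible builds compared bit-for-bit, SBOM hash pinning, integrity checking beyond the signature) come down to one operation: hash every component of a reference build, pin those hashes, and refuse to ship a candidate whose components differ. The block below is an added illustration of that check, not 3CX's build tooling. The bundle layouts are constructed stand-ins (a few byte strings named after the files on the page), and a real deployment would pin the manifest from a reproducible build run on isolated infrastructure rather than from a directory on the same machine.

```python
"""Pin every bundled component's hash and verify a candidate build against it.

Added illustration, not 3CX's tooling. REFERENCE_BUILD and SHIPPED_BUILD are
constructed stand-ins (tiny byte strings), not the real Electron bundle.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large Electron bundles are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_bundle(candidate: Path, manifest: dict[str, str]) -> list[tuple[str, str]]:
    """Compare a candidate bundle against pinned hashes.

    Returns sorted (finding, path) pairs. An empty list means every pinned
    component agrees bit-for-bit with the reference build and nothing extra
    was added. This check says nothing about who signed the installer.
    """
    actual = hash_tree(candidate)
    findings = []
    for rel, expected in manifest.items():
        if rel not in actual:
            findings.append(("missing", rel))
        elif actual[rel] != expected:
            findings.append(("hash-mismatch", rel))
    for rel in actual:
        if rel not in manifest:
            findings.append(("unpinned-file", rel))
    return sorted(findings)


def write_files(root: Path, files: dict[str, bytes]) -> None:
    """Materialise a constructed bundle layout on disk."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


# Constructed stand-in for the output of a reference (reproducible) build.
REFERENCE_BUILD = {
    "3CXDesktopApp.exe": b"electron-launcher-stub",
    "ffmpeg.dll": b"genuine-ffmpeg-stub",
    "d3dcompiler_47.dll": b"genuine-d3dcompiler-stub",
    "resources/app.asar": b"app-code-stub",
}

# Constructed stand-in for the shipped installer: the two DLLs named on the
# page replaced, everything else untouched. A signature over this bundle
# still validates if the signer holds a legitimate certificate.
SHIPPED_BUILD = dict(REFERENCE_BUILD)
SHIPPED_BUILD["ffmpeg.dll"] = b"loader-that-reads-companion-file-stub"
SHIPPED_BUILD["d3dcompiler_47.dll"] = b"encrypted-payload-stub"


def demo() -> list[tuple[str, str]]:
    """Pin hashes from the reference build, then verify the shipped build against them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, shipped = Path(tmp) / "ref", Path(tmp) / "shipped"
        write_files(ref, REFERENCE_BUILD)
        write_files(shipped, SHIPPED_BUILD)
        manifest = hash_tree(ref)
        return verify_bundle(shipped, manifest)


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:15s} {path}")
```

Running it reports hash-mismatch for both DLLs and nothing else. The point of the design is that the manifest is produced by a build the verifier controls, so the comparison is independent of the certificate: a valid signature over a tampered bundle changes nothing about the outcome.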

---

The Wider Pattern

3CX sits in a documented lineage of distribution-layer attacks:

- SolarWinds (2020): Build pipeline injected, signed updates distributed to 18,000 organizations

- 3CX (2023): Developer machine compromised via upstream supply chain; build environment propagation

- XZ Utils (2024): Maintainer trust compromised via two-year social engineering; backdoor inserted at build time

- Notepad++ / Lotus Blossom (2025): Distribution infrastructure compromised; update manifests poisoned

The pattern: attackers move upstream. The target is the distribution mechanism — because that is where trust is unconditional and verification is absent.

---

Curator's Note

The most significant detail of this attack is not the payload's technical sophistication. It is the architectural patience. Lazarus Group compromised X_TRADER in 2022. They waited. They identified a 3CX employee who had installed it. They waited again. They used that foothold to reach 3CX's build environment. They waited while the malicious update propagated to 600,000 customer organizations. Then they selectively activated second-stage payloads only on targets of interest.

This is not opportunistic crime. This is a patient, multi-year operation that treated the software supply chain as a directed graph and found the shortest path between themselves and their actual targets — which were never 3CX's customers, but specific organizations within those customers deemed worth the extraction cost.

EFFODE · LEGE · INTELLEGE

Techniques

- Upstream Dependency Compromise (Trading Technologies X_TRADER)

- DLL Sideloading via Compromised Electron App

- Signed Installer Delivery

- HTTPS C2 via GitHub README Icon Steganography