3CX Supply Chain Attack · C0057 · state
🇰🇵 KP
aka 3CX Supply Chain Attack
Run by AppleJeus
Last updated: 2026-07-03
About this actor
The [3CX Supply Chain Attack](https://attack.mitre.org/campaigns/C0057) was the first publicly reported case of one supply chain compromise triggering another, leading to a cascading, two-stage intrusion. The initial supply chain attack began when a 3CX employee downloaded and executed a trojanized, end-of-life version of the X_Trader trading software from Trading Technologies. This provided UNC4736, a threat cluster associated with [AppleJeus](https://attack.mitre.org/groups/G1049), access to the 3CX environment. From there UNC4736 compromised the Windows and macOS build environments used to distribute the 3CX desktop application to their customers. (Citation: Mandiant 3cx UNC4736 2023) While 3CX serves more than 600,000 customers and 12 million users, only a subset of systems were affected. Subsequent targeting focused on victims in the defense and cryptocurrency sectors, where attackers deployed secondary payloads such as Gopuram for credential theft and persistence. (Citation: Kaspersky 3CX Gopuram 2023) The campaign began in late 2022 and was disrupted after security vendors publicly reported the compromise in March 2023. (Citation: 3cx official statement 2023) (Citation: Krebs 3cx overview 2023)
Source: MITRE ATT&CK
Activity timeline
No activity events recorded.
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| No attributed CVEs. | | | | | |
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 22 / 31 | 71% |
| CM-6 | 21 / 31 | 68% |
| SI-3 | 21 / 31 | 68% |
| CM-2 | 19 / 31 | 61% |
| CM-7 | 18 / 31 | 58% |
| AC-6 | 16 / 31 | 52% |
| CA-7 | 16 / 31 | 52% |
| SC-7 | 14 / 31 | 45% |
| SI-2 | 14 / 31 | 45% |
| AC-2 | 12 / 31 | 39% |
| AC-3 | 12 / 31 | 39% |
| CM-5 | 12 / 31 | 39% |
| SI-7 | 12 / 31 | 39% |
| AC-4 | 11 / 31 | 35% |
| RA-5 | 9 / 31 | 29% |
Co-occurring actors
None.
Similar actors
Similar TTPs
- RedDelta Modified PlugX Infection Chain Operations 0.20
- Daggerfly 0.20
- APT41 DUST 0.18
- APT19 0.17
- Inception 0.16
Same nation-state
- Operation Dream Job 1.00
- Lazarus Group 1.00
- APT37 1.00
- APT38 1.00
- Kimsuky 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00