
3CX Supply Chain Compromise Leads to ICONIC Incident

ID: 1d58e3b7-bf26-516d-9cbb-864eb38346f4

STIX ID: report--1d58e3b7-bf26-516d-9cbb-864eb38346f4

Feed Name: Volexity Blog

Threat Score
90/100

Date Published: 2023-03-30

Date Updated: 2026-05-01


Volexity discovered a supply-chain compromise of 3CX Desktop App installers that delivered a multi-stage backdoor called ICONIC to Windows and macOS users. The attackers embedded malicious ffmpeg libraries that decode and stage payloads (using ICO steganography and AES-GCM) in order to retrieve shellcode and a reflectively loaded ICONICSTEALER DLL that collects host and browser data. The campaign used GitHub-hosted ICO files (and hardcoded C2 lists on macOS), bespoke request cookies tied to the host's MachineGuid, and shared proxying infrastructure. Volexity provides IOCs, YARA and Suricata rules, and assesses the actor to be a capable, likely nation-state-backed cluster tracked as UTA0040, with proposed links to Lazarus.
