We have confirmation that malicious versions of both Windows and macOS of the 3CX Desktop App are being deployed via trojanized updates. However, the application is available for Linux and mobile systems as well. While the desktop applications for those platforms are not known to be compromised, we recommend removing them out of caution until 3CX’s investigation is completed.

While the news broke on Wednesday, March 29, Bleeping Computer notes some customers have posted in 3CX forums that attacks have been observed as early as March 22. Vulnerable versions of the 3CX Desktop App appear to be 18.12.407 and 18.12.416 on Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 on macOS.

We have confirmation that malicious versions of both Windows and macOS of the 3CX Desktop App are being deployed via trojanized updates. However, the application is available for Linux and mobile systems as well.

We recommend that all 3CX customers who use the desktop application immediately:

1. Find and terminate all running 3CX processes on Windows, macOS, Linux, and mobile systems.

2. Find and remove all instances of the 3CX Desktop App on Windows, macOS, Linux, and mobile systems.

3. Use the 3CX web application/Web App (PWA) instead of the desktop application for now.

If you’re an Automox customer, the Worklet Catalog has automated remediation scripts for Windows, macOS, and Linux available so that you can automatically find and terminate the running processes and uninstall the 3CX Desktop App.

If you aren’t an Automox customer, the below scripts are in standard languages for each affected operating system (except for mobile devices) and can be used to terminate the 3CX process on Windows, macOS, and Linux endpoints.

The below scripts are written in PowerShell for Windows systems, and BASH for Linux and macOS systems. These scripts were written and accurate as of the publishing of this blog on March 31, 2023.