Hacker News
3CX softphone compromised by state-level actor in supply chain attack (crowdstrike.com)
9 points by SturgeonsLaw on March 30, 2023 | 5 comments



As an infra guy, this is currently my headache for the day, HN.

It looks as though a malicious (signed!) binary has been pushed out through 3CX's update system.

The group accused of this is North Korea's Labyrinth Chollima; they are the ones who were behind WannaCry.


The support threads on the 3CX forums where 3CX brushed it off as an fp are pretty horrifying. But tbh infra and SOC are between a rock and a hard place, esp. before the security vendors issue their evidence that it's not an fp...


FP = False Positive


Right, right, I forgot to avoid jargon...

Though at the rate this thread is going the only people who will read it know what an FP is ;)


Yeah, it was already dead (I only found it because I did a hn.algolia.com search trying to work out why no one was upvoting another article on the same topic). If I don’t know the meaning, I work it out and post it to help others.



