Security firms CrowdStrike, Sophos, and SentinelOne have warned that a digitally signed version of the 3CX softphone has been turned into a trojan. The compromised software has been installed on both Windows- and Mac-based computers.
So far the most common symptoms are beaconing (reaching out) to the perpetrator’s infrastructure and spawning live command shells. The attack is ongoing and state-level involvement is suspected. In some cases, hands-on-keyboard remote activity has apparently been observed.
There is no published fix or advice from 3CX that we could locate. At this time, uninstalling the software and scanning with security packages appears to be the best defensive move. You can read SentinelOne’s analysis of the campaign here: https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/