3CX confirmed that the software supply chain attack was the work of a North Korean hacker group, UNC4736. The group used the Taxhaul and Simplesea malware for infecting Windows and macOS, respectively. Attackers used Taxhaul (or TxRLoader) to target Windows machines, which was further used to deploy a second-stage payload called Coldcat.