
Disable 3CX Unattended Upgrades (macOS)

Removes trojanized 3CX Desktop App builds from macOS endpoints affected by the March 2023 supply-chain compromise

Worklet Details

What the 3CX Desktop App removal Worklet does

This Automox Worklet™ detects and removes trojanized builds of the 3CX Desktop App from macOS endpoints. The Worklet scans the four locations where the 3CX installer drops the app bundle and reads the version string out of Spotlight metadata using mdls and the kMDItemVersion attribute. It then matches each on-disk version against the four builds tied to the March 2023 supply-chain compromise: 18.12.416, 18.11.1213, 18.12.407, and 18.12.402.

When a match is found, the Worklet terminates any running 3CX Desktop App process, deletes the application bundle, and removes the associated Application Support directories that the trojanized installer drops outside the bundle. Clean installs on any other version are left in place, so the Worklet is safe to run across a mixed fleet without disrupting endpoints that already updated to a patched build.

The compromised builds were signed with a valid 3CX certificate and shipped through the official auto-update channel, which means standard reputation checks treated them as trusted. The Worklet does not rely on signature reputation. It compares the literal version string on disk against the published affected list and acts on a match.

Why remove the compromised 3CX Desktop App builds

The March 2023 3CX supply-chain compromise, tracked as CVE-2023-29059 and reported publicly as SmoothOperator, embedded a second-stage information-stealer inside legitimately signed builds of the 3CX Desktop App. The macOS builds 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 reached customers through the vendor's own update server before 3CX revoked the signing certificate and pulled the affected releases.

An endpoint that auto-updated during the exposure window still carries the trojanized bundle even after a clean release shipped, because the dropped payload and persistence files in /Library/Application Support/ and ~/Library/Application Support/ survive an ordinary in-place upgrade of the bundle. Uninstalling the affected version and the support directories is the only way to clear the implant.

Running this Worklet against your macOS fleet reaches every host that pulled an update during the exposure period, captures the result in the Automox activity log, and produces hostname-level evidence for incident response and audit without remoting into each endpoint one at a time.

How the 3CX Desktop App removal works

  1. Evaluation phase: The Worklet enables case-insensitive globbing with shopt -s nocaseglob, then runs pgrep against the pattern .*3cx.*desktop.* to detect a live 3CX Desktop App process. If a process is running, the evaluation exits non-compliant. With no live process, the Worklet iterates the four install paths (/, /Applications/, /Users/*/Applications/, and /Users/*/Desktop/) for any bundle matching 3cx*desktop*.app. For each bundle found, it reads kMDItemVersion via mdls and compares the value against the affected list (18.12.416, 18.11.1213, 18.12.407, 18.12.402). A match returns exit code 1 and flags the endpoint for remediation.

  2. Remediation phase: The remediation script re-runs the same discovery, then escalates. Running 3CX processes are killed with pgrep piped to xargs kill -9 so that no running process holds the bundle's files open. The Worklet removes any matched bundle with rm -rf, then walks the support directories /Library/Application Support/3cx*desktop*.app and /Users/*/Library/Application Support/3cx*desktop*.app to delete the persistence files the trojanized installer drops outside the app bundle. Bundles on a non-affected version are left untouched.
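The evaluation logic described above, written out as an added example (not the Automox Worklet's own script): it walks the four install paths, reads kMDItemVersion through mdls, and returns exit code 1 on a match. It assumes the path list and affected versions stated on this page; `find -iname` stands in for the Worklet's nocaseglob loop so the discovery step also runs on a Linux scratch directory, while mdls itself is macOS-only.

```shell
#!/bin/bash
# Evaluation-style scan for trojanized 3CX Desktop App bundles on macOS.
# Added example, not the Automox Worklet's script. Assumes the install paths and
# affected-version list given above; `find -iname` stands in for the Worklet's
# nocaseglob loop, and mdls (Spotlight metadata) exists only on macOS.

AFFECTED_VERSIONS="18.12.416 18.11.1213 18.12.407 18.12.402"

# Locations the installer drops the bundle into. Override INSTALL_PATHS to point
# the scan at a scratch directory when exercising it off-box.
INSTALL_PATHS="${INSTALL_PATHS:-/ /Applications/ /Users/*/Applications/ /Users/*/Desktop/}"

# Return 0 when $1 is exactly one of the compromised builds. The match is on the
# literal version string; certificate validity is deliberately not consulted.
is_affected_version() {
  local v="$1" a
  for a in $AFFECTED_VERSIONS; do
    [ "$v" = "$a" ] && return 0
  done
  return 1
}

# Read the bundle version from Spotlight metadata. With -raw, mdls prints the
# bare value (or "(null)" if the attribute is missing), so nothing to unquote.
bundle_version() {
  mdls -name kMDItemVersion -raw "$1" 2>/dev/null
}

# Find 3CX Desktop App bundles at the top level of each install path, print
# "path<TAB>version" for each one on an affected build, and return 1 if any was
# found (endpoint needs remediation) or 0 if clean, like the Worklet's exit codes.
scan_bundles() {
  local rc=0 dir app ver found
  for dir in $INSTALL_PATHS; do      # unquoted on purpose: /Users/* must expand
    [ -d "$dir" ] || continue
    found=$(find "$dir" -maxdepth 1 -iname '3cx*desktop*.app' 2>/dev/null)
    [ -n "$found" ] || continue
    while IFS= read -r app; do       # one bundle per line; paths may contain spaces
      ver=$(bundle_version "$app")
      if is_affected_version "$ver"; then
        printf '%s\t%s\n' "$app" "$ver"
        rc=1
      fi
    done <<EOF
$found
EOF
  done
  return "$rc"
}
```

Run `scan_bundles` as root on the endpoint; a non-zero exit together with the printed bundle paths is the signal that the removal step is needed.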

Requirements for running the 3CX removal Worklet

  • macOS endpoint (workstation or server profile)

  • Root or administrator privileges so the script can read /Library, write into user home directories, and call kill -9 against another user's process

  • Affected versions targeted by the script: 18.12.416, 18.11.1213, 18.12.407, and 18.12.402

  • FixNow compatible, so a responder can trigger removal across an exposed cohort from the Automox console without waiting for the next policy cycle

Expected state after the 3CX cleanup runs

On a clean endpoint the Worklet exits with code 0 and leaves the file system untouched. On an exposed endpoint the trojanized 3CX Desktop App bundle is gone from every scanned path, the matching Application Support directories are removed, and any running 3CX process is terminated. A second evaluation pass on the same endpoint returns 0, which gives the operator a clear compliance signal that the exposure has been closed.

After remediation, install a clean 3CX Desktop App build through your normal software distribution path: Jamf, Munki, an Automox software policy, or a manual PKG deployment. Use the current vendor release published by 3CX rather than any of the four affected builds. Because the Worklet removes the bundle outright rather than disabling auto-update, users on remediated endpoints will not see 3CX again until you redeploy it.

Validate by re-running the Worklet on the cohort after deployment. The evaluation script reports the on-disk version through kMDItemVersion, so an endpoint reinstalled with a clean build will report compliant on the next scan with no further action.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
