
TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks

Ravie Lakshmanan | March 31, 2026 | Zero-Day / Vulnerability

A critical security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government agencies in Southeast Asia, tracked as TrueChaos.

The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity checking when downloading an application’s update code, which allows an attacker to distribute a compromised update, leading to the execution of malicious code. Patches are included in the TrueConf Windows client starting with version 8.5.3, released earlier this month.

“The flaw stems from a misuse of TrueConf’s updater authentication mechanism, which allows an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files to all connected endpoints,” Check Point said in a report published today.

In other words, an attacker who controls the on-premises TrueConf server can replace the update package with a poisoned version, and the client program installed on the endpoints will download and run it, because the client does not enforce sufficient authentication to ensure that the update provided by the server has not been tampered with.
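As an added illustration (not TrueConf's code and not from Check Point's report), this is the check the article describes as missing: a client that pins the vendor's release key and accepts an installer only when the signed manifest verifies against that key and the installer's digest matches the manifest. The manifest format, the Ed25519 key handling and the function names are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the release metadata the vendor signs (hypothetical format).
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned release key")
	ErrHashMismatch = errors.New("installer digest differs from the signed manifest")
)

// SignRelease runs on the vendor's offline signing host, never on the update
// server, so a compromised server never holds the private key.
func SignRelease(priv ed25519.PrivateKey, version string, installer []byte) (manifestJSON, sig []byte, err error) {
	sum := sha256.Sum256(installer)
	manifestJSON, err = json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the client-side check: the installer is accepted only if the
// manifest carries a valid signature from the pinned key AND the installer's
// digest matches it. A server that only controls what it serves can satisfy neither
// condition on its own.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	if sum := sha256.Sum256(installer); hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	installer := []byte("constructed installer bytes v8.5.3")
	manifest, sig, _ := SignRelease(priv, "8.5.3", installer)
	_, err := VerifyUpdate(pub, manifest, sig, installer)
	fmt.Println("genuine update accepted:", err == nil)
	_, err = VerifyUpdate(pub, manifest, sig, []byte("poisoned installer"))
	fmt.Println("swapped installer rejected:", err)
}
```

The point of the demo is that swapping the installer trips the digest check, and rewriting the manifest to cover the swap trips the signature check, so the server alone cannot push a poisoned update.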

The TrueChaos campaign was found to have abused this flaw in the update process to deploy the open-source Havoc command-and-control (C2) framework on vulnerable endpoints. The activity is attributed with moderate confidence to a China-nexus threat actor.

An attack exploiting the vulnerability was first observed by the cybersecurity company in early 2026. It abused the client's complete trust in the update server to push a malicious installer, which in turn used DLL sideloading to launch a backdoor DLL.


The backdoor DLL (“7z-x64.dll”) was also observed performing hands-on-keyboard actions to continue the intrusion, establish persistence, and retrieve additional payloads (“iscsiexe.dll”) from an FTP server (“47.237.15.[.]197”). The main purpose of “iscsiexe.dll” is to be sideloaded by a downloaded binary (“poweriso.exe”) in order to load the backdoor.

Although the final stage malware delivered as part of the attack is unclear, it is assessed with high confidence that the end goal is to install Havoc.

TrueChaos’ links to a China-nexus threat actor are based on known tactics, such as the use of DLL side-loading and of Alibaba Cloud and Tencent for C2 infrastructure, and on the fact that the same victim was targeted at the same time by ShadowPad, a sophisticated backdoor widely used by hacking groups linked to China.

In addition, the use of Havoc has been attributed to another Chinese threat actor, called Amaranth-Dragon, for targeted infiltration of government and law enforcement agencies across Southeast Asia in 2025.

“The CVE-2026-3502 exploit did not require an attacker to compromise each endpoint,” Check Point said. “Instead, the attacker abused the trust relationship between the centralized TrueConf server and its clients. By substituting a malicious update, he turned the normal product update flow into a channel for spreading malware across multiple interconnected government networks.”
