A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos.
The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update, resulting in the execution of arbitrary code. It has been patched in the TrueConf Windows client starting with version 8.5.3, released earlier this month.
“The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints,” Check Point said in a report published today.
In other words, an attacker who manages to gain control of the on-premises TrueConf server can substitute the update package with a poisoned version, which then gets pulled by the client application installed on customers’ endpoints, owing to the fact that it does not enforce adequate validation to ensure that the server-provided update has not been tampered with.
The TrueChaos campaign has been found to weaponize this flaw in the update mechanism to likely deploy the open-source Havoc command-and-control (C2) framework to vulnerable endpoints. The activity has been attributed with moderate confidence to a Chinese-nexus threat actor.
Attacks exploiting the vulnerability were first recorded by the cybersecurity company at the beginning of 2026, with the implicit trust the client places in the update mechanism being weaponized to push a rogue installer that, in turn, leverages DLL side-loading to launch a DLL backdoor.
The DLL implant (“7z-x64.dll”) has also been observed performing hands-on-keyboard actions to conduct reconnaissance, set up persistence, and retrieve additional payloads (“iscsiexe.dll”) from an FTP server (“47.237.15[.]197”). The primary objective of “iscsiexe.dll” is to ensure the execution of a benign binary (“poweriso.exe”) that’s dropped to sideload the backdoor.
Although the exact final-stage malware delivered as part of the attack is not clear, it’s assessed with high confidence that the end goal is to deploy the Havoc implant.
TrueChaos’ links to a Chinese-nexus threat actor are based on the observed tactics, such as the use of DLL side-loading, Alibaba Cloud, and Tencent for C2 infrastructure, and the fact that the same victim was targeted within the same time frame by ShadowPad, a sophisticated backdoor widely used by China-linked hacking groups.
On top of that, the use of Havoc has been attributed to another Chinese threat actor called Amaranth-Dragon in intrusions aimed at government and law enforcement agencies across Southeast Asia in 2025.
“The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually,” Check Point said. “Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients. By replacing a legitimate update with a malicious one, they turned the product’s normal update flow into a malware distribution channel across multiple connected government networks.”
📰 Original Source:TheHackerNews ✍️ Author: info@thehackernews.com (The Hacker News)
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Leave a Reply