
TrueConf Zero-Day Vulnerability Exploited in Targeted Attacks Against Southeast Asian Government Infrastructure

  • Mar 31

Key Findings


  • High-severity zero-day vulnerability CVE-2026-3502 (CVSS 7.8) in TrueConf video conferencing software exploited against Southeast Asian government networks in campaign dubbed TrueChaos

  • Flaw allows attackers controlling on-premises TrueConf servers to distribute tampered updates and execute arbitrary code on all connected endpoints

  • Patched in TrueConf Windows client version 8.5.3 released earlier this month

  • Campaign attributed with moderate confidence to Chinese-nexus threat actor, linked to use of Havoc C2 framework and similar tactics used by other China-linked groups

  • Attacks first recorded at beginning of 2026, leveraging implicit trust between client and update mechanism to deploy rogue installers


Background


TrueConf is a video conferencing platform commonly deployed in enterprise environments. The vulnerability exists in how the client application validates updates received from the on-premises server. Rather than implementing cryptographic checks or other integrity mechanisms, the client implicitly trusts any update served by the server it connects to. This design flaw transforms what should be a secure patch delivery system into a potential malware distribution channel.


Vulnerability Details


CVE-2026-3502 stems from the absence of proper validation when the TrueConf client fetches application update code from its server. An attacker who gains control of an organization's on-premises TrueConf server can substitute a legitimate update package with a poisoned version. When client applications check for updates, they download and execute the malicious version without any verification that the package hasn't been tampered with. The vulnerability carries a CVSS score of 7.8, reflecting its serious nature but acknowledging that initial server compromise is required to exploit it.
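The mitigation the paragraph above implies is a client that carries a pinned vendor public key and refuses any update whose manifest does not verify against it. The following Go program is an added illustration written for this summary; it is not TrueConf's code and says nothing about how the 8.5.3 fix is actually implemented. The manifest format, the `VendorSign`/`VerifyUpdate` functions and the package bytes are all constructed for the example. It contrasts the flawed path (run whatever the server serves) with the hardened path (verify an Ed25519 signature on the manifest, then the SHA-256 of the package), and shows that a compromised server can neither swap the package nor sign a manifest with a key of its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one update package. In a real client it would be
// fetched from the on-premises server alongside the package itself.
// The field set is an assumption for this example.
type Manifest struct {
	Version string
	SHA256  string // hex digest of the package bytes
}

// bytes returns the canonical encoding the vendor signs (assumed format).
func (m Manifest) bytes() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// VendorSign models the vendor's offline release step: hash the package,
// build the manifest, sign it with the vendor's private key.
func VendorSign(priv ed25519.PrivateKey, version string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.bytes())
}

// InstallNaive models the flawed behaviour: anything the server serves is
// accepted. A rogue server therefore gets code execution on every client.
func InstallNaive(pkg []byte) bool { return len(pkg) > 0 }

// VerifyUpdate is the hardened client path. pinnedPub is compiled into the
// client; the on-premises server never holds the matching private key, so a
// compromised server cannot produce a manifest that passes this check.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinnedPub, m.bytes(), sig) {
		return errors.New("manifest signature does not verify against pinned vendor key")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package digest does not match signed manifest")
	}
	return nil
}

// Demo runs three scenarios and returns the verifier's verdict for each:
// a genuine release, a swapped package, and a manifest signed by an
// attacker-controlled key. The installer bytes are constructed stand-ins.
func Demo() (legit, tampered, rogue error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed stand-in for a genuine client installer")
	m, sig := VendorSign(vendorPriv, "8.5.3", pkg)
	legit = VerifyUpdate(vendorPub, m, sig, pkg)

	// Attacker controls the server: swaps the package but cannot re-sign the manifest.
	rogueInstaller := []byte("constructed stand-in for a rogue installer")
	tampered = VerifyUpdate(vendorPub, m, sig, rogueInstaller)

	// Attacker also serves a manifest signed with a key they do control.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	rm, rsig := VendorSign(attackerPriv, "9.9.9-constructed", rogueInstaller)
	rogue = VerifyUpdate(vendorPub, rm, rsig, rogueInstaller)
	return legit, tampered, rogue
}

func main() {
	legit, tampered, rogue := Demo()
	fmt.Println("naive client runs rogue installer:", InstallNaive([]byte("rogue")))
	fmt.Println("genuine release:", legit)
	fmt.Println("swapped package:", tampered)
	fmt.Println("attacker-signed manifest:", rogue)
}
```

The key design point is where the trust anchor lives: in the client binary, not on the server it talks to. Signing the manifest rather than the raw package keeps the signed blob small and lets the same check cover version pinning (a client can refuse a manifest whose version is lower than the one already installed, preventing rollback to a vulnerable build).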


Attack Chain and Malware


The TrueChaos campaign weaponizes this flaw in a multi-stage attack. After gaining access to a target's TrueConf server, attackers replace the update with a rogue installer. When deployed to endpoints, this installer uses DLL side-loading to launch a DLL backdoor named "7z-x64.dll". This implant performs reconnaissance, establishes persistence, and retrieves additional payloads from an FTP server at 47.237.15.197. A second-stage DLL called "iscsiexe.dll" ensures execution of a benign binary ("poweriso.exe") that sideloads the backdoor. The final objective is assessed with high confidence to be deployment of the Havoc command-and-control framework, though the exact end-stage malware remains unclear.
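For defenders, the chain above reduces to two observable behaviours on the endpoint: a DLL loaded from the same user-writable directory as the executable that loads it (the side-load), and an outbound FTP connection from that same process (the payload fetch). The Go program below is an added example, not code from the article or from Check Point, that correlates those two signals over a handful of constructed telemetry records. The `Event` schema, the user-writable path markers and the sample events are assumptions; the file names and FTP address in the samples are the ones the article reports.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed, simplified endpoint telemetry record (think of
// process-create, image-load and network-connect events). The field names
// are an assumption for this example, not any vendor's schema.
type Event struct {
	Kind    string // "process", "imageload" or "netconn"
	PID     int
	Image   string // full path of the process executable
	Loaded  string // imageload only: path of the DLL that was mapped
	DstIP   string // netconn only
	DstPort int    // netconn only
}

// Alert is one finding produced by Detect.
type Alert struct {
	PID    int
	Rule   string
	Detail string
}

// Path fragments that an unprivileged user can write to on Windows (assumed list).
var userWritable = []string{`\appdata\`, `\temp\`, `\downloads\`, `\public\`, `\programdata\`}

func inUserWritableDir(p string) bool {
	l := strings.ToLower(p)
	for _, marker := range userWritable {
		if strings.Contains(l, marker) {
			return true
		}
	}
	return false
}

// winDir returns the lower-cased directory part of a Windows path. We do not
// use path/filepath because this may run on a non-Windows analysis host.
func winDir(p string) string {
	i := strings.LastIndex(p, `\`)
	if i < 0 {
		return ""
	}
	return strings.ToLower(p[:i])
}

// Detect applies two rules in event order:
//  1. an image load where the DLL sits in the executable's own directory and
//     that directory is user-writable (side-load candidate), and
//  2. a connection to TCP/21 from a process already flagged by rule 1.
func Detect(events []Event) []Alert {
	var alerts []Alert
	suspects := map[int]bool{}
	for _, e := range events {
		switch e.Kind {
		case "imageload":
			if winDir(e.Loaded) == winDir(e.Image) && inUserWritableDir(e.Image) {
				suspects[e.PID] = true
				alerts = append(alerts, Alert{e.PID, "dll-sideload-from-user-dir",
					fmt.Sprintf("%s loaded %s", e.Image, e.Loaded)})
			}
		case "netconn":
			if suspects[e.PID] && e.DstPort == 21 {
				alerts = append(alerts, Alert{e.PID, "ftp-from-sideloaded-process",
					fmt.Sprintf("%s -> %s:%d", e.Image, e.DstIP, e.DstPort)})
			}
		}
	}
	return alerts
}

// SampleEvents returns constructed records: one process matching the
// article's chain and one legitimate install that must not be flagged.
func SampleEvents() []Event {
	tmp := `C:\Users\alice\AppData\Local\Temp\`
	return []Event{
		{Kind: "process", PID: 4112, Image: tmp + "poweriso.exe"},
		{Kind: "imageload", PID: 4112, Image: tmp + "poweriso.exe", Loaded: tmp + "7z-x64.dll"},
		{Kind: "imageload", PID: 4112, Image: tmp + "poweriso.exe", Loaded: `C:\Windows\System32\kernel32.dll`},
		{Kind: "netconn", PID: 4112, Image: tmp + "poweriso.exe", DstIP: "47.237.15.197", DstPort: 21},
		{Kind: "imageload", PID: 800, Image: `C:\Program Files\7-Zip\7z.exe`, Loaded: `C:\Program Files\7-Zip\7z.dll`},
		{Kind: "netconn", PID: 800, Image: `C:\Program Files\7-Zip\7z.exe`, DstIP: "10.0.0.5", DstPort: 443},
	}
}

func main() {
	for _, a := range Detect(SampleEvents()) {
		fmt.Printf("pid %d  %-28s %s\n", a.PID, a.Rule, a.Detail)
	}
}
```

Rule 1 on its own is noisy in environments with portable applications, which is why the example only escalates when the FTP connection follows from the same process; in production the second rule would typically also match the C2 hosting the article mentions (Alibaba Cloud and Tencent ranges) rather than a single port.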


Attribution and Campaign Context


Check Point attributes TrueChaos to a Chinese-nexus threat actor with moderate confidence based on several factors. The tactics employed, including DLL side-loading and use of Chinese cloud infrastructure from Alibaba Cloud and Tencent for C2 operations, are consistent with Chinese threat groups. Additionally, the same victims were targeted by ShadowPad, a sophisticated backdoor widely associated with China-linked hacking groups. The use of Havoc has been previously attributed to another Chinese actor called Amaranth-Dragon, which targeted Southeast Asian government and law enforcement agencies in 2025 using similar techniques.


Impact and Significance


What makes this exploitation particularly concerning is its efficiency. Rather than requiring attackers to compromise individual endpoints separately, the vulnerability allows them to abuse the trusted relationship between a central TrueConf server and all its connected clients. By replacing a single legitimate update, attackers can distribute malware across entire government networks in one operation. This turns the product's normal update mechanism into a weaponized distribution channel, making it an attractive vector for state-sponsored attackers targeting multiple agencies within a region.


Sources


  • https://thehackernews.com/2026/03/trueconf-zero-day-exploited-in-attacks.html

  • https://x.com/shah_sheikh/status/2039019943744753688

  • https://x.com/TheCyberSecHub/status/2039018782140870710

  • https://www.cypro.se/2026/03/31/trueconf-zero-day-exploited-in-attacks-on-southeast-asian-government-networks/

  • https://www.socdefenders.ai/item/20e88444-a001-47dc-8593-bdddfe283822

© 2025 by Explain IT Again.