TrueConf zero-day exploited to attack Southeast Asian government networks

By Ravi Lakshmanan | March 31, 2026 | Zero-day/vulnerabilities

A high-severity security flaw in the TrueConf video conferencing client was exploited as a zero-day in a campaign called TrueChaos that targeted government agencies in Southeast Asia.

The vulnerability in question, CVE-2026-3502 (CVSS score: 7.8), is a lack of integrity checks when retrieving application update code, which could allow an attacker to distribute a modified update and achieve arbitrary code execution. The flaw has been patched in the TrueConf Windows client as of version 8.5.3, released earlier this month.

“This flaw results from the exploitation of TrueConf’s updater validation mechanism, allowing an attacker with control of an on-premises TrueConf server to distribute and execute arbitrary files to all connected endpoints,” Check Point said in a report published today.

This means that an attacker who gains control of an on-premises TrueConf server could replace the update package with a poisoned version, which would then be pulled by a client application installed on a customer’s endpoint, since proper validation is not enforced to ensure that server-provided updates have not been tampered with.
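The following added example (not TrueConf's code and not from the Check Point report) shows why an integrity value supplied by the same server as the package does not help once that server is compromised, while a signature checked against a key shipped in the client does. The `Manifest` layout, the function names, the constructed key and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Manifest is what the on-premises server hands to the client (hypothetical layout).
type Manifest struct {
	Package []byte   // installer bytes
	SHA256  [32]byte // digest published by the same server
	Sig     []byte   // vendor signature over Package, made off-server at release time
}

// weakAccept trusts a digest that travels with the package: whoever controls
// the server controls both, so this only catches accidental corruption.
func weakAccept(m Manifest) bool { return sha256.Sum256(m.Package) == m.SHA256 }

// pinnedAccept checks the signature against a key shipped inside the client,
// so the trust anchor is outside the server's control.
func pinnedAccept(m Manifest, vendorPub ed25519.PublicKey) bool {
	return len(m.Sig) == ed25519.SignatureSize && ed25519.Verify(vendorPub, m.Package, m.Sig)
}

// testKey returns a constructed key pair standing in for the vendor's release key.
func testKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// demo builds a signed release, then a server-side substitution whose digest
// was recomputed but whose signature could not be, and runs both checks.
func demo() (weakTampered, pinnedTampered, pinnedGenuine bool) {
	pub, priv := testKey()
	pkg := []byte("constructed genuine installer")
	good := Manifest{Package: pkg, SHA256: sha256.Sum256(pkg), Sig: ed25519.Sign(priv, pkg)}
	swapped := []byte("constructed replaced installer")
	bad := Manifest{Package: swapped, SHA256: sha256.Sum256(swapped), Sig: good.Sig}
	return weakAccept(bad), pinnedAccept(bad, pub), pinnedAccept(good, pub)
}

func main() {
	w, p, g := demo()
	fmt.Printf("digest-only accepts tampered: %v\npinned-key accepts tampered: %v\npinned-key accepts genuine: %v\n", w, p, g)
}
```

The digest-only check accepts the replaced package because its digest was recomputed on the server; the pinned-key check rejects it and still accepts the genuine release.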

The TrueChaos campaign was found to weaponize this flaw in the update mechanism to deploy the open-source Havoc command-and-control (C2) framework to vulnerable endpoints. The activity is attributed with moderate confidence to a China-linked actor.

Attacks exploiting this vulnerability were first recorded by the cybersecurity firm in early 2026. The implicit trust that the client places in the update mechanism is weaponized to push a malicious installer that leverages DLL sideloading to launch a DLL backdoor.

The DLL implant (‘7z-x64.dll’) has also been observed performing reconnaissance, setting up persistence, and carrying out hands-on-keyboard operations to retrieve an additional payload (‘iscsiexe.dll’) from an FTP server (‘47.237.15’).[.] The main purpose of ‘iscsiexe.dll’ is to ensure the execution of a benign binary (‘poweriso.exe’) that is dropped to sideload the backdoor.

The exact final stage of malware delivered as part of the attack is not clear, but the final goal is believed to be to deploy the Havoc implant.

The link between TrueChaos and China-linked attackers is based on observed tactics such as DLL sideloading, the use of Alibaba Cloud and Tencent for C2 infrastructure, and the fact that the same victims were targeted within the same time period with ShadowPad, an advanced backdoor widely used by China-linked hacker groups.

In addition, Havoc is believed to have been used by another Chinese threat actor, Amaranth-Dragon, in intrusions targeting government and law enforcement agencies across Southeast Asia in 2025.

“The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually,” Check Point said. “Instead, the attackers exploited the trust relationship between a central on-premises TrueConf server and its clients. By replacing legitimate updates with malicious updates, the attackers turned the product’s normal update flow into a malware distribution channel across multiple connected government networks.”

