Cyber Web Spider Blog – News
Exploitation of TrueConf Flaw Targets Southeast Asian Governments

Posted on March 31, 2026 By CWS

High-Severity Flaw in TrueConf Software Exposed

A significant security vulnerability in TrueConf’s video conferencing software has been actively exploited as a zero-day against government networks in Southeast Asia. The campaign, named TrueChaos, has drawn attention to a flaw tracked as CVE-2026-3502 with a CVSS score of 7.8. The vulnerability is a lack of integrity checks in the application update process, which lets an attacker execute arbitrary code by delivering a tampered update. TrueConf addressed the issue with a patch in Windows client version 8.5.3, released earlier this month.

Background of the Exploit

The exploit depends on a weakness in TrueConf’s updater validation. An attacker who controls an on-premises TrueConf server can replace legitimate update files with malicious ones, which the connected clients then install, so the malicious software propagates to every connected endpoint. The flaw was detailed in a report by Check Point, which stresses the potential for significant breaches when updates are not validated against tampering.
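As an added illustration (not TrueConf’s code or Check Point’s analysis), the contrast below shows a client that installs whatever the update server delivers beside one that verifies an Ed25519 signature against a vendor key pinned in the client, so a server-side swap of the installer is rejected. The keys, payloads and function names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what an on-premises server hands the client: installer bytes and a
// detached signature over their SHA-256 digest (constructed format, not TrueConf's).
type Update struct {
	Payload   []byte
	Signature []byte
}

// installUnchecked mirrors the flawed behaviour described for CVE-2026-3502:
// whatever the server sends is treated as a legitimate update.
func installUnchecked(u Update) ([]byte, error) { return u.Payload, nil }

// installVerified is the hardened form: the client pins the vendor's Ed25519
// public key and refuses any payload whose signature does not verify against it.
func installVerified(vendorKey ed25519.PublicKey, u Update) ([]byte, error) {
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(vendorKey, digest[:], u.Signature) {
		return nil, errors.New("update rejected: signature does not match pinned vendor key")
	}
	return u.Payload, nil
}

// signUpdate is what the vendor does offline with a key the update server never holds.
func signUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	digest := sha256.Sum256(payload)
	return Update{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// Outcome records which client accepted which update in the simulated scenario.
type Outcome struct{ GenuineByVerified, TamperedByUnchecked, TamperedByVerified bool }

// Scenario signs a genuine installer, then swaps the payload the way a compromised
// server would (the attacker cannot re-sign it) and runs both clients over it.
func Scenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := signUpdate(priv, []byte("constructed: legitimate installer bytes"))
	tampered := Update{Payload: []byte("constructed: trojanised installer"), Signature: genuine.Signature}
	_, errGen := installVerified(pub, genuine)
	_, errUnc := installUnchecked(tampered)
	_, errTam := installVerified(pub, tampered)
	return Outcome{errGen == nil, errUnc == nil, errTam == nil}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```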

The TrueChaos operation uses this update mechanism vulnerability to deploy the open-source Havoc command-and-control framework on compromised systems. The activity is attributed, with moderate confidence, to a China-based threat actor.

Details of the Attacks

The attacks were first detected at the beginning of 2026 and abuse the trust that client applications place in the update mechanism. Attackers exploited that trust to deliver a rogue installer that uses DLL side-loading to install a backdoor.

Further analysis revealed that the malware, identified as “7z-x64.dll,” performs reconnaissance, establishes persistence, and downloads additional payloads from an FTP server. One of these payloads, “iscsiexe.dll,” is loaded by a benign binary through the same sideloading technique, giving the attacker a further foothold within the network.

Attribution and Implications

The association of TrueChaos with a China-linked threat actor rests on tactics shared with known Chinese hacking groups, such as the use of DLL side-loading and the hosting of infrastructure on Alibaba Cloud and Tencent. In addition, the same victim was targeted with ShadowPad, a notorious backdoor linked to Chinese entities.

The Havoc framework, also employed in these exploits, has been connected to another Chinese threat actor, Amaranth-Dragon, previously targeting governmental institutions across Southeast Asia in 2025. This pattern suggests a continuing strategy of leveraging vulnerabilities in widely used software to infiltrate and compromise government networks.

Conclusion and Future Considerations

The exploitation of CVE-2026-3502 underscores the importance of rigorous validation of software updates, particularly in sensitive environments such as government networks. By manipulating a trusted update mechanism, attackers turn a legitimate software flow into a malware distribution vector. Organizations must remain vigilant and apply patches promptly to reduce the risk of such vulnerabilities being exploited in the future.
