
Tracked as CVE-2026-3502 with a CVSS score of 7.8, the flaw has been weaponized in a campaign dubbed “Operation TrueChaos.”
Attackers are abusing the application’s trusted update mechanism to silently deliver the Havoc post-exploitation framework to vulnerable machines, all without triggering user suspicion.
The Vulnerability: CVE-2026-3502
TrueConf is a widely deployed video conferencing platform used by government agencies, military organizations, and critical infrastructure operators.
Its key selling point is the ability to operate entirely within private, air-gapped local networks with no internet connection required, making it a trusted choice for sensitive environments.

However, researchers discovered a serious flaw in the TrueConf client’s software update handling.
Each time the application launches, it contacts the on-premises server to check for a newer version.
If one exists, the client automatically downloads and installs it. The critical problem: this update process performs no authenticity checks and no file integrity verification.
Any attacker who controls the central TrueConf server can silently replace the legitimate update with a malicious payload, and every connected client will execute it without question.
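To make the missing checks concrete, here is an added illustration (not TrueConf's code): a vulnerable "install whatever the server sends" path next to a hardened one that accepts a package only when its SHA-256 digest matches a manifest signed with a pinned vendor Ed25519 key that never lives on the on-premises update server. The manifest layout, function names and key handling are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// updateManifest (assumed layout) travels with the package: version, SHA-256 of
// the package bytes, and an Ed25519 signature over both from the vendor's key.
type updateManifest struct {
	Version   string
	PkgSHA256 [32]byte
	Signature []byte
}

// signedBytes is the exact byte string the vendor signs and the client verifies.
func signedBytes(m updateManifest) []byte {
	return append([]byte(m.Version+"\n"), m.PkgSHA256[:]...)
}

// signManifest is the vendor-side build step; the private key stays offline.
func signManifest(priv ed25519.PrivateKey, version string, pkg []byte) updateManifest {
	m := updateManifest{Version: version, PkgSHA256: sha256.Sum256(pkg)}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// vulnerableInstall models the flaw: anything the server returns is accepted.
func vulnerableInstall(pkg []byte) bool { return len(pkg) > 0 }

// verifiedInstall accepts the package only if its digest matches the manifest
// and the manifest carries a valid signature from the pinned vendor key.
func verifiedInstall(pinned ed25519.PublicKey, pkg []byte, m updateManifest) error {
	if sha256.Sum256(pkg) != m.PkgSHA256 {
		return fmt.Errorf("package digest does not match signed manifest")
	}
	if !ed25519.Verify(pinned, signedBytes(m), m.Signature) {
		return fmt.Errorf("manifest not signed by the pinned vendor key")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // whoever controls the server
	legit, evil := []byte("constructed legitimate package"), []byte("constructed malicious package")
	m := signManifest(vendorPriv, "8.5.3", legit)
	fmt.Println("legit:", verifiedInstall(vendorPub, legit, m))       // <nil>
	fmt.Println("swapped body:", verifiedInstall(vendorPub, evil, m)) // digest mismatch
	fmt.Println("forged manifest:", verifiedInstall(vendorPub, evil, signManifest(attackerPriv, "8.5.3", evil)))
	fmt.Println("vulnerable client:", vulnerableInstall(evil)) // true
}
```

A server compromise like the one described can swap the package body or re-sign a manifest with its own key; the hardened path rejects both, while the vulnerable path accepts everything.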
The TrueChaos Attack Chain
In observed attacks, threat actors compromised a government IT department’s central TrueConf server, a single point of failure connected to dozens of government agencies.
By swapping the legitimate update package with a weaponized one, they infected all connected endpoints simultaneously, bypassing the need to compromise each machine individually.
The malicious update appeared normal to users but dropped two hidden files in the background: a legitimate-looking executable named poweriso.exe and a malicious library called 7z-x64.dll.
The attack then unfolded in stages:
- The system loaded 7z-x64.dll via DLL side-loading, hijacking the trusted poweriso.exe process.
- The attacker ran reconnaissance commands to map the network and enumerate running processes.
- A secondary loader, iscsiexe.dll, was downloaded from a remote attacker-controlled server.
- Windows UAC security prompts were bypassed to gain elevated system privileges.
- Finally, the compromised system connected to an attacker C2 server to download the Havoc post-exploitation payload, an open-source framework widely abused for persistent access, lateral movement, and data exfiltration.
Based on the tactics, techniques, and the cloud hosting infrastructure used, Check Point researchers assess with moderate confidence that a Chinese-nexus threat actor is behind Operation TrueChaos.
TrueConf has released version 8.5.3 to address the vulnerability. Organizations must apply this patch immediately.
Defenders should hunt for the following indicators of compromise:
- Unsigned update files in the TrueConf update directory
- Unexpected presence of poweriso.exe or 7z-x64.dll in ProgramData folders
- Unauthorized registry Run keys added post-update
- Outbound connections to known C2 IPs: 43.134.90[.]60, 43.134.52[.]221, 47.237.15[.]197
| Artifact | Hash / IP |
|---|---|
| trueconf_windows_update.exe | 22e32bcf113326e366ac480b077067cf |
| iscsiexe.dll | 9b435ad985b733b64a6d5f39080f4ae0 |
| 7z-x64.dll (Havoc implant) | 248a4d7d4c48478dcbeade8f7dba80b3 |
| Havoc C2 | 43.134.90[.]60 |
| Havoc C2 | 43.134.52[.]221 |
| Havoc C2 | 47.237.15[.]197 |
The post TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Entities appeared first on Cyber Security News.
