Categories: Cyber Security News

TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Entities

Check Point Research has uncovered a critical zero-day vulnerability in the TrueConf video conferencing client, actively exploited in a sophisticated espionage campaign targeting government entities across Southeast Asia.

Tracked as CVE-2026-3502 with a CVSS score of 7.8, the flaw has been weaponized in a campaign dubbed “Operation TrueChaos.”

Attackers are abusing the application’s trusted update mechanism to silently deliver the Havoc post-exploitation framework to vulnerable machines, all without triggering user suspicion.

The Vulnerability: CVE-2026-3502

TrueConf is a widely deployed video conferencing platform used by government agencies, military organizations, and critical infrastructure operators.

Its key selling point is that it can operate entirely within private, air-gapped local networks with no internet connection, making it a trusted choice for sensitive environments.

Figure: Malicious Client Update Attack Chain (Source: Check Point)

However, researchers discovered a serious flaw in the TrueConf client’s software update handling.

Each time the application launches, it contacts the on-premises server to check for a newer version.

If one exists, the client automatically downloads and installs it. The critical problem: this update process performs no authenticity checks and no file integrity verification.

Any attacker who controls the central TrueConf server can silently replace the legitimate update with a malicious payload, and every connected client will execute it without question.
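As an added example (not TrueConf's code and not from the Check Point report), the following Go sketch shows the checks the client is missing: a manifest signed by a release key pinned in the client, a hash check of the package against that signed manifest, and a build-number check so an old release cannot be replayed. The manifest format, its field names and the use of Ed25519 are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata signed alongside an update package (hypothetical
// format, not TrueConf's). Build is a monotonic release counter.
type Manifest struct {
	Build  uint64 `json:"build"`
	SHA256 string `json:"sha256"`
}

// signManifest is the release side: an offline release key signs the manifest.
func signManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte) {
	manifestJSON, _ = json.Marshal(m)
	return manifestJSON, ed25519.Sign(priv, manifestJSON)
}

// verifiedInstall is the client side. Instead of executing whatever the
// on-premises server returns, it accepts the package only if (1) the manifest
// is signed by a key pinned in the client at build time, which a compromised
// server cannot forge, (2) the package hash matches the signed manifest, and
// (3) the build is newer than the installed one, so an old release cannot be
// replayed.
func verifiedInstall(pinned ed25519.PublicKey, manifestJSON, sig, pkg []byte, installed uint64) (*Manifest, error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid: update rejected")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest unreadable: %w", err)
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("package hash does not match signed manifest: update rejected")
	}
	if m.Build <= installed {
		return nil, fmt.Errorf("build %d is not newer than installed %d: downgrade rejected", m.Build, installed)
	}
	return &m, nil
}
```

With these checks a server compromise alone no longer yields code execution on every client; the attacker would also need the offline release key.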

The TrueChaos Attack Chain

In observed attacks, threat actors compromised a government IT department’s central TrueConf server, a single point of failure connected to dozens of government agencies.

By swapping the legitimate update package with a weaponized one, they infected all connected endpoints simultaneously, bypassing the need to compromise each machine individually.

The malicious update appeared normal to users but dropped two hidden files in the background: a legitimate-looking executable named poweriso.exe and a malicious library called 7z-x64.dll.

The attack then unfolded in stages:

  • The system loaded 7z-x64.dll via DLL side-loading, hijacking the trusted poweriso.exe process.
  • The attacker ran reconnaissance commands to map the network and enumerate running processes.
  • A secondary loader, iscsiexe.dll, was downloaded from a remote attacker-controlled server.
  • Windows UAC security prompts were bypassed to gain elevated system privileges.
  • Finally, the compromised system connected to an attacker C2 server to download the Havoc post-exploitation payload, an open-source framework widely abused for persistent access, lateral movement, and data exfiltration.

Based on the tactics, techniques, and the cloud hosting infrastructure used, Check Point researchers assess with moderate confidence that a Chinese-nexus threat actor is behind Operation TrueChaos.

TrueConf has released version 8.5.3 to address the vulnerability. Organizations must apply this patch immediately.

Defenders should hunt for the following indicators of compromise:

  • Unsigned update files in the TrueConf update directory
  • Unexpected presence of poweriso.exe or 7z-x64.dll in ProgramData folders
  • Unauthorized registry Run keys added post-update
  • Outbound connections to known C2 IPs: 43.134.90[.]60, 43.134.52[.]221, 47.237.15[.]197

Artifact                        Hash / IP
trueconf_windows_update.exe     22e32bcf113326e366ac480b077067cf
iscsiexe.dll                    9b435ad985b733b64a6d5f39080f4ae0
7z-x64.dll (Havoc implant)      248a4d7d4c48478dcbeade8f7dba80b3
Havoc C2                        43.134.90[.]60
Havoc C2                        43.134.52[.]221
Havoc C2                        47.237.15[.]197
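An added example, not from the report, of turning the indicators above into a hunt over endpoint telemetry: it flags the published hashes, connections to the listed C2 addresses, and the side-loading pattern of poweriso.exe loading 7z-x64.dll out of ProgramData. The key=value log format and the log lines are constructed for this example and do not correspond to any real EDR schema.

```go
package main

import "strings"

// Indicators published in the report above; C2 addresses refanged from "[.]".
var knownHashes = map[string]string{
	"22e32bcf113326e366ac480b077067cf": "trueconf_windows_update.exe (malicious update)",
	"9b435ad985b733b64a6d5f39080f4ae0": "iscsiexe.dll (secondary loader)",
	"248a4d7d4c48478dcbeade8f7dba80b3": "7z-x64.dll (Havoc implant)",
}
var c2 = map[string]bool{"43.134.90.60": true, "43.134.52.221": true, "47.237.15.197": true}

// sampleLog is constructed for this example (hypothetical "key=value" format, no spaces in values).
var sampleLog = []string{
	`type=processcreate image=C:\ProgramData\TrueConf\TrueConf.exe md5=0000000000000000000000000000aaaa`,
	`type=filecreate path=C:\ProgramData\Update\trueconf_windows_update.exe md5=22e32bcf113326e366ac480b077067cf`,
	`type=imageload image=C:\ProgramData\PowerISO\poweriso.exe loaded=C:\ProgramData\PowerISO\7z-x64.dll`,
	`type=networkconnect image=C:\ProgramData\PowerISO\poweriso.exe dst=43.134.90.60 dport=443`,
	`type=networkconnect image=C:\Windows\System32\svchost.exe dst=203.0.113.5 dport=443`,
}

// parseLine splits "k=v" tokens into a map with lower-cased values so hashes and paths compare case-insensitively.
func parseLine(line string) map[string]string {
	m := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			m[k] = strings.ToLower(v)
		}
	}
	return m
}

// hunt returns one finding per line that matches a published hash, a C2 address, or the
// side-loading pattern from the attack chain (poweriso.exe loading 7z-x64.dll out of ProgramData).
func hunt(lines []string) []string {
	var findings []string
	for _, line := range lines {
		f := parseLine(line)
		switch {
		case knownHashes[f["md5"]] != "":
			findings = append(findings, "hash match: "+knownHashes[f["md5"]])
		case c2[f["dst"]]:
			findings = append(findings, "Havoc C2 connection: "+f["image"]+" -> "+f["dst"])
		case f["type"] == "imageload" && strings.HasSuffix(f["image"], `\poweriso.exe`) &&
			strings.HasSuffix(f["loaded"], `\7z-x64.dll`) && strings.HasPrefix(f["loaded"], `c:\programdata\`):
			findings = append(findings, "DLL side-loading: "+f["image"]+" loaded "+f["loaded"])
		}
	}
	return findings
}
```

The behavioral rule matters more than the hash list: a rebuilt implant changes its hash, but the poweriso.exe plus 7z-x64.dll pairing in ProgramData stays visible.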


The post TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Entities appeared first on Cyber Security News.

rssfeeds-admin
