Full Report
Hackers have targeted TrueConf conference servers in attacks that exploit a zero-day vulnerability, allowing them to execute arbitrary files on all connected endpoints. [...]
Analysis Summary
# Incident Report: Operation TrueChaos
## Executive Summary
The "TrueChaos" campaign involved Chinese-nexus threat actors exploiting a zero-day vulnerability (CVE-2026-3502) in TrueConf video conferencing servers to push malicious software updates. By compromising a central on-premises server, attackers were able to execute arbitrary code on all connected client endpoints across multiple government agencies. The attack successfully deployed reconnaissance tools and persistence mechanisms, likely utilizing the Havoc post-exploitation framework.
## Incident Details
- **Discovery Date:** March 2026 (fix released); publicly disclosed April 1, 2026.
- **Incident Date:** Ongoing since the beginning of 2024.
- **Affected Organization:** Multiple government agencies and entities.
- **Sector:** Government, Military, Oil & Gas, Air Traffic Management.
- **Geography:** Southeast Asia.
## Timeline of Events
### Initial Access
- **Date/Time:** Early 2026 (Campaign onset).
- **Vector:** Exploitation of CVE-2026-3502 (Zero-day).
- **Details:** Attackers gained control of the on-premises TrueConf server. They exploited a missing integrity check in the update mechanism to replace the legitimate update package with a malicious executable.
### Lateral Movement
- **Details:** Once the server was compromised, the malicious "update" was pushed automatically to all connected clients. The trust relationship between the client and the server allowed for seamless distribution across the network.
### Data Exfiltration/Impact
- **Details:** Execution of arbitrary files on endpoints. Attackers performed reconnaissance (tasklist, tracert) and deployed persistence mechanisms. While the final payload was not recovered, network traffic suggests the use of Havoc C2 for potential data collection and deep system control.
### Detection & Response
- **Detection:** Discovered by Check Point Research through tracking of TTPs and C2 infrastructure.
- **Response Actions:** Vendor (TrueConf) was notified and released a security patch (version 8.5.3) in March 2026.
## Attack Methodology
- **Initial Access:** Exploitation of TrueConf software vulnerability (CVE-2026-3502).
- **Persistence:** Established via DLL sideloading and scheduled artifacts.
- **Privilege Escalation:** UAC bypass using *iscsicpl.exe*.
- **Defense Evasion:** DLL sideloading (*iscsiexe.dll*); disguising malicious files as legitimate updates or Adobe-related components.
- **Credential Access:** Not explicitly detailed, but Havoc C2 has token manipulation capabilities.
- **Discovery:** Use of *tasklist* and *tracert* for process and network reconnaissance.
- **Lateral Movement:** Centralized distribution via the software update channel.
- **Collection:** Evidence of Havoc C2 framework usage.
- **Exfiltration:** C2 traffic directed to Alibaba Cloud and Tencent infrastructure.
- **Impact:** Arbitrary code execution on all connected organizational endpoints.
## Impact Assessment
- **Financial:** Unknown; potential for significant incident response costs.
- **Data Breach:** High risk of espionage; targeted government entities in Southeast Asia.
- **Operational:** Integrity of the primary communication/conferencing platform was compromised.
- **Reputational:** High for the vendor (TrueConf) given its use in high-security environments such as military and air traffic control.
## Indicators of Compromise
- **Network Indicators:**
  - C2 traffic directed toward Alibaba Cloud and Tencent-hosted IPs.
  - Havoc C2 framework traffic patterns.
- **File Indicators:**
  - `poweriso.exe`
  - `7z-x64.dll`
  - `iscsiexe.dll`
  - `%AppData%\Roaming\Adobe\update.7z`
- **Behavioral Indicators:**
  - Unexpected TrueConf update prompts.
  - Execution of `tasklist` and `tracert` by unusual parent processes.
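The behavioral indicators above can be turned into a first-pass detection over process-creation telemetry. The Go program below is an added example written for this report, not code from Check Point Research or TrueConf. It parses constructed events in a pipe-separated `key=value` format (map the field names onto your Sysmon Event ID 1 or EDR export), then flags `tasklist.exe` or `tracert.exe` spawned by anything other than an interactive shell, executables running from the `\AppData\Roaming\Adobe\` folder the file indicators point at, and `iscsicpl.exe` launched by anything other than `explorer.exe`. The list of expected parents, the `ExampleConf\client.exe` path and the user name `alice` are assumptions, and the rules are heuristics to tune per environment.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ProcessEvent is a minimal process-creation record. The pipe-separated
// key=value line format used below is constructed for this example.
type ProcessEvent struct {
	Image       string
	ParentImage string
}

// SampleLines are constructed events: a benign admin action, the behaviours
// from the Behavioral Indicators list, and a benign iscsicpl.exe launch.
// "ExampleConf\client.exe" is a placeholder for a conferencing client.
var SampleLines = []string{
	`Image=C:\Windows\System32\tasklist.exe|ParentImage=C:\Windows\System32\cmd.exe`,
	`Image=C:\Windows\System32\tasklist.exe|ParentImage=C:\Users\alice\AppData\Roaming\Adobe\poweriso.exe`,
	`Image=C:\Windows\System32\tracert.exe|ParentImage=C:\Program Files\ExampleConf\client.exe`,
	`Image=C:\Users\alice\AppData\Roaming\Adobe\poweriso.exe|ParentImage=C:\Program Files\ExampleConf\client.exe`,
	`Image=C:\Windows\SysWOW64\iscsicpl.exe|ParentImage=C:\Users\alice\AppData\Roaming\Adobe\poweriso.exe`,
	`Image=C:\Windows\SysWOW64\iscsicpl.exe|ParentImage=C:\Windows\explorer.exe`,
}

// ParseEvent splits one line into a ProcessEvent; ok is false for unusable lines.
func ParseEvent(line string) (ev ProcessEvent, ok bool) {
	for _, kv := range strings.Split(line, "|") {
		k, v, found := strings.Cut(kv, "=")
		if !found {
			return ev, false
		}
		switch strings.TrimSpace(k) {
		case "Image":
			ev.Image = strings.TrimSpace(v)
		case "ParentImage":
			ev.ParentImage = strings.TrimSpace(v)
		}
	}
	return ev, ev.Image != "" && ev.ParentImage != ""
}

// baseLower reduces a Windows path to its lower-cased file name so the rules
// behave the same whichever OS the analysis host runs.
func baseLower(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/")))
}

// Parents from which interactive use of the recon tools is expected (assumption).
var expectedReconParents = map[string]bool{"cmd.exe": true, "powershell.exe": true, "pwsh.exe": true}

// Recon binaries named in the report's Discovery and Behavioral Indicators sections.
var reconTools = map[string]bool{"tasklist.exe": true, "tracert.exe": true}

// Classify returns the rule names that fire for one event (nil when none).
func Classify(ev ProcessEvent) []string {
	var hits []string
	img, parent := baseLower(ev.Image), baseLower(ev.ParentImage)
	if reconTools[img] && !expectedReconParents[parent] {
		hits = append(hits, "recon-tool-unusual-parent")
	}
	// The report's file indicators sit under %AppData%\Roaming\Adobe.
	if strings.Contains(strings.ToLower(ev.Image), `\appdata\roaming\adobe\`) {
		hits = append(hits, "exec-from-appdata-adobe")
	}
	// iscsicpl.exe is the binary the report ties to the UAC bypass.
	if img == "iscsicpl.exe" && parent != "explorer.exe" {
		hits = append(hits, "iscsicpl-unusual-parent")
	}
	return hits
}

// Alert ties fired rules back to the 1-based input line.
type Alert struct {
	Line  int
	Image string
	Rules []string
}

// ScanLines parses every line and returns one Alert per line with hits.
func ScanLines(lines []string) []Alert {
	var alerts []Alert
	for i, line := range lines {
		ev, ok := ParseEvent(line)
		if !ok {
			continue
		}
		if rules := Classify(ev); len(rules) > 0 {
			alerts = append(alerts, Alert{Line: i + 1, Image: ev.Image, Rules: rules})
		}
	}
	return alerts
}

func main() {
	fmt.Println(ScanLines(SampleLines))
}
```

Against the constructed sample, lines 2 to 5 each raise one alert and the two benign lines raise none. In production the parent allow-list will need the administrative tooling of your environment, and the `iscsicpl.exe` rule should be paired with a DLL-load rule for `iscsiexe.dll` loading from outside `System32`/`SysWOW64`, which process-creation telemetry alone cannot see.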
## Response Actions
- **Containment:** Agencies advised to isolate compromised TrueConf servers.
- **Eradication:** Deployment of TrueConf version 8.5.3 to patch the vulnerability.
- **Recovery:** Scanning endpoints for residual DLL sideloading artifacts (*iscsiexe.dll*).
## Lessons Learned
- **Supply Chain Risk:** Even self-hosted, "offline" solutions are vulnerable if their internal update mechanisms lack cryptographic signing and integrity checks.
- **Trusted Relationships:** Attackers continue to favor "living off the land" by exploiting the trust between a centralized admin server and its clients.
## Recommendations
- **Immediate Patching:** Update TrueConf Server to version 8.5.3 or higher immediately.
- **Integrity Verification:** Implement third-party monitoring to detect unsigned or unusual executables originating from internal update servers.
- **Egress Filtering:** Restrict server-side internet access for on-premises conferencing servers to known-good update subnets only.
- **Endpoint Security:** Deploy EDR solutions capable of detecting DLL sideloading and UAC bypass techniques.
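The "Integrity Verification" recommendation, the "Supply Chain Risk" lesson and the missing integrity check described under Initial Access all point at one control: a client should run an update only after authenticating who published it and which bytes it contains. The Go program below is an added example and is not TrueConf's update code or part of the original report. It assumes a hypothetical JSON manifest that carries the package's SHA-256 digest and is signed with Ed25519 by an offline publisher key whose public half is pinned in the client; `SignManifest`, `VerifyUpdate`, the `conference-client` product name and the installer bytes are all constructed for the example. `RunScenario` replays the report's pattern: a compromised distribution server swaps the package under an intact signed manifest, then also rewrites the manifest, and the client rejects both.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata a client fetches alongside an update package.
// The format is hypothetical, not TrueConf's real update manifest.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the package bytes
}

// SignManifest runs on the publisher's build system, the only place the
// private key exists. The on-premises distribution server never holds it,
// so taking over that server does not yield a valid signature.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the client-side check whose absence the report describes:
// authenticate the manifest against the publisher key pinned in the client,
// then require the downloaded package to match the digest it commits to.
// Nothing is installed or executed unless both checks pass.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, pkg []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return m, errors.New("manifest signature invalid: refusing update")
	}
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return m, fmt.Errorf("manifest malformed: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return m, errors.New("manifest digest malformed")
	}
	got := sha256.Sum256(pkg)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return m, errors.New("package digest mismatch: refusing update")
	}
	return m, nil
}

// Scenario records whether the client accepted each constructed case.
type Scenario struct {
	GenuineAccepted        bool
	SwappedPkgAccepted     bool // signed manifest kept, package replaced
	ForgedManifestAccepted bool // manifest rewritten to the new digest, old signature
}

// RunScenario replays the report's attack pattern against the hardened client,
// with constructed bytes standing in for the real installer.
func RunScenario() (Scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	genuine := []byte("constructed: legitimate client installer bytes")
	swapped := []byte("constructed: executable substituted on the server")

	sum := sha256.Sum256(genuine)
	m := Manifest{Product: "conference-client", Version: "8.5.3", SHA256: hex.EncodeToString(sum[:])}
	manifestJSON, sig, err := SignManifest(priv, m)
	if err != nil {
		return Scenario{}, err
	}

	var s Scenario
	_, err = VerifyUpdate(pub, manifestJSON, sig, genuine)
	s.GenuineAccepted = err == nil

	// Case 1: package replaced on the server, signed manifest left untouched.
	_, err = VerifyUpdate(pub, manifestJSON, sig, swapped)
	s.SwappedPkgAccepted = err == nil

	// Case 2: manifest rewritten to the swapped digest; the old signature
	// no longer covers it and the attacker has no publisher key to re-sign.
	fsum := sha256.Sum256(swapped)
	forged := m
	forged.SHA256 = hex.EncodeToString(fsum[:])
	forgedJSON, _ := json.Marshal(forged)
	_, err = VerifyUpdate(pub, forgedJSON, sig, swapped)
	s.ForgedManifestAccepted = err == nil
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

The property that matters is where the private key lives: if it never touches the on-premises server, compromising that server lets an attacker serve the wrong bytes but not a signature for them, and the client fails closed. The "third-party monitoring to detect unsigned or unusual executables" recommendation approximates this check from outside the client for deployments where the vendor's update path cannot be changed.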