Full Report
Key Points
Introduction
At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via legitimate TrueConf software installed in the targets’ environment. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8. […]
The post Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets appeared first on Check Point Research.
Analysis Summary
# Incident Report: Operation TrueChaos
## Executive Summary
At the beginning of 2026, a targeted cyber-espionage campaign dubbed "Operation TrueChaos" was identified targeting government entities in Southeast Asia. Attackers exploited a zero-day vulnerability (CVE-2026-3502) in the TrueConf video conferencing software to distribute the Havoc post-exploitation framework via the platform’s legitimate update mechanism. The campaign is attributed with moderate confidence to a Chinese-nexus threat actor focused on high-value government and critical infrastructure targets.
## Incident Details
- **Discovery Date:** January 2026
- **Incident Date:** Continuous activity observed through early 2026
- **Affected Organization:** Multiple government agencies
- **Sector:** Government / Defense / Critical Infrastructure
- **Geography:** Southeast Asia
## Timeline of Events
### Initial Access
- **Date/Time:** Early 2026
- **Vector:** Exploitation of CVE-2026-3502 (Zero-Day)
- **Details:** Attackers gained control of on-premises TrueConf servers. By abusing improper validation in the software’s updater mechanism, they pushed malicious updates to all connected client endpoints.
### Lateral Movement
- **Details:** Once the initial payload (Havoc) was executed on endpoints via the trusted update channel, attackers leveraged the framework's capabilities to move through the internal network, utilizing built-in tools and command-line utilities.
### Data Exfiltration/Impact
- **Details:** The primary objective was espionage. The Havoc implant allowed for persistent access, command execution, and the collection of sensitive internal communications and documents from compromised government systems.
### Detection & Response
- **How it was discovered:** Check Point Research (CPR) observed suspicious traffic and unusual parent-child process chains originating from legitimate TrueConf installations.
- **Response actions taken:** Vulnerability disclosure to TrueConf; vendor released a security patch in version 8.5.3 (March 2026).
## Attack Methodology
- **Initial Access:** Abuse of an on-premises TrueConf server to push malicious files to clients.
- **Persistence:** Deployment of the Havoc framework; use of malicious DLLs (e.g., `iscsiexe.dll`) and loaders.
- **Defense Evasion:** Use of a signed, legitimate software update channel; payload masquerading (e.g., naming files `7z-x64.dll` or `poweriso.exe`).
- **Discovery:** Execution of commands like `netstat` to map network connections.
- **Lateral Movement:** Native Havoc framework capabilities and administrative tools.
- **Collection:** Gathering files via `winrar.exe` and extracting data using command-line utilities.
- **Exfiltration:** Use of `curl` and other utilities to move data to C2 servers.
- **Impact:** Long-term unauthorized access and data theft (Cyber Espionage).
## Impact Assessment
- **Financial:** High (Costs associated with incident response, remediation, and patching across government sectors).
- **Data Breach:** Compromise of sensitive government communications and strategic data.
- **Operational:** Disruption of secure communications and the need for emergency software updates across air-gapped or restricted networks.
- **Reputational:** Significant impact on the perceived security of on-premises, "air-gapped" communication solutions.
## Indicators of Compromise
- **Network Indicators:**
  - 43.134.90[.]60 (Havoc C2)
  - 43.134.52[.]221 (Havoc C2)
  - 47.237.15[.]197 (Havoc C2)
- **File Indicators (Hashes):**
  - `trueconf_windows_update.exe`: 22e32bcf113326e366ac480b077067cf
  - `iscsiexe.dll`: 9b435ad985b733b64a6d5f39080f4ae0
  - `7z-x64.dll`: 248a4d7d4c48478dcbeade8f7dba80b3
- **Behavioral Indicators:**
  - `trueconf.exe` -> `trueconf_windows_update.exe` -> `trueconf_windows_update.tmp` -> creation of arbitrary executables.
  - Presence of `poweriso.exe` spawning `curl` or `netstat`.
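Detection logic for the two behavioral indicators above, written as an added example and not taken from the Check Point report: it walks process-creation events, rebuilds each process's ancestry, and flags the TrueConf updater chain and `poweriso.exe` spawning network utilities. The event fields (Sysmon-like `pid`/`ppid`/`image`), the file paths and the sample events are constructed assumptions.

```python
from collections import namedtuple

# Minimal process-creation event; field names mimic Sysmon Event ID 1 (assumption)
Event = namedtuple("Event", "pid ppid image")

# Chain reported above: trueconf.exe -> trueconf_windows_update.exe ->
# trueconf_windows_update.tmp -> <arbitrary executable>
UPDATER_CHAIN = ("trueconf.exe", "trueconf_windows_update.exe",
                 "trueconf_windows_update.tmp")
# Masqueraded loader spawning discovery/exfiltration utilities
MASQ_PARENT = "poweriso.exe"
MASQ_CHILDREN = {"curl.exe", "netstat.exe"}

def basename(path):
    """Case-insensitive image name, tolerant of either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestry(events_by_pid, pid):
    """Image names from the process itself up to the root of its chain."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:   # guard against pid reuse loops
        seen.add(pid)
        ev = events_by_pid[pid]
        chain.append(basename(ev.image))
        pid = ev.ppid
    return chain

def detect(events):
    """Return (rule, pid, image) tuples for every event matching a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(by_pid, e.pid)   # [self, parent, grandparent, ...]
        # Rule 1: anything whose three ancestors are the TrueConf updater chain
        if len(chain) >= 4 and tuple(chain[1:4]) == tuple(reversed(UPDATER_CHAIN)):
            alerts.append(("updater_chain_spawn", e.pid, chain[0]))
        # Rule 2: poweriso.exe directly spawning curl or netstat
        if len(chain) >= 2 and chain[1] == MASQ_PARENT and chain[0] in MASQ_CHILDREN:
            alerts.append(("masqueraded_loader_child", e.pid, chain[0]))
    return alerts

# Constructed sample telemetry (paths are assumptions, not from the report)
SAMPLE_EVENTS = [
    Event(100, 1,   r"C:\Program Files\TrueConf\trueconf.exe"),
    Event(200, 100, r"C:\Program Files\TrueConf\trueconf_windows_update.exe"),
    Event(300, 200, r"C:\ProgramData\trueconf_windows_update.tmp"),
    Event(400, 300, r"C:\ProgramData\poweriso.exe"),
    Event(500, 400, r"C:\Windows\System32\curl.exe"),
    Event(600, 400, r"C:\Windows\System32\NETSTAT.EXE"),
    Event(700, 1,   r"C:\Windows\explorer.exe"),
    Event(800, 700, r"C:\Windows\System32\curl.exe"),   # benign: not under poweriso
]
```

Running `detect(SAMPLE_EVENTS)` flags pid 400 (updater chain spawn) and pids 500 and 600 (masqueraded loader children), while the `explorer.exe` -> `curl.exe` pair stays silent.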
## Response Actions
- **Containment:** Blocking known Havoc C2 IPs at the perimeter.
- **Eradication:** Removal of malicious DLLs and malicious `.tmp` files from `C:\ProgramData\`.
- **Recovery:** Upgrading all TrueConf clients to version 8.5.3 or higher.
## Lessons Learned
- **Trust Abuse:** Even "secure" on-premises, air-gapped software can be used as a delivery vector if the update mechanism lacks cryptographic integrity checks.
- **Supply Chain Vulnerability:** Compromise of a central management server (TrueConf Server) grants total control over the endpoint fleet.
## Recommendations
- **Immediate Patching:** Update the TrueConf Windows client to version 8.5.3 or later without delay.
- **Endpoint Monitoring:** Implement EDR rules to flag suspicious child processes of communication software.
- **Network Segmentation:** Limit the ability of on-premises application servers to communicate with the broader internet to prevent C2 establishment.
- **Integrity Checking:** Require cryptographic signing for all internal software updates and validate certificates before execution.