Full Report
A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos. The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update,
Analysis Summary
# Incident Report: Operation TrueChaos - Zero-Day Exploitation of TrueConf
## Executive Summary
A high-severity zero-day vulnerability (CVE-2026-3502, CVSS 7.8) in the TrueConf video conferencing client was exploited by a Chinese-nexus threat actor to target government entities in Southeast Asia. After compromising on-premises TrueConf servers, the attackers served tampered update packages to every connected endpoint; because the client performed no integrity check on fetched update code, the tampered package ran as arbitrary code on each endpoint. The campaign, dubbed "TrueChaos," resulted in the deployment of DLL-based backdoors, ShadowPad and the Havoc C2 framework across multiple government networks.
## Incident Details
- **Discovery Date:** March 31, 2026 (Public disclosure by Check Point)
- **Incident Date:** Early 2026
- **Affected Organization:** Multiple government entities
- **Sector:** Government / Public Sector
- **Geography:** Southeast Asia
## Timeline of Events
### Initial Access
- **Date/Time:** Early 2026
- **Vector:** Supply Chain / Software Update Hijacking
- **Details:** Attackers first gained control of on-premises TrueConf servers. They then exploited CVE-2026-3502, the client's lack of integrity validation for fetched update code: because the client accepted whatever package the server offered, the attackers could replace legitimate update packages with malicious versions and have every client install them.
### Lateral Movement
- **Mechanism:** The trusted relationship between the central TrueConf server and client endpoints facilitated automatic distribution.
- **Techniques:** Once the tampered update was pulled by endpoints, attackers used hands-on-keyboard actions and DLL side-loading to maintain control and move within the victim networks.
### Data Exfiltration/Impact
- **Details:** The primary impact was the compromise of government endpoints. While specific data theft was not detailed, the deployment of the Havoc C2 framework and ShadowPad backdoor indicates a high likelihood of long-term espionage and data collection.
### Detection & Response
- **Monitoring:** Cybersecurity firm Check Point detected the activity in early 2026.
- **Response:** TrueConf released a patched Windows client (version 8.5.3) in March 2026 that adds integrity checks for update packages before they are executed.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2026-3502 through a compromised on-premises server.
- **Persistence:** A malicious DLL implant (`7z-x64.dll`) loaded by DLL side-loading into the benign binary `poweriso.exe`, so that launching a legitimate program also launched the implant.
- **Defense Evasion:** Use of DLL side-loading, hosting infrastructure on legitimate cloud providers (Alibaba and Tencent), and utilizing benign binaries to launch malicious payloads.
- **Discovery:** Hands-on-keyboard reconnaissance conducted via the initial DLL implant.
- **Lateral Movement:** Automated "one-to-many" distribution via the software update mechanism.
- **Command and Control / Collection:** Deployment of the Havoc command-and-control (C2) framework and the ShadowPad backdoor; specific collection or exfiltration tooling was not detailed.
- **Infrastructure:** Use of an FTP server at `47.237.15[.]197` for payload delivery.
## Impact Assessment
- **Financial:** Undisclosed costs related to incident response and remediation.
- **Data Breach:** High risk; targets were government entities, suggesting potential exposure of sensitive state data.
- **Operational:** Emergency patching of all TrueConf Windows clients and temporary isolation of on-premises TrueConf servers during remediation, with the corresponding loss of conferencing availability while those steps were carried out.
- **Reputational:** Significant impact on the trust placed in on-premises communication software validation.
## Indicators of Compromise
- **Network Indicators:**
- `47.237.15[.]197` (FTP Server)
- Alibaba Cloud and Tencent Cloud C2 infrastructure nodes.
- **File Indicators:**
- `7z-x64.dll` (Malicious DLL implant)
- `iscsiexe.dll` (Secondary payload)
- `poweriso.exe` (Legitimate binary abused as the side-loading host; its presence alone is not an indicator, its loading of the DLLs above is)
- **Behavioral Indicators:**
- TrueConf application initiating execution of unauthorized DLLs.
- Unexpected FTP connections from video conferencing endpoints.
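The behavioral indicators above (and the EDR recommendation later in this report) translate directly into detection logic. The following Go program is an added example, not tooling from Check Point or TrueConf: it reads Sysmon ImageLoad (Event ID 7) and NetworkConnect (Event ID 3) records as one JSON object per line (the JSON shipper format is an assumption; the field names are Sysmon's), flags the named DLLs, any unsigned DLL loaded by a TrueConf process or by `poweriso.exe`, any connection to the reported FTP server, and any FTP connection from a conferencing process. The log lines are constructed for the example and are not telemetry from the incident.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Event holds the Sysmon fields this example needs: ImageLoad (EventID 7) and
// NetworkConnect (EventID 3). Field names follow Sysmon's; that the log arrives
// as one JSON object per line is an assumption about the log shipper.
type Event struct {
	EventID     int    `json:"EventID"`
	Image       string `json:"Image"`           // process that loaded the DLL or opened the connection
	ImageLoaded string `json:"ImageLoaded"`     // ID 7 only
	Signed      string `json:"Signed"`          // ID 7 only: "true" or "false"
	DestIP      string `json:"DestinationIp"`   // ID 3 only
	DestPort    int    `json:"DestinationPort"` // ID 3 only
}

// Atomic indicators taken from the report.
var (
	iocIP   = net.ParseIP("47.237.15.197")
	iocDLLs = map[string]bool{"7z-x64.dll": true, "iscsiexe.dll": true}
)

// baseName handles Windows paths even when this runs on a non-Windows host.
func baseName(p string) string {
	return p[strings.LastIndexAny(p, `\/`)+1:]
}

// isConferencingProcess matches the TrueConf client install tree and
// poweriso.exe, the benign binary the report names as the side-loading host.
func isConferencingProcess(image string) bool {
	lower := strings.ToLower(image)
	return strings.Contains(lower, `\trueconf\`) || baseName(lower) == "poweriso.exe"
}

// classify returns an alert string for one log line, or "" if it is benign.
func classify(line string) string {
	var ev Event
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return "" // unparseable lines are skipped, not alerted on
	}
	switch ev.EventID {
	case 7:
		if !isConferencingProcess(ev.Image) {
			return ""
		}
		dll := strings.ToLower(baseName(ev.ImageLoaded))
		if iocDLLs[dll] {
			return "known TrueChaos implant " + dll + " loaded by " + baseName(ev.Image)
		}
		if ev.Signed == "false" {
			return "unsigned DLL " + dll + " loaded by " + baseName(ev.Image) + " (possible side-loading)"
		}
	case 3:
		// The C2 address is bad from any process; FTP is suspicious from a conferencing process.
		if ip := net.ParseIP(ev.DestIP); ip != nil && ip.Equal(iocIP) {
			return "connection to TrueChaos FTP server from " + baseName(ev.Image)
		}
		if ev.DestPort == 21 && isConferencingProcess(ev.Image) {
			return "FTP connection from conferencing endpoint process " + baseName(ev.Image)
		}
	}
	return ""
}

// scan runs classify over every line and collects the alerts.
func scan(lines []string) []string {
	var alerts []string
	for _, l := range lines {
		if a := classify(l); a != "" {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

// sampleLog is constructed for this example; it is not telemetry from the incident.
var sampleLog = []string{
	`{"EventID":7,"Image":"C:\\Program Files\\TrueConf\\Client\\TrueConf.exe","ImageLoaded":"C:\\Program Files\\TrueConf\\Client\\Qt5Core.dll","Signed":"true"}`,
	`{"EventID":7,"Image":"C:\\Program Files\\TrueConf\\Client\\TrueConf.exe","ImageLoaded":"C:\\Program Files\\TrueConf\\Client\\7z-x64.dll","Signed":"false"}`,
	`{"EventID":7,"Image":"C:\\Users\\Public\\poweriso.exe","ImageLoaded":"C:\\Users\\Public\\iscsiexe.dll","Signed":"false"}`,
	`{"EventID":7,"Image":"C:\\Program Files\\TrueConf\\Client\\TrueConf.exe","ImageLoaded":"C:\\Users\\Public\\helper.dll","Signed":"false"}`,
	`{"EventID":3,"Image":"C:\\Program Files\\TrueConf\\Client\\TrueConf.exe","DestinationIp":"47.237.15.197","DestinationPort":21}`,
	`{"EventID":3,"Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","DestinationIp":"203.0.113.10","DestinationPort":443}`,
}

func main() {
	for _, a := range scan(sampleLog) {
		fmt.Println("ALERT:", a)
	}
}
```

The unsigned-DLL rule is deliberately broader than the two named file names: a rebuilt implant with a new name still has to be loaded by the conferencing process, and that load is what the rule keys on. Tune it to your estate by allowlisting the DLLs that legitimately ship unsigned in the TrueConf install directory.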
## Response Actions
- **Containment:** Organizations advised to isolate on-premises TrueConf servers until security updates are applied.
- **Eradication:** Removal of malicious DLLs and suspicious binaries (`7z-x64.dll`, `iscsiexe.dll`).
- **Recovery:** Deployment of TrueConf Windows client version 8.5.3 or higher, which includes integrity checks for updates.
## Lessons Learned
- **Trust Validation:** Implicit trust in an on-premises update server is a significant security gap. A client must verify a vendor signature over every downloaded update against a public key pinned in the client itself, so that compromising the server (which never holds the signing key) does not let an attacker substitute code.
- **Centralized Risk:** Centralized management servers (like video conferencing or patch management) are "force multipliers" for attackers; a single compromise can lead to the immediate infection of an entire organization.
## Recommendations
- **Patch Management:** Immediately upgrade all TrueConf Windows clients to version 8.5.3+.
- **Network Segmentation:** Isolate communication servers from sensitive network segments to limit lateral movement.
- **Endpoint Monitoring:** Implement EDR (Endpoint Detection and Response) to flag common evasion techniques like DLL side-loading, especially within the context of trusted application directories.
- **Integrity Checks:** Ensure all third-party software updates require valid digital signatures before execution.
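The update-hijack mechanism described in the timeline, and the integrity-check lesson and recommendation above, come down to one decision in the client: execute whatever the server serves, or verify a vendor signature against a pinned key first. The following Go program is an added example, not TrueConf's update code or file format: it models both client behaviours side by side, with the vendor signing a manifest (version plus SHA-256 of the payload) offline using Ed25519, an attacker on the compromised server swapping the payload, and the verifying client rejecting the swap. The package layout, the manifest format and the fixed demo key seed are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdatePackage models what an on-premises update server hands a client.
// The field layout is an assumption for this example, not TrueConf's format.
type UpdatePackage struct {
	Version   string
	Payload   []byte // update code the client will execute
	Signature []byte // vendor's Ed25519 signature over manifest(Version, Payload)
}

// manifest binds the version string to the SHA-256 of the payload. This is
// what the vendor signs offline; the on-prem server never holds the key.
func manifest(version string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte(version + "\n" + hex.EncodeToString(sum[:]))
}

// signPackage is the vendor's build step (runs at the vendor, not on the server).
func signPackage(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	return UpdatePackage{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, manifest(version, payload))}
}

// fetchUnverified is the behaviour the report describes for CVE-2026-3502:
// whatever the server serves is accepted as update code, so whoever controls
// the server controls every client.
func fetchUnverified(pkg UpdatePackage) ([]byte, error) {
	return pkg.Payload, nil
}

// fetchVerified is the hardened path: the client pins the vendor public key
// and refuses any package whose signature does not verify.
func fetchVerified(pinned ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(pinned, manifest(pkg.Version, pkg.Payload), pkg.Signature) {
		return nil, errors.New("update rejected: signature does not verify against pinned vendor key")
	}
	return pkg.Payload, nil
}

// tamperOnServer is the attacker on the compromised server: swap the payload
// but keep the vendor's original signature, which they cannot forge.
func tamperOnServer(pkg UpdatePackage, implant []byte) UpdatePackage {
	pkg.Payload = implant
	return pkg
}

// demoKeys derives a throwaway key pair from a fixed seed so the example is
// deterministic. Constructed for this example only; a real vendor key lives in an HSM.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKeys()
	genuine := signPackage(priv, "8.5.3", []byte("legitimate update code"))
	hijacked := tamperOnServer(genuine, []byte("side-loading implant"))

	code, _ := fetchUnverified(hijacked)
	fmt.Printf("unverified client ran: %q\n", code)

	if _, err := fetchVerified(pub, hijacked); err != nil {
		fmt.Println("verified client:", err)
	}
	if code, err := fetchVerified(pub, genuine); err == nil {
		fmt.Printf("verified client ran: %q\n", code)
	}
}
```

Two details matter in practice. The public key must be compiled into the client (or shipped in the previous signed release), not fetched from the same server that serves updates, otherwise the server operator can swap both. And the version string is inside the signed manifest, so an attacker cannot re-label an old signed package as a newer one; pairing that with a "never install a version lower than the running one" rule closes the rollback path as well.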