A critical zero-day vulnerability in the TrueConf video conferencing platform is being actively exploited in a sophisticated espionage campaign targeting government entities across Southeast Asia.
Check Point Research has uncovered Operation TrueChaos, a targeted attack campaign weaponizing CVE-2026-3502 (CVSS 7.8) to compromise dozens of government agencies through a single compromised TrueConf server. The campaign deploys the Havoc post-exploitation framework to establish persistent access to victim networks.
The Vulnerability: Trusted Update Mechanism Weaponized
TrueConf is a popular enterprise video conferencing solution designed to operate entirely within private, air-gapped networks without internet access—making it attractive for government, military, and critical infrastructure sectors requiring strict data privacy.
The vulnerability exists in how the TrueConf client handles software updates. When the application starts, it checks the central on-premises server for newer versions and downloads updates automatically. The critical flaw: this update process lacks proper security checks for authenticity and file integrity.
An attacker who compromises a central TrueConf server can replace legitimate updates with malicious payloads. All connected clients will blindly trust and execute the weaponized package as if it were a normal update—enabling mass compromise through a single point of entry.
Attack Chain Analysis
In the observed attacks, threat actors compromised a government IT department’s central TrueConf server that served dozens of connected agencies. The attack unfolded as follows:
- Initial Access: Attackers compromised the central TrueConf server
- Weaponized Update: Legitimate update replaced with malicious package containing poweriso.exe and 7z-x64.dll
- DLL Side-Loading: Malicious DLL loaded through legitimate executable
- Reconnaissance: Network mapping and process enumeration
- Privilege Escalation: Windows security prompts bypassed for elevated access
- Payload Delivery: Havoc post-exploitation framework deployed via remote C2 servers
Attribution: Chinese-Nexus Threat Actor
Based on tactics, techniques, infrastructure choices, and cloud hosting providers used, researchers assess with moderate confidence that a Chinese-nexus threat actor is behind Operation TrueChaos. The targeted region and victim profile align with known espionage campaigns focused on government intelligence collection.
Indicators of Compromise
- trueconf_windows_update.exe (MD5: 22e32bcf113326e366ac480b077067cf) — Malicious update
- iscsiexe.dll (MD5: 9b435ad985b733b64a6d5f39080f4ae0) — Loader
- 7z-x64.dll (MD5: 248a4d7d4c48478dcbeade8f7dba80b3) — Havoc implant
- C2 Infrastructure: 43.134.90[.]60, 43.134.52[.]221, 47.237.15[.]197
Why This Matters
This campaign demonstrates a supply chain attack vector that bypasses traditional perimeter defenses by exploiting trusted internal software distribution mechanisms. Organizations using TrueConf—particularly in government and critical infrastructure—face significant risk if servers have been compromised.
The attack’s effectiveness is amplified by TrueConf’s design for isolated networks: organizations that chose the platform specifically for its air-gapped security posture may now find their entire internal network compromised through a single server breach.
Mitigation Recommendations
- Patch immediately: Update to TrueConf version 8.5.3
- Hunt for IOCs: Search for unsigned update files, poweriso.exe or 7z-x64.dll in ProgramData folders
- Check registry: Look for unauthorized Run keys
- Network monitoring: Alert on connections to known C2 infrastructure
- Server audit: Review TrueConf server integrity and access logs
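A host-side hunt that works through the checks above (ProgramData file names and signature status, Run keys, live connections to the listed C2 addresses), added here as an example; it is not Check Point's or TrueConf's tooling, and it assumes only the file names, hashes and addresses named on this page, run from an elevated PowerShell session on a Windows host with the TrueConf client installed:

```powershell
# Added hunting script (not from the report or the vendor). Indicator values are
# copied from this page; adjust $SuspectNames/$C2 if your IOC feed differs.
$SuspectNames = @('poweriso.exe', '7z-x64.dll', 'iscsiexe.dll', 'trueconf_windows_update.exe')
$KnownMd5 = @{
    '22E32BCF113326E366AC480B077067CF' = 'trueconf_windows_update.exe (malicious update)'
    '9B435AD985B733B64A6D5F39080F4AE0' = 'iscsiexe.dll (loader)'
    '248A4D7D4C48478DCBEADE8F7DBA80B3' = '7z-x64.dll (Havoc implant)'
}
$C2 = @('43.134.90.60', '43.134.52.221', '47.237.15.197')

# 1. Files under ProgramData whose names match the campaign; report Authenticode status
#    and MD5 so unsigned or known-bad copies stand out.
Get-ChildItem -Path $env:ProgramData -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $SuspectNames -contains $_.Name.ToLower() } |
    ForEach-Object {
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
        $sig = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        $known = ''
        if ($KnownMd5.ContainsKey($md5)) { $known = $KnownMd5[$md5] }
        [pscustomobject]@{
            Path      = $_.FullName
            MD5       = $md5
            Signature = $sig      # anything other than 'Valid' deserves a look
            KnownIoC  = $known
        }
    } | Format-Table -AutoSize

# 2. Autostart Run keys for the machine and the current user; review every value,
#    not only ones that reference the names above.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
        foreach ($p in $props.PSObject.Properties) { "$key : $($p.Name) = $($p.Value)" }
    }
}

# 3. Current TCP connections to the C2 addresses named in the report, with the owning PID.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $C2 -contains $_.RemoteAddress } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
```

A hit in step 1 with Signature other than Valid, or any step 3 match, is enough to isolate the host and pull the TrueConf server logs before patching.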
