A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos.
The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update, resulting in the execution of arbitrary code. It has been patched in the TrueConf Windows client starting with version 8.5.3, released earlier this month.
“The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints,” Check Point said in a report published today.
In other words, an attacker who manages to gain control of the on-premises TrueConf server can substitute the update package with a poisoned version, which then gets pulled by the client application installed on customers’ endpoints, owing to the fact that it does not enforce adequate validation to ensure that the server-provided update has not been tampered with.
The TrueChaos campaign has been found to weaponize this flaw in the update mechanism to likely deploy the open-source Havoc command-and-control (C2) framework to vulnerable endpoints. The activity has been attributed with moderate confidence to a Chinese-nexus threat actor.
Attacks exploiting the vulnerability were first recorded by the cybersecurity company at the beginning of 2026, with the implicit trust the client places in the update mechanism being weaponized to push a rogue installer that, in turn, leverages DLL side-loading to launch a DLL backdoor.
The DLL implant (“7z-x64.dll”) has also been observed performing hands-on-keyboard actions to conduct reconnaissance, set up persistence, and retrieve additional payloads (“iscsiexe.dll”) from an FTP server (“47.237.15[.]197”). The primary objective of “iscsiexe.dll” is to ensure the execution of a benign binary (“poweriso.exe”) that’s dropped to sideload the backdoor.
Although the exact final-stage malware delivered as part of the attack is not clear, it’s assessed with high confidence that the end goal is to deploy the Havoc implant.
TrueChaos’ links to a Chinese-nexus threat actor are based on the observed tactics, such as the use of DLL side-loading, Alibaba Cloud, and Tencent for C2 infrastructure, and the fact that the same victim was targeted within the same time frame by ShadowPad, a sophisticated backdoor widely used by China-linked hacking groups.
On top of that, the use of Havoc has been attributed to another Chinese threat actor called Amaranth-Dragon in intrusions aimed at government and law enforcement agencies across Southeast Asia in 2025.
“The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually,” Check Point said. “Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients. By replacing a legitimate update with a malicious one, they turned the product’s normal update flow into a malware distribution channel across multiple connected government networks.”
