TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks

Summary

A high-severity zero-day vulnerability (CVE-2026-3502, CVSS 7.8) in TrueConf video conferencing software has been actively exploited by a Chinese-nexus threat actor in a campaign dubbed TrueChaos targeting Southeast Asian government networks. The flaw allows attackers who control an on-premises TrueConf server to distribute malicious updates lacking integrity checks, enabling arbitrary code execution. Attacks have deployed the Havoc C2 framework via DLL side-loading and reconnaissance payloads, with attribution linked to Chinese threat groups including Amaranth-Dragon.

Full text

TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks Ravie LakshmananMar 31, 2026Zero-Day / Vulnerability A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos. The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update, resulting in the execution of arbitrary code. It has been patched in the TrueConf Windows client starting with version 8.5.3, released earlier this month. "The flaw stems from the abuse of TrueConf's updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints," Check Point said in a report published today. In other words, an attacker who manages to gain control of the on-premises TrueConf server can substitute the update package with a poisoned version, which then gets pulled by the client application installed on customers' endpoints, owing to the fact that it does not enforce adequate validation to ensure that the server-provided update has not been tampered with. The TrueChaos campaign has been found to weaponize this flaw in the update mechanism to likely deploy the open-source Havoc command-and-control (C2) framework to vulnerable endpoints. The activity has been attributed with moderate confidence to a Chinese-nexus threat actor. Attacks exploiting the vulnerability were first recorded by the cybersecurity company at the beginning of 2026, with the implicit trust the client places in the update mechanism being weaponized to push a rogue installer that, in turn, leverages DLL side-loading to launch a DLL backdoor. The DLL implant ("7z-x64.dll") has also been observed performing hands-on-keyboard actions to conduct reconnaissance, set up persistence, and retrieve additional payloads ("iscsiexe.dll") from an FTP server ("47.237.15[.]197"). The primary objective of "iscsiexe.dll" is to ensure the execution of a benign binary ("poweriso.exe") that's dropped to sideload the backdoor. Although the exact final-stage malware delivered as part of the attack is not clear, it's assessed with high confidence that the end goal is to deploy the Havoc implant. TrueChaos' links to a Chinese-nexus threat actor are based on the observed tactics, such as the use of DLL side-loading, Alibaba Cloud, and Tencent for C2 infrastructure, and the fact that the same victim was targeted within the same time frame by ShadowPad, a sophisticated backdoor widely used by China-linked hacking groups. On top of that, the use of Havoc has been attributed to another Chinese threat actor called Amaranth-Dragon in intrusions aimed at government and law enforcement agencies across Southeast Asia in 2025. "The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually," Check Point said. "Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients. By replacing a legitimate update with a malicious one, they turned the product’s normal update flow into a malware distribution channel across multiple connected government networks." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, Malware, Patch Management, supply chain attack, Threat Intelligence, Video Conferencing, Vulnerability, zero-day Trending News Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats

Indicators of Compromise

• cve — CVE-2026-3502
• ip — 47.237.15.197
• malware — Havoc
• malware — 7z-x64.dll
• malware — iscsiexe.dll
• malware — ShadowPad