TrueConf Zero-Day Exploited in 'TrueChaos' Attacks Targeting Government Entities
Hackers are actively exploiting a zero-day vulnerability in **TrueConf** conference servers to execute arbitrary files on connected endpoints. The vulnerability, tracked as **CVE-2026-3502**, allows attackers to replace legitimate software updates with malicious variants, impacting organizations globally.

**TrueConf** users, particularly those in government and critical infrastructure sectors, are urged to update their software immediately to address a critical security flaw. The vulnerability, **CVE-2026-3502**, stems from a missing integrity check in the software update mechanism, enabling attackers to push malicious updates.
### Zero-Day Details
The medium-severity vulnerability affects **TrueConf** versions 8.1.0 through 8.5.2. By gaining control of an on-premises **TrueConf** server, an attacker can replace the expected update package with a malicious executable, which is then distributed to all connected clients. This allows for arbitrary code execution on the affected systems.
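The flaw described above is a client that installs whatever package the server labels as the current version. The following Python snippet is an added illustration, not TrueConf code or Check Point's analysis: it contrasts a client that trusts the server-provided update (the missing check) with one that refuses downgrades and verifies the package against a trust anchor obtained independently of the server. Real clients verify a vendor code signature; the pinned SHA-256 list here is a stdlib-only stand-in, and the update blobs and version numbers are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample payloads: a legitimate installer and a tampered replacement.
GOOD_UPDATE = b"client-8.5.3-installer (constructed sample bytes)"
TAMPERED_UPDATE = b"replacement executable posing as 8.5.3 (constructed sample bytes)"

# Hypothetical out-of-band trust anchor. In a real client this role is played by a
# pinned vendor code-signing certificate; a pinned release-hash list stands in here.
PINNED_RELEASE_HASHES = {
    "8.5.3": hashlib.sha256(GOOD_UPDATE).hexdigest(),
}


@dataclass
class UpdateOffer:
    """What the server hands the client: a claimed version and the package bytes."""
    version: str
    payload: bytes


def parse_version(version: str) -> tuple:
    """'8.5.3' -> (8, 5, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_accept(offer: UpdateOffer, installed: str) -> bool:
    """Mirrors the missing integrity check: any package the server calls newer is installed."""
    return parse_version(offer.version) > parse_version(installed)


def hardened_accept(offer: UpdateOffer, installed: str) -> bool:
    """Accept only a strictly newer release whose bytes match the pinned trust anchor."""
    if parse_version(offer.version) <= parse_version(installed):
        return False  # refuse downgrades and replays of old packages
    expected = PINNED_RELEASE_HASHES.get(offer.version)
    if expected is None:
        return False  # release unknown to the trust anchor: do not install
    actual = hashlib.sha256(offer.payload).hexdigest()
    # constant-time comparison avoids leaking how many leading bytes matched
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    installed = "8.5.2"
    tampered = UpdateOffer("8.5.3", TAMPERED_UPDATE)
    print("vulnerable client installs tampered package:", vulnerable_accept(tampered, installed))
    print("hardened client installs tampered package:", hardened_accept(tampered, installed))
    print("hardened client installs genuine package:",
          hardened_accept(UpdateOffer("8.5.3", GOOD_UPDATE), installed))
```

The important property is that the decision no longer depends on anything the compromised server controls: the version string and the bytes both come from the server, but the hash (or, in practice, the signing key) they are checked against does not.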
### Targeted Attacks: Operation 'TrueChaos'
**Check Point** researchers have been tracking a campaign, dubbed 'TrueChaos', that has exploited **CVE-2026-3502** as a zero-day since the beginning of the year. The primary targets appear to be government entities in Southeast Asia.
"An attacker who gains control of the on-premises **TrueConf** server can replace the expected update package with an arbitrary executable, presented as the current application version, and distribute it to all connected clients," **Check Point** stated in their report. "Because the client trusts the server-provided update without proper validation, the malicious file can be delivered and executed under the guise of a legitimate **TrueConf** update."

### Attribution and Tactics
**Check Point** assesses with moderate confidence that the 'TrueChaos' activity is linked to a Chinese-nexus threat actor, based on observed tactics, techniques, and procedures (TTPs). The attackers leverage **Alibaba Cloud** and **Tencent** for hosting their command and control (C2) infrastructure. The attacks involve compromising a centrally managed government **TrueConf** server to distribute malicious files via fake updates to connected clients.
The infection chain involves DLL sideloading, deployment of reconnaissance tools (tasklist, tracert), privilege escalation (a UAC bypass via iscsicpl.exe), and persistence mechanisms.

While the final payload remains unrecovered, network traffic suggests the use of the **Havoc** C2 framework. **Havoc** is an open-source C2 framework capable of executing commands, managing processes, manipulating Windows tokens, executing shellcode, and deploying additional payloads on compromised systems. It has been previously linked to the Chinese threat cluster 'Amaranth Dragon'.
### Mitigation and Indicators of Compromise (IoCs)
**TrueConf** addressed the vulnerability in version 8.5.3, released in March 2026. Users are strongly advised to upgrade to the latest version.
**Check Point**'s report provides indicators of compromise (IoCs) to help organizations detect potential infections. Key indicators include the presence of *poweriso.exe* or *7z-x64.dll*, and suspicious artifacts like *%AppData%\Roaming\Adobe\update.7z* or *iscsiexe.dll*.
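Two of the listed file names (*poweriso.exe*, *7z-x64.dll*) belong to legitimate software, so their presence alone is a weak signal; what matters is where they sit and what they sit next to. The Python below is an added example, not part of the Check Point report: it takes a file inventory collected from a host and grades each IoC hit, treating the two sideloading components co-located in a user-writable directory, an archive under the *AppData\Roaming\Adobe* path, or *iscsiexe.dll* outside a system directory as higher-severity than a lone name match. The inventory is constructed sample data, and the severity rules are the author's assumptions about how to triage these names, not published detection logic.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# File names cited as indicators in the article (lower-cased for matching).
IOC_FILENAMES = {"poweriso.exe", "7z-x64.dll", "update.7z", "iscsiexe.dll"}
SIDELOAD_PAIR = {"poweriso.exe", "7z-x64.dll"}

# Constructed sample inventory standing in for a file listing pulled from a host.
SAMPLE_INVENTORY = [
    r"C:\Program Files\PowerISO\poweriso.exe",           # legitimate install location
    r"C:\Users\alice\AppData\Roaming\Adobe\update.7z",
    r"C:\Users\alice\AppData\Roaming\Adobe\poweriso.exe",
    r"C:\Users\alice\AppData\Roaming\Adobe\7z-x64.dll",
    r"C:\Windows\System32\notepad.exe",                  # not an IoC, ignored
    r"C:\Users\bob\AppData\Local\Temp\iscsiexe.dll",
]


def in_user_directory(path: PureWindowsPath) -> bool:
    """True when the file lives under a per-user profile (user-writable) tree."""
    return "users" in [part.lower() for part in path.parts]


def scan(inventory):
    """Return (path, severity, reason) tuples for every IoC file-name match."""
    # Index file names per directory so co-location can be checked.
    names_by_dir = defaultdict(set)
    for raw in inventory:
        p = PureWindowsPath(raw)
        names_by_dir[str(p.parent).lower()].add(p.name.lower())

    findings = []
    for raw in inventory:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name not in IOC_FILENAMES:
            continue
        directory = str(p.parent).lower()
        user_dir = in_user_directory(p)
        severity, reason = "low", f"IoC file name {name} in a non-user directory"
        if name in SIDELOAD_PAIR and SIDELOAD_PAIR <= names_by_dir[directory] and user_dir:
            severity = "high"
            reason = "poweriso.exe and 7z-x64.dll co-located in a user directory (sideloading pattern)"
        elif name == "update.7z" and directory.endswith(r"\appdata\roaming\adobe"):
            severity = "high"
            reason = "update.7z under AppData\\Roaming\\Adobe matches the reported artifact path"
        elif name == "iscsiexe.dll" and user_dir:
            severity = "high"
            reason = "iscsiexe.dll in a user-writable directory"
        elif user_dir:
            severity = "medium"
            reason = f"IoC file name {name} in a user directory"
        findings.append((raw, severity, reason))
    return findings


def high_severity_paths(inventory):
    """Convenience view: only the paths graded high, in inventory order."""
    return [path for path, severity, _ in scan(inventory) if severity == "high"]


if __name__ == "__main__":
    for path, severity, reason in scan(SAMPLE_INVENTORY):
        print(f"[{severity:6}] {path}  ({reason})")
```

Run it against a real listing by replacing `SAMPLE_INVENTORY` with the output of a file-system walk or an EDR file inventory; because it uses `PureWindowsPath`, the grading itself runs on any platform, so Windows listings can be triaged on an analyst's workstation.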