Zero-Day Vulnerability in TrueConf Client Exploited in Targeted Campaign
Check Point Research has identified a zero-day vulnerability in the TrueConf client software, designated as CVE-2026-3502, with a CVSS score of 7.8. This vulnerability enables an attacker with control over an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints, which has been leveraged in a targeted campaign named “TrueChaos” against government entities in Southeast Asia.
The exploit hinges on flaws in TrueConf’s update validation mechanism, allowing an attacker to abuse the trust relationship between the central server and client endpoints. In the observed campaign, malicious updates were pushed to vulnerable machines within a government network, suggesting potential espionage motives tied to a Chinese-aligned threat actor. The campaign takes advantage of TrueConf’s architecture, which is designed to keep internal communications confidential for government and critical infrastructure clients.
Defensive Context
Organizations that deploy the TrueConf video conferencing software, particularly those within government or critical infrastructure sectors, must be aware of the risks associated with the exploitation of CVE-2026-3502. The attackers do not need to compromise each endpoint individually, as the existing trust model of the central server facilitates broad malware distribution. This is particularly relevant for environments running on-premises TrueConf installations, where the flawed update validation can be abused by whoever controls the server.
Why This Matters
The risk of exploitation is heightened for organizations reliant on the TrueConf platform for secure communication, as the vulnerability potentially opens multiple entry points across connected systems. Sensitive government communications may be particularly exposed, especially at the Southeast Asian entities targeted by the campaign, making a robust assessment of this vulnerability essential.
Defender Considerations
Organizations running the TrueConf software should prioritize updating to version 8.5.3 or later, where the vendor has addressed this vulnerability. Monitoring for the presence of suspicious files linked to the malware activity, such as trueconf_windows_update.exe and iscsiexe.dll, can aid in detecting potential compromises. Additionally, vigilance regarding network communications to the known command and control IP addresses associated with the Havoc implant is critical for early detection.
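The following hunt script, built from the file hashes and command and control addresses listed in the IOC section below, is an added example and is not Check Point’s or TrueConf’s code. It assumes the 32-character hashes are MD5 and that the defanged "[.]" addresses can be refanged for matching; the connection log it scans is constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# File hashes and C2 addresses as listed in the advisory. The hashes are 32 hex
# characters, so they are treated as MD5; the addresses are defanged with "[.]".
IOC_FILE_HASHES = {
    "22e32bcf113326e366ac480b077067cf": "trueconf_windows_update.exe (malicious update)",
    "9b435ad985b733b64a6d5f39080f4ae0": "iscsiexe.dll (loader)",
    "248a4d7d4c48478dcbeade8f7dba80b3": "7z-x64.dll (Havoc implant)",
}
IOC_C2_DEFANGED = ["43.134.90[.]60", "43.134.52[.]221", "47.237.15[.]197"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable address."""
    return indicator.replace("[.]", ".")

IOC_C2 = {refang(a) for a in IOC_C2_DEFANGED}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_files(root: Path) -> list[tuple[Path, str]]:
    """MD5 every regular file under root and report those matching an IOC hash."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = hashlib.md5(path.read_bytes()).hexdigest()
        except OSError:
            continue  # locked or unreadable file: skip it rather than abort the sweep
        if digest in IOC_FILE_HASHES:
            hits.append((path, IOC_FILE_HASHES[digest]))
    return hits

def scan_connection_log(lines) -> list[tuple[int, str]]:
    """Return (line_number, ip) for every log line that mentions a known C2 address."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend((n, ip) for ip in IP_RE.findall(line) if ip in IOC_C2)
    return hits

# Constructed sample connection log for a stand-alone run; not from the advisory.
SAMPLE_LOG = [
    "2026-01-10 09:12:01 TCP 10.0.5.21:51234 -> 43.134.90.60:443 ESTABLISHED",
    "2026-01-10 09:12:05 TCP 10.0.5.21:51240 -> 203.0.113.8:443 ESTABLISHED",
    "2026-01-10 09:13:17 TCP 10.0.5.40:49170 -> 47.237.15.197:8443 SYN_SENT",
]
```

Run scan_files against the TrueConf install and update directories and scan_connection_log over exported firewall or proxy logs; a hash match or a C2 hit is a trigger for isolating the host, not proof of absence when empty.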
Indicators of Compromise (IOCs)
Malicious Update Executable:
trueconf_windows_update.exe – Hash: 22e32bcf113326e366ac480b077067cf
Loader:
iscsiexe.dll – Hash: 9b435ad985b733b64a6d5f39080f4ae0
Havoc Implant:
7z-x64.dll – Hash: 248a4d7d4c48478dcbeade8f7dba80b3
Command and Control IP Addresses:
43.134.90[.]60, 43.134.52[.]221, 47.237.15[.]197