Exploits

TrueChaos Campaign Exploits TrueConf Zero-Day in Southeast Asia

Eng. Donya Bino Published  ·  3 min read

A zero-day vulnerability in the TrueConf video conferencing software has been exploited in an active campaign against government organisations in Southeast Asia. The campaign, tracked as TrueChaos, exploits CVE-2026-3502 (CVSS score 7.8), a serious flaw in the update process of the Windows client.

Because the Windows client performs no integrity checks on updates downloaded from an on-premises TrueConf server, an attacker who controls that server can push malicious update files to every connected client, and the clients execute them silently as part of the normal update flow.

Check Point Research, which published the findings today, explained that the flaw turns the trusted update flow into a highly effective malware distribution channel. Instead of compromising each endpoint individually, attackers only need control of the central on-premises server to reach multiple systems across government networks.
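The trust problem described above, reduced to code. This is an added Python example written for this page, not TrueConf's updater: `vulnerable_apply` behaves as the advisory describes (it runs whatever the server delivers), while `hardened_apply` shows the kind of check that closes the gap, pinning the expected SHA-256 of each release from a source the on-premises server does not control and refusing downgrades. The manifest, version numbers and package bytes are constructed for the example; a production client would verify a code signature against a pinned publisher certificate rather than a hash table.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample bytes standing in for the genuine 8.5.3 update package.
GOOD_UPDATE = b"TrueConf Windows client 8.5.3 setup (constructed sample bytes)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical manifest mapping version -> SHA-256 of the update package.
# It stands in for integrity data the client obtains from a source the
# on-prem server cannot tamper with (in practice a code signature checked
# against a pinned publisher certificate). Constructed for this example.
TRUSTED_MANIFEST = {"8.5.3": sha256_hex(GOOD_UPDATE)}

INSTALLED_VERSION = "8.5.2"  # assumed version currently on the endpoint


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


@dataclass
class UpdateOffer:
    """What the on-prem server hands the client: a version and a package."""
    version: str
    package: bytes


def vulnerable_apply(offer: UpdateOffer) -> str:
    # The flaw as described: no integrity check, so whatever the server
    # sends is executed.
    return f"executed {offer.version} ({len(offer.package)} bytes)"


def hardened_apply(offer: UpdateOffer) -> str:
    # 1. Refuse downgrades and replays of an already-installed version.
    if parse_version(offer.version) <= parse_version(INSTALLED_VERSION):
        return "rejected: not newer than installed version"
    # 2. Only releases the trusted manifest knows about may be installed.
    expected = TRUSTED_MANIFEST.get(offer.version)
    if expected is None:
        return "rejected: version not in trusted manifest"
    # 3. The package must hash to the pinned value (constant-time compare).
    if not hmac.compare_digest(sha256_hex(offer.package), expected):
        return "rejected: package hash mismatch"
    return f"executed {offer.version} ({len(offer.package)} bytes)"


if __name__ == "__main__":
    evil = UpdateOffer("8.5.3", b"attacker-controlled installer bytes")
    print("vulnerable:", vulnerable_apply(evil))
    print("hardened:  ", hardened_apply(evil))
    print("hardened:  ", hardened_apply(UpdateOffer("8.5.3", GOOD_UPDATE)))
```

Note that the version check alone is not enough: a compromised server can claim any version number, which is why the hash comparison (or signature check) has to bind the advertised version to the actual bytes.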

How the Attack Works

Once the server is compromised, it serves a malicious update to the client, which downloads and runs a fake installer. The installer uses DLL side-loading to load a malicious DLL (7z-x64.dll) that performs reconnaissance, establishes persistence, and connects to an FTP server (47.237.15[.]197) to download and install a second payload (iscsiexe.dll). The ultimate objective appears to be deployment of the open-source Havoc command-and-control framework.

The campaign has been attributed with moderate confidence to a China-linked threat actor. The attribution rests on the use of DLL side-loading, infrastructure hosted on Alibaba Cloud and Tencent, and the fact that the same victims were also infected with the ShadowPad backdoor, which is commonly attributed to Chinese groups. In addition, Havoc has previously been linked to Amaranth-Dragon activity targeting local governments and law enforcement.

The vulnerability affects TrueConf Windows clients before version 8.5.3; the fixed release, 8.5.3, was already available to users before the findings were published.

Why This Matters

TrueConf is widely used as a video conferencing platform in government and enterprise environments, which makes it an attractive target: an attacker who compromises the central server can distribute malware to every connected client. The attack bypasses traditional endpoint-focused defences because it abuses the inherent trust relationship between the server and its clients.

Recommendations

1. Immediately update all Windows clients to version 8.5.3 or later.
2. Actively monitor any on-premises TrueConf servers for signs of compromise.
3. Review network connection and update logs on TrueConf clients.
4. Ensure robust network segmentation between the video conferencing infrastructure and other critical systems.
5. Consider additional integrity verification of software updates in high-security environments.
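Recommendations 1 to 3 as a triage script, added here as an example (not a tool from Check Point Research or TrueConf). It checks a client version inventory against the fixed release and runs three detection rules over endpoint telemetry: a connection to the reported FTP address, a load of one of the reported DLL names from a user-writable directory, and an update process spawned from such a directory. The event lines are constructed, simplified Sysmon-style records written for this example; only the IOC values (47.237.15.197, 7z-x64.dll, iscsiexe.dll, 8.5.3) come from the report. The rules generalise beyond the two DLL names: any DLL from the IOC set loaded out of AppData, Temp or ProgramData is flagged.

```python
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "8.5.3"                    # patched client release per the report
IOC_IP = "47.237.15.197"                   # FTP server named in the report
IOC_DLLS = {"7z-x64.dll", "iscsiexe.dll"}  # side-loaded DLL and dropped payload
# Directories a user (and therefore a fake installer) can write to.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)

# Constructed, simplified Sysmon-style events (tab-separated key=value pairs).
# Not real logs from the campaign; paths and hostnames are made up.
SAMPLE_EVENTS = [
    "ts=2026-03-10T09:12:03Z\tevent=ProcessCreate\timage=C:\\Users\\alice\\AppData\\Local\\Temp\\tc_update\\TrueConfSetup.exe\tparent=C:\\Program Files\\TrueConf\\TrueConf.exe",
    "ts=2026-03-10T09:12:04Z\tevent=ImageLoad\timage=C:\\Users\\alice\\AppData\\Local\\Temp\\tc_update\\TrueConfSetup.exe\tloaded=C:\\Users\\alice\\AppData\\Local\\Temp\\tc_update\\7z-x64.dll",
    "ts=2026-03-10T09:12:09Z\tevent=NetworkConnect\timage=C:\\Users\\alice\\AppData\\Local\\Temp\\tc_update\\TrueConfSetup.exe\tdst=47.237.15.197\tport=21",
    "ts=2026-03-10T09:12:31Z\tevent=ImageLoad\timage=C:\\Users\\alice\\AppData\\Local\\Temp\\tc_update\\TrueConfSetup.exe\tloaded=C:\\ProgramData\\tc\\iscsiexe.dll",
    # benign activity the rules must not flag
    "ts=2026-03-10T09:15:00Z\tevent=ImageLoad\timage=C:\\Program Files\\7-Zip\\7zFM.exe\tloaded=C:\\Program Files\\7-Zip\\7z.dll",
    "ts=2026-03-10T09:15:02Z\tevent=NetworkConnect\timage=C:\\Program Files\\TrueConf\\TrueConf.exe\tdst=10.20.30.40\tport=443",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one tab-separated key=value line into a dict."""
    fields = {}
    for pair in line.split("\t"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def evaluate(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Apply the detection rules to a single event; return (rule, detail) hits."""
    hits = []
    kind = event.get("event")
    image = event.get("image", "")
    if kind == "NetworkConnect":
        if event.get("dst") == IOC_IP:
            hits.append(("ioc_c2_ip", f"{image} -> {IOC_IP}:{event.get('port')}"))
        elif event.get("port") == "21" and USER_WRITABLE.search(image):
            # FTP from a binary in a writable path: same tradecraft, new server
            hits.append(("ftp_from_writable_path", f"{image} -> {event.get('dst')}:21"))
    elif kind == "ImageLoad":
        loaded = event.get("loaded", "")
        name = loaded.rsplit("\\", 1)[-1].lower()
        if name in IOC_DLLS and USER_WRITABLE.search(loaded):
            hits.append(("sideloaded_ioc_dll", f"{image} loaded {loaded}"))
    elif kind == "ProcessCreate":
        parent = event.get("parent", "")
        if parent.lower().endswith("\\trueconf.exe") and USER_WRITABLE.search(image):
            hits.append(("update_spawned_from_writable_path", f"{parent} -> {image}"))
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the rules over raw log lines; return (timestamp, rule, detail) findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule, detail in evaluate(ev):
            findings.append((ev.get("ts", "?"), rule, detail))
    return findings


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def outdated_clients(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose TrueConf Windows client is older than the fixed release."""
    fixed = parse_version(FIXED_VERSION)
    return sorted(host for host, ver in inventory.items() if parse_version(ver) < fixed)


if __name__ == "__main__":
    # Constructed inventory of client versions (e.g. exported from software inventory).
    inventory = {"WS-01": "8.5.1", "WS-02": "8.5.3", "WS-03": "8.4.9", "WS-04": "8.5.10"}
    print("needs patching:", outdated_clients(inventory))
    for ts, rule, detail in scan(SAMPLE_EVENTS):
        print(ts, rule, detail)
```

The version comparison is done on integer tuples rather than strings so that 8.5.10 is correctly treated as newer than 8.5.3. The `ftp_from_writable_path` rule is a behavioural fallback for when the attacker rotates infrastructure and the IP-based rule no longer fires.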

This incident reflects an emerging trend in which attackers abuse the trust established by enterprise software update processes to reach organisations at scale. In government and regulated industries, fast patching and server hardening are critical for TrueConf deployments.

If your organization uses TrueConf, prioritise this update, especially if you operate in a sensitive environment.

Source: The Hacker News


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067