Hackers have launched targeted attacks against TrueConf conference servers by exploiting a previously unknown vulnerability that enables the execution of malicious files across all connected systems.
The vulnerability, identified as CVE-2026-3502, has been assigned a medium severity rating. It originates from the absence of an integrity verification step in the platform’s update process, allowing threat actors to substitute legitimate updates with compromised versions.
TrueConf is a video conferencing solution often deployed as a self-hosted server. While cloud functionality exists, it is primarily built for secure, isolated environments. The company states that over 100,000 organizations adopted the platform during the COVID-19 pandemic to support remote operations, including military units, government bodies, energy firms, and air traffic control organizations.
Security researchers at Check Point have been monitoring an ongoing campaign, dubbed “TrueChaos,” which has been actively exploiting CVE-2026-3502 as a zero-day since early this year. The attacks have mainly focused on government institutions in Southeast Asia.
“An attacker who gains control of the on-premises TrueConf server can replace the expected update package with an arbitrary executable, presented as the current application version, and distribute it to all connected clients,” Check Point says.
“Because the client trusts the server-provided update without proper validation, the malicious file can be delivered and executed under the guise of a legitimate TrueConf update.”
The vulnerability impacts TrueConf versions 8.1.0 through 8.5.2. After responsible disclosure by researchers, the company released a patched version, 8.5.3, in March 2026 to address the issue.
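The following Python example is added here to show the shape of the flaw Check Point describes and one way a client can close it; it is not TrueConf code and does not reflect how the 8.5.3 fix is actually implemented. The first routine behaves like a client that runs whatever the server returns; the second refuses a package unless its claimed version, installer name and SHA-256 digest match an allow-list pinned inside the client (real clients would normally verify a vendor code-signing signature against a pinned public key instead, which the standard library cannot do). The installer bytes, the 8.5.3 digest and the simulated server responses are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class UpdatePackage:
    """What the on-premises server hands a client during an update check."""
    version: str    # version the server *claims* this package is
    filename: str   # file name the client will write and run
    payload: bytes  # bytes the client would execute


# Constructed stand-ins for installer bytes; not real TrueConf binaries.
GENUINE_PAYLOAD = b"MZ" + b"genuine 8.5.3 installer bytes (constructed)"
MALICIOUS_PAYLOAD = b"MZ" + b"attacker-supplied loader bytes (constructed)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical allow-list compiled into the client (or fetched over an
# independent, authenticated channel): version -> (expected file name, SHA-256).
# The digest is derived from the constructed payload above, so it is illustrative.
PINNED_RELEASES: Dict[str, Tuple[str, str]] = {
    "8.5.3": ("TrueConfSetup-8.5.3.exe", sha256_hex(GENUINE_PAYLOAD)),
}


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def vulnerable_apply_update(pkg: UpdatePackage,
                            run: Callable[[str, bytes], None]) -> str:
    """Behaviour the report attributes to affected clients: whatever the
    server sends is written and executed, with no integrity check at all."""
    run(pkg.filename, pkg.payload)
    return pkg.filename


def hardened_apply_update(pkg: UpdatePackage, installed_version: str,
                          pinned: Dict[str, Tuple[str, str]],
                          run: Callable[[str, bytes], None]) -> str:
    """Run a package only if version, installer name and digest all match the
    pinned allow-list, and never move backwards in version."""
    if parse_version(pkg.version) <= parse_version(installed_version):
        raise ValueError("refusing downgrade/reinstall of %s" % pkg.version)
    if pkg.version not in pinned:
        raise ValueError("no pinned release for version %s" % pkg.version)
    expected_name, expected_digest = pinned[pkg.version]
    if pkg.filename != expected_name:
        raise ValueError("unexpected installer name %s" % pkg.filename)
    # Constant-time comparison so the check leaks nothing about the digest.
    if not hmac.compare_digest(sha256_hex(pkg.payload), expected_digest):
        raise ValueError("digest mismatch: package altered on server or in transit")
    run(pkg.filename, pkg.payload)
    return pkg.filename


def simulate(installed_version: str = "8.5.2") -> Dict[str, object]:
    """Run both clients against a genuine package and a swapped one and
    report what each executed or rejected."""
    executed: List[str] = []
    run = lambda name, _data: executed.append(name)

    genuine = UpdatePackage("8.5.3", "TrueConfSetup-8.5.3.exe", GENUINE_PAYLOAD)
    # Compromised server: same claimed version and name, different bytes.
    swapped = UpdatePackage("8.5.3", "TrueConfSetup-8.5.3.exe", MALICIOUS_PAYLOAD)

    results: Dict[str, object] = {}
    results["vulnerable_ran"] = vulnerable_apply_update(swapped, run)
    results["hardened_genuine"] = hardened_apply_update(
        genuine, installed_version, PINNED_RELEASES, run)
    try:
        hardened_apply_update(swapped, installed_version, PINNED_RELEASES, run)
        results["hardened_swapped"] = "executed"
    except ValueError as err:
        results["hardened_swapped"] = "rejected: " + str(err)
    results["executed"] = list(executed)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "->", value)
```

The vulnerable path executes the swapped package because nothing ties the bytes to the version the server claims; the hardened path executes only the genuine package and rejects the swapped one on the digest check. The version comparison also blocks a server from "updating" clients back to an affected release.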
Details of the “TrueChaos” Campaign:
Check Point researchers believe with moderate confidence that the activity is linked to a China-associated threat actor. This assessment is based on observed tactics, techniques, and procedures, the use of Alibaba Cloud and Tencent infrastructure for command-and-control operations, and the nature of the targets.
The attack campaign leverages centralized TrueConf servers used by government entities, allowing attackers to distribute malicious updates to multiple agencies simultaneously. Once deployed, the infection chain includes DLL sideloading, reconnaissance commands such as tasklist and tracert, privilege escalation via a UAC bypass using iscsicpl.exe, and persistence mechanisms.
Although the final payload was not recovered, network indicators suggest the use of Havoc command-and-control infrastructure. Havoc is an open-source framework that enables attackers to run commands, control processes, manipulate system tokens, execute shellcode, and deploy further malicious components. It has previously been associated with the Chinese-linked group “Amaranth Dragon” in similar campaigns.
The report also provides indicators of compromise and warning signs of infection. Notable red flags include the presence of files such as poweriso.exe or 7z-x64.dll, the archive path %AppData%\Roaming\Adobe\update.7z, and a DLL named iscsiexe.dll.
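As an added example, not from the report, here is a small Python triage routine that checks a file inventory against the indicators listed above. The inventory is constructed; the expansion of %AppData% to a ...\AppData\Roaming\... path is an assumption, so the archive indicator is matched by its tail under an AppData directory. Matches inside the Windows system directories are flagged but marked separately, since iscsiexe.dll is a legitimate system DLL and it is a copy outside those directories that an analyst would want to look at first.

```python
import ntpath
from typing import List, NamedTuple

# File-name indicators named in the Check Point report (taken from the page).
SUSPICIOUS_NAMES = {"poweriso.exe", "7z-x64.dll", "iscsiexe.dll"}

# %AppData%\Roaming\Adobe\update.7z: assuming %AppData% expands to
# ...\AppData\Roaming, match the final two path components under AppData.
SUSPICIOUS_TAIL = ("adobe", "update.7z")

# Locations where a legitimate copy of a Windows DLL normally lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


class Finding(NamedTuple):
    path: str
    reason: str
    in_system_dir: bool


def classify(path: str) -> List[Finding]:
    """Return zero or more findings for one inventory path."""
    norm = path.replace("/", "\\").lower()
    name = ntpath.basename(norm)
    parts = norm.split("\\")
    in_sys = norm.startswith(SYSTEM_DIRS)
    findings: List[Finding] = []
    if name in SUSPICIOUS_NAMES:
        findings.append(Finding(path, "indicator file name: " + name, in_sys))
    if "appdata" in parts and tuple(parts[-2:]) == SUSPICIOUS_TAIL:
        findings.append(Finding(path, "staged archive Adobe\\update.7z under AppData", in_sys))
    return findings


def scan_inventory(paths: List[str]) -> List[Finding]:
    """Run classify() over every path and concatenate the findings."""
    out: List[Finding] = []
    for p in paths:
        out.extend(classify(p))
    return out


# Constructed inventory: a mix of benign entries and the report's indicators.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\iscsiexe.dll",
    r"C:\Users\alice\AppData\Roaming\Adobe\update.7z",
    r"C:\Users\alice\AppData\Roaming\Adobe\poweriso.exe",
    r"C:\Users\alice\AppData\Roaming\Adobe\7z-x64.dll",
    r"C:\Program Files\TrueConf\Client\TrueConf.exe",
    r"C:\Users\alice\Documents\report.docx",
]


def outside_system_dirs(findings: List[Finding]) -> List[Finding]:
    """The subset an analyst should look at first."""
    return [f for f in findings if not f.in_system_dir]


if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        flag = "(system dir)" if f.in_system_dir else "(user-writable)"
        print(f.path, "->", f.reason, flag)
```

Feed it the output of a file listing from an endpoint (one path per line) and review the user-writable matches first; a hit on the Adobe\update.7z tail next to poweriso.exe or 7z-x64.dll in the same directory is the combination the report associates with this campaign.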
