
TrueConf Zero-Day Exploited in Attacks on Southeast Asian Authorities Networks

A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia, dubbed TrueChaos.

The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of an integrity check when fetching application update code, which allows an attacker to distribute a tampered update and thereby execute arbitrary code. It has been patched in the TrueConf Windows client starting with version 8.5.3, released earlier this month.

“The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints,” Check Point said in a report published today.

In other words, an attacker who manages to gain control of the on-premises TrueConf server can replace the update package with a poisoned version, which is then pulled by the client application installed on customers’ endpoints, because the client does not perform sufficient validation to ensure that the server-provided update has not been tampered with.
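The following Go program is an added illustration of the pattern Check Point describes, not code from TrueConf or from the report. It contrasts an updater that trusts whatever digest the on-premises server supplies with one that verifies the update against a vendor public key pinned in the client. The manifest format, the Ed25519 signature scheme, the version-comparison rule and the installer bytes are all assumptions made for the example; nothing here reflects how TrueConf’s updater is actually implemented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// UpdateManifest is what the on-premises server hands the client with the package. Every
// field is server-controlled; only Signature can tie it to the vendor. Format is invented.
type UpdateManifest struct {
	Version   string
	SHA256    string // hex SHA-256 of the package bytes
	Signature []byte // vendor Ed25519 signature over signedBytes()
}

func (m UpdateManifest) signedBytes() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

func digest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// VerifyServerDigest is the weak pattern: trust a digest the server itself supplied. It
// catches corruption in transit only; a compromised server recomputes it and this passes.
func VerifyServerDigest(m UpdateManifest, pkg []byte) error {
	if digest(pkg) != m.SHA256 {
		return errors.New("package digest mismatch")
	}
	return nil
}

// VerifyPinned is the hardened pattern: a vendor key pinned in the client must have
// signed the manifest, the package must match the signed digest, and the signed version
// must be newer than the installed one so the server cannot replay an old signed release.
func VerifyPinned(vendorPub ed25519.PublicKey, installed string, m UpdateManifest, pkg []byte) error {
	if len(m.Signature) != ed25519.SignatureSize {
		return errors.New("malformed manifest signature")
	}
	if !ed25519.Verify(vendorPub, m.signedBytes(), m.Signature) {
		return errors.New("manifest signature invalid: not signed by the vendor key")
	}
	if digest(pkg) != m.SHA256 {
		return errors.New("package does not match the signed manifest")
	}
	if ok, err := newerThan(m.Version, installed); err != nil {
		return err
	} else if !ok {
		return fmt.Errorf("refusing downgrade or replay: %s is not newer than %s", m.Version, installed)
	}
	return nil
}

// SignRelease is the vendor-side release step. The private key never reaches the on-prem
// server; an attacker there can only re-sign with their own key, which the pinned key rejects.
func SignRelease(priv ed25519.PrivateKey, version string, pkg []byte) UpdateManifest {
	m := UpdateManifest{Version: version, SHA256: digest(pkg)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// newerThan compares dotted numeric versions such as "8.5.3"; missing parts count as 0.
func newerThan(candidate, installed string) (bool, error) {
	a, b := strings.Split(candidate, "."), strings.Split(installed, ".")
	for i := 0; i < len(a) || i < len(b); i++ {
		x, y, err := 0, 0, error(nil)
		if i < len(a) {
			if x, err = strconv.Atoi(a[i]); err != nil {
				return false, fmt.Errorf("bad version %q", candidate)
			}
		}
		if i < len(b) {
			if y, err = strconv.Atoi(b[i]); err != nil {
				return false, fmt.Errorf("bad version %q", installed)
			}
		}
		if x != y {
			return x > y, nil
		}
	}
	return false, nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // stands in for the key pinned in the client
	_, attackerPriv, _ := ed25519.GenerateKey(nil)       // attacker who controls the on-prem server
	legit := []byte("constructed: genuine 8.5.3 installer bytes")
	rogue := []byte("constructed: rogue installer that sideloads a DLL")
	genuine := SignRelease(vendorPriv, "8.5.3", legit)
	poisoned := SignRelease(attackerPriv, "8.5.3", rogue)
	fmt.Println("server-digest check, poisoned update:", VerifyServerDigest(poisoned, rogue))
	fmt.Println("pinned-key check, poisoned update:   ", VerifyPinned(vendorPub, "8.5.2", poisoned, rogue))
	fmt.Println("pinned-key check, genuine update:    ", VerifyPinned(vendorPub, "8.5.2", genuine, legit))
}
```

Run as written, the server-digest check accepts the attacker-signed package and the pinned-key check rejects it: the first check cannot tell a compromised server from a legitimate one, while the second reduces the server to a relay for bytes it cannot forge. The version comparison is the extra caveat worth keeping: once a client pins a key, the remaining lever for whoever holds the server is replaying an older, genuinely signed release, so the client should also refuse anything that is not newer than what it already runs.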


The TrueChaos campaign has been found to weaponize this flaw in the update mechanism, likely to deploy the open-source Havoc command-and-control (C2) framework to vulnerable endpoints. The activity has been attributed with moderate confidence to a Chinese-nexus threat actor.

Attacks exploiting the vulnerability were first recorded by the cybersecurity company at the start of 2026, with the implicit trust the client places in the update mechanism being weaponized to push a rogue installer that, in turn, uses DLL side-loading to launch a DLL backdoor.


The DLL implant (“7z-x64.dll”) has also been observed performing hands-on-keyboard actions to conduct reconnaissance, set up persistence, and retrieve additional payloads (“iscsiexe.dll”) from an FTP server (“47.237.15[.]197”). The primary purpose of “iscsiexe.dll” is to ensure the execution of a benign binary (“poweriso.exe”) that is dropped to sideload the backdoor.
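The chain above, a dropped benign binary sideloading an unsigned DLL from its own directory followed by a fetch from a fixed FTP server, is a tractable detection target. The Go program below is an added example written for this page, not detection logic from Check Point or TrueConf; it runs two rules over a constructed, pipe-separated telemetry format that stands in for Sysmon image-load and network-connection events. The log lines, the field names and the “user-writable directory” heuristic are assumptions made for the example; the DLL names and the server address are the ones the page reports (written undefanged so the matcher sees what telemetry would carry).

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one constructed endpoint telemetry record, roughly the fields a Sysmon
// image-load (kind=ImageLoad) or network-connection (kind=NetConnect) event carries.
type Event struct {
	Kind   string // "ImageLoad" or "NetConnect"
	Image  string // process executable path
	Loaded string // DLL path (ImageLoad only)
	Signed bool   // loaded DLL carried a valid signature (ImageLoad only)
	Dst    string // remote IP (NetConnect only)
}

// SampleLog is constructed for this example, not taken from the report. Lines 1 and 4
// mirror the chain on the page; lines 2 and 3 are benign loads the rules must not flag.
const SampleLog = `
kind=ImageLoad|image=C:\Users\Public\Tools\poweriso.exe|loaded=C:\Users\Public\Tools\7z-x64.dll|signed=false
kind=ImageLoad|image=C:\Program Files\7-Zip\7zFM.exe|loaded=C:\Program Files\7-Zip\7z.dll|signed=true
kind=ImageLoad|image=C:\Windows\System32\svchost.exe|loaded=C:\Windows\System32\iscsiexe.dll|signed=true
kind=NetConnect|image=C:\Users\Public\Tools\poweriso.exe|dst=47.237.15.197
`

// Indicators from the page: implant and payload DLL names, and the FTP server address.
var iocDLLs = map[string]bool{"7z-x64.dll": true, "iscsiexe.dll": true}
var iocIPs = map[string]bool{"47.237.15.197": true}

// ParseEvent parses one pipe-separated key=value line of the constructed format.
func ParseEvent(line string) (Event, error) {
	var e Event
	fields := map[string]*string{"kind": &e.Kind, "image": &e.Image, "loaded": &e.Loaded, "dst": &e.Dst}
	for _, f := range strings.Split(line, "|") {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return e, fmt.Errorf("malformed field %q", f)
		}
		if k == "signed" {
			e.Signed = v == "true"
		} else if p, known := fields[k]; known {
			*p = v
		} else {
			return e, fmt.Errorf("unknown key %q", k)
		}
	}
	return e, nil
}

// splitPath lower-cases a Windows path into directory (with trailing backslash) and file name.
func splitPath(p string) (dir, base string) {
	i := strings.LastIndex(p, `\`)
	return strings.ToLower(p[:i+1]), strings.ToLower(p[i+1:])
}

// userWritable is a coarse stand-in for "outside the system and vendor directories".
func userWritable(dir string) bool {
	return !strings.HasPrefix(dir, `c:\windows\`) && !strings.HasPrefix(dir, `c:\program files`)
}

// Alerts parses the log and applies two rules. Rule 1 is the generic side-loading shape:
// an unsigned DLL loaded from the loading process's own, user-writable directory. Rule 2
// matches the page's IOCs, but for DLL names only when signature or location also looks
// wrong, since implants borrow legitimate DLL names and a name-only match hits the real file.
func Alerts(text string) ([]string, error) {
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		e, err := ParseEvent(strings.TrimSpace(line))
		if err != nil {
			return nil, err
		}
		switch e.Kind {
		case "ImageLoad":
			procDir, proc := splitPath(e.Image)
			dllDir, dll := splitPath(e.Loaded)
			if !e.Signed && dllDir == procDir && userWritable(procDir) {
				out = append(out, fmt.Sprintf("side-load: %s loaded unsigned %s from %s", proc, dll, procDir))
			}
			if iocDLLs[dll] && (!e.Signed || userWritable(dllDir)) {
				out = append(out, fmt.Sprintf("ioc: TrueChaos DLL name %s loaded from %s", dll, dllDir))
			}
		case "NetConnect":
			if iocIPs[e.Dst] {
				_, proc := splitPath(e.Image)
				out = append(out, fmt.Sprintf("ioc: %s connected to TrueChaos FTP server %s", proc, e.Dst))
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := Alerts(SampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(findings, "\n"))
}
```

On the constructed sample this yields three findings, all for the poweriso.exe process: the generic side-load rule and the IOC-name rule both fire on the unsigned 7z-x64.dll load, and the network rule fires on the connection to the FTP server. The third sample line is the caveat: a signed DLL of the same name loaded from System32 produces nothing, which is the behaviour you want, because a side-loaded implant takes the name of a DLL its host genuinely loads and a filename-only indicator would light up every clean machine.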

Although the exact final-stage malware delivered as part of the attack isn’t clear, it is assessed with high confidence that the end goal is to deploy the Havoc implant.


TrueChaos’ links to a Chinese-nexus threat actor are based on the observed tactics, such as the use of DLL side-loading and of Alibaba Cloud and Tencent for C2 infrastructure, and the fact that the same victim was targeted during the same time frame by ShadowPad, a sophisticated backdoor widely used by China-linked hacking groups.

On top of that, the use of Havoc has been attributed to another Chinese threat actor called Amaranth-Dragon in intrusions aimed at government and law enforcement agencies across Southeast Asia in 2025.

“The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually,” Check Point said. “Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients. By replacing a legitimate update with a malicious one, they turned the product’s normal update flow into a malware distribution channel across multiple connected government networks.”
