TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks
"TrueChaos": TrueConf Zero-Day Exploited to Target Southeast Asian Governments
TL;DR
A high-severity zero-day vulnerability in TrueConf video conferencing software (CVE-2026-3502) has been exploited by a Chinese-nexus threat actor dubbed "TrueChaos." By compromising on-premises servers, attackers distributed "poisoned" updates to spread malware—likely the Havoc C2 framework—across government networks in Southeast Asia.
A sophisticated cyberattack campaign has been identified leveraging a zero-day vulnerability in the TrueConf client video conferencing software. The campaign, named "TrueChaos" by researchers at Check Point, specifically targets government entities across Southeast Asia.
The attack stands out for its efficiency: rather than compromising individual workstations, the threat actors exploited the trusted relationship between a central server and its connected endpoints to distribute malware at scale.
The Vulnerability: CVE-2026-3502
The flaw at the heart of this campaign is CVE-2026-3502, which carries a CVSS score of 7.8.
The security hole exists within the TrueConf Windows client’s update mechanism. Specifically, the software lacks a proper integrity check when fetching application update code. This allows an attacker who has gained control of an on-premises TrueConf server to substitute a legitimate update package with a "poisoned" version.
Because the client application does not enforce adequate validation to ensure the server-provided update is authentic and untampered, it pulls and executes the malicious code, resulting in arbitrary code execution across all connected endpoints.
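As an added illustration, not code from TrueConf or Check Point, the Go snippet below contrasts the two kinds of check the passage above distinguishes: a digest that travels with the update from the same server (useless once that server is attacker-controlled) and a vendor signature that must verify against a public key pinned in the client build, which a compromised on-premises server cannot forge. The Ed25519 scheme, the function names, the sample installer bytes and the key pair are constructed assumptions for the example, not TrueConf's actual update mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// UpdatePackage models what an on-premises server hands to the client during an update.
type UpdatePackage struct {
	Installer []byte
	Digest    []byte // server-supplied sha256(Installer): attacker-controlled once the server is
	Signature []byte // vendor Ed25519 signature over sha256(Installer): the server holds no signing key
}

// WeakCheck does not help: the digest comes from the same compromised server as the installer.
func WeakCheck(pkg UpdatePackage) bool {
	sum := sha256.Sum256(pkg.Installer)
	return subtle.ConstantTimeCompare(sum[:], pkg.Digest) == 1
}

// VerifyUpdate is the check to run before executing any server-provided update: the signature
// must verify against a vendor public key pinned in the client build, never one sent by the server.
func VerifyUpdate(vendorPub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(vendorPub) != ed25519.PublicKeySize || len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("missing pinned vendor key or malformed signature")
	}
	sum := sha256.Sum256(pkg.Installer)
	if !ed25519.Verify(vendorPub, sum[:], pkg.Signature) {
		return errors.New("update rejected: signature does not verify against pinned vendor key")
	}
	return nil
}

// BuildPackage stands in for the vendor's release pipeline (constructed for this example).
func BuildPackage(vendorPriv ed25519.PrivateKey, installer []byte) UpdatePackage {
	sum := sha256.Sum256(installer)
	return UpdatePackage{Installer: installer, Digest: sum[:], Signature: ed25519.Sign(vendorPriv, sum[:])}
}

// Poison models the server-side swap described above: the attacker replaces the installer and
// recomputes the digest, but has no way to produce a vendor signature for the new bytes.
func Poison(pkg UpdatePackage, rogue []byte) UpdatePackage {
	sum := sha256.Sum256(rogue)
	return UpdatePackage{Installer: rogue, Digest: sum[:], Signature: pkg.Signature}
}

// Scenario builds a legitimate and a poisoned package and reports how each check fares.
func Scenario() (weakPassesPoisoned bool, legitErr, poisonedErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	legit := BuildPackage(priv, []byte("constructed installer v8.5.3"))
	poisoned := Poison(legit, []byte("constructed rogue installer"))
	return WeakCheck(poisoned), VerifyUpdate(pub, legit), VerifyUpdate(pub, poisoned)
}
```

In a real client the signed data should also carry a version number and product identifier so that an attacker holding an old, genuinely signed installer cannot replay it as a downgrade.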
Anatomy of the "TrueChaos" Attack
According to Check Point, attacks exploiting this flaw began in early 2026. The attackers utilized the following multi-stage process:
- Server Compromise: The actor gains control of the on-premises TrueConf server.
- Poisoned Update: A rogue installer is pushed to the client application via the normal update flow.
- DLL Side-Loading: The rogue installer uses DLL side-loading to launch a backdoor implant named 7z-x64.dll.
- Reconnaissance & Persistence: The implant performs hands-on-keyboard actions to scout the network and establish a foothold.
- Secondary Payload: The attackers retrieve additional payloads (such as iscsiexe.dll) from an FTP server (47.237.15[.]197).
- Final Stage: While the final malware is not definitively confirmed, researchers assess with high confidence that the goal is to deploy the Havoc command-and-control (C2) framework.
Attribution to Chinese-Nexus Actors
Check Point has attributed the TrueChaos campaign to a Chinese-nexus threat actor with moderate confidence. This assessment is based on several key indicators:
- Tactics and Infrastructure: The use of specific DLL side-loading techniques and the utilization of Alibaba Cloud and Tencent for C2 infrastructure.
- ShadowPad Overlap: The same victims were targeted during the same period by ShadowPad, a sophisticated backdoor heavily associated with Chinese hacking groups.
- Historical Precedent: The use of the Havoc framework mirrors a 2025 campaign by a Chinese actor known as Amaranth-Dragon, which also targeted Southeast Asian government and law enforcement agencies.
Mitigation and Patching
This vulnerability highlights the dangers of the "implicit trust" placed in internal update servers. "By replacing a legitimate update with a malicious one, [the attackers] turned the product’s normal update flow into a malware distribution channel," Check Point noted.
TrueConf has addressed this security flaw. The vulnerability is patched in the TrueConf Windows client starting with version 8.5.3, released earlier this month. Organizations using on-premises TrueConf solutions are urged to update their clients and servers immediately to prevent exploitation.
Source: The Hacker News - TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks