
A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos.
The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a missing integrity check when fetching application update code, allowing an attacker to distribute a tampered update and achieve arbitrary code execution. It has been patched in the TrueConf Windows client starting with version 8.5.3, released earlier this month.
“The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints,” Check Point said in a report published today.
In other words, an attacker who manages to gain control of the on-premises TrueConf server can replace the update package with a poisoned version, which is then pulled by the client application installed on customers’ endpoints, because the client does not perform adequate validation to ensure that the server-provided update has not been tampered with.
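To make the flaw class concrete, the following Go sketch (an added example, not TrueConf's code and not taken from the Check Point report) contrasts an updater that trusts only a server-supplied hash with one that verifies a vendor signature under a key pinned in the client, so a compromised on-premises server cannot substitute its own package. The package field names, the Ed25519 scheme and the sample installer bytes are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage models what an on-premises update server hands the client (hypothetical
// field names): installer bytes, the SHA-256 the server claims, and a vendor signature.
type UpdatePackage struct {
	Installer []byte
	ServerSHA [32]byte
	VendorSig []byte
}
var ErrTampered = errors.New("update rejected: integrity check failed")

// BuildSignedPackage stands in for the vendor's release pipeline: the installer is
// signed with an offline key that the on-premises update server never holds.
func BuildSignedPackage(vendorPriv ed25519.PrivateKey, installer []byte) UpdatePackage {
	return UpdatePackage{installer, sha256.Sum256(installer), ed25519.Sign(vendorPriv, installer)}
}

// AcceptUpdateWeak reproduces the flaw class: the only check is a hash that arrived from
// the same server as the installer, so whoever controls the server can swap both.
func AcceptUpdateWeak(p UpdatePackage) error {
	if sha256.Sum256(p.Installer) != p.ServerSHA {
		return ErrTampered
	}
	return nil
}

// AcceptUpdateSigned is the hardened form: verify against a vendor public key pinned in
// the client at build time; a compromised server cannot forge a vendor signature.
func AcceptUpdateSigned(vendorPub ed25519.PublicKey, p UpdatePackage) error {
	if !ed25519.Verify(vendorPub, p.Installer, p.VendorSig) {
		return ErrTampered
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := BuildSignedPackage(priv, []byte("constructed sample installer"))
	swapped := []byte("constructed sample installer with side-loaded DLL") // server-side swap
	tampered := UpdatePackage{swapped, sha256.Sum256(swapped), genuine.VendorSig}
	fmt.Println(AcceptUpdateWeak(tampered), AcceptUpdateSigned(pub, tampered)) // accepted, then rejected
}
```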
The TrueChaos campaign has been found to weaponize this flaw in the update mechanism to likely deploy the open-source Havoc command-and-control (C2) framework to vulnerable endpoints. The activity has been attributed with moderate confidence to a China-nexus threat actor.
Attacks exploiting the vulnerability were first recorded by the cybersecurity company at the start of 2026, with the implicit trust the client places in the update mechanism being weaponized to push a rogue installer that, in turn, leverages DLL side-loading to launch a DLL backdoor.

The DLL implant (“7z-x64.dll”) has also been observed performing hands-on-keyboard actions to conduct reconnaissance, set up persistence, and retrieve additional payloads (“iscsiexe.dll”) from an FTP server (“47.237.15[.]197”). The primary purpose of “iscsiexe.dll” is to ensure the execution of a benign binary (“poweriso.exe”) that is dropped to sideload the backdoor.
Although the exact final-stage malware delivered as part of the attack is not clear, it is assessed with high confidence that the end goal is to deploy the Havoc implant.
TrueChaos’ links to a China-nexus threat actor are based on the observed tactics, such as the use of DLL side-loading, Alibaba Cloud, and Tencent for C2 infrastructure, and the fact that the same victim was targeted within the same time frame by ShadowPad, a sophisticated backdoor widely used by China-linked hacking groups.
On top of that, the use of Havoc has been attributed to another Chinese threat actor known as Amaranth-Dragon in intrusions aimed at government and law enforcement agencies across Southeast Asia in 2025.
“The exploitation of CVE-2026-3502 didn’t require the attacker to compromise each endpoint individually,” Check Point said. “Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients. By replacing a legitimate update with a malicious one, they turned the product’s normal update flow into a malware distribution channel across multiple connected government networks.”