Check Point Research disclosed Operation TrueChaos yesterday — a targeted campaign by a suspected Chinese-nexus threat actor that exploited a zero-day in TrueConf’s Windows client to backdoor government agencies across Southeast Asia.

The vulnerability

CVE-2026-3502 (CVSS 7.8) is a missing integrity check in TrueConf’s application update mechanism. The client blindly trusts whatever the on-premises TrueConf server tells it to install. No signature verification, no hash validation — just fetch and execute.

An attacker who compromises a single TrueConf server gets code execution on every connected endpoint for free. That turns a video conferencing platform into a malware distribution channel.

The attack chain

The threat actor gained access to a central TrueConf server operated by a government IT organization. From there, the kill chain was straightforward:

  1. Replace the legitimate client update (trueconf_windows_update.exe) with a trojanized version
  2. The rogue installer drops a malicious DLL (7z-x64.dll) that gets loaded via DLL sideloading
  3. The backdoor performs recon, establishes persistence, and pulls additional payloads from an FTP server
  4. A second-stage implant (iscsiexe.dll) sideloads through a legitimate binary (poweriso.exe) to deploy the Havoc C2 framework

Every agency connected to that server — and trusting its updates — was automatically compromised. One server, many victims.

Attribution

Check Point assesses with moderate confidence that this is a Chinese-nexus operation. The indicators line up: DLL sideloading is a signature TTP, the C2 infrastructure sits on Alibaba Cloud and Tencent hosting, and the targeting of Southeast Asian government entities fits the strategic interest profile.

The use of Havoc — an open-source C2 framework — is notable. It’s increasingly popular among APT groups because it’s free, extensible, and blends in with red team activity.

Why this matters

This is a textbook software supply chain attack, but against on-premises infrastructure rather than a public package registry. Organizations running self-hosted collaboration tools often assume their update pipeline is safe because it’s internal. TrueChaos proves that assumption wrong.

The attack also highlights a growing pattern: threat actors are targeting the management plane of enterprise software. Control the server, control the fleet.

What to do

  1. Update TrueConf immediately — version 8.5.3 patches CVE-2026-3502
  2. Audit your TrueConf server — check for unauthorized access, unexpected configuration changes, or tampered update packages
  3. Hunt for IOCs — look for 7z-x64.dll and iscsiexe.dll sideloading activity, connections to Alibaba Cloud and Tencent IP ranges from internal hosts
  4. Review update trust models — if your software blindly trusts an internal server for updates, assume that trust can be abused
  5. If you don’t use TrueConf, take this as a prompt to audit the update mechanisms of whatever on-prem collaboration tools you do run
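A starting point for the hunt in step 3, as an added example that is not part of Check Point's write-up: it runs a sideloading check over Sysmon-style ImageLoad records (Event ID 7 fields `Image`, `ImageLoaded`, `SignatureStatus`) and flags the two DLL names from the report when they are loaded from outside the Windows system directories or without a valid signature. The sample events are constructed, and the assumption that legitimate copies of these DLLs live only under System32/SysWOW64 is mine, not the report's.

```python
import ntpath

# DLL names reported in Operation TrueChaos (from the Check Point write-up).
IOC_DLLS = {"7z-x64.dll", "iscsiexe.dll"}

# Assumption: a legitimately installed DLL with one of these names lives here;
# a same-named copy loaded from a user-writable directory is the sideloading pattern.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_sideload_candidate(event: dict) -> bool:
    """Return True for an ImageLoad record that matches the TrueChaos sideloading pattern."""
    loaded = event.get("ImageLoaded", "")
    # ntpath handles backslash paths correctly even when this runs on Linux.
    if ntpath.basename(loaded).lower() not in IOC_DLLS:
        return False
    path = loaded.lower().replace("/", "\\")
    outside_trusted = not path.startswith(TRUSTED_DIRS)
    unsigned = event.get("SignatureStatus", "").lower() != "valid"
    return outside_trusted or unsigned


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Return (loading process, loaded DLL) pairs worth triaging."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry, not real events from any incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",                     # benign: system copy
     "ImageLoaded": r"C:\Windows\System32\iscsiexe.dll", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\poweriso.exe",      # sideload via poweriso.exe
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\iscsiexe.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\Downloads\trueconf_windows_update.exe",  # rogue installer drops DLL
     "ImageLoaded": r"C:\Users\alice\Downloads\7z-x64.dll", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\7-Zip\7zFM.exe",                     # benign: different DLL name
     "ImageLoaded": r"C:\Program Files\7-Zip\7z.dll", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for image, dll in hunt(SAMPLE_EVENTS):
        print(f"sideload candidate: {image} loaded {dll}")
```

Feed it your real Sysmon exports in the same field layout; a DLL loaded by a signed host binary from a temp or download directory is the load worth pulling for analysis first.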