Ethical Hacking News
A newly discovered zero-day vulnerability in the TrueConf video conferencing software has been exploited by Chinese-nexus threat actors targeting Southeast Asian government networks. Understanding the implications of this critical vulnerability is crucial for implementing effective patching strategies and staying ahead of emerging threats.
The TrueConf video conferencing software has a critical zero-day vulnerability (CVE-2026-3502) that can be exploited by attackers. The vulnerability allows an attacker to distribute tampered updates, resulting in the execution of arbitrary code. The flaw is attributed to a lack of integrity checks when fetching application update code, which attackers leveraged to deploy a backdoor dubbed "TrueChaos." Check Point identified the vulnerability and its exploitation, noting that it did not require compromising each endpoint individually because clients trust the central server. The attack is part of the TrueChaos campaign, which also uses the open-source Havoc command-and-control framework on vulnerable endpoints. The primary objective is to deploy the Havoc implant, and the activity is connected to a Chinese-nexus threat actor based on observed tactics and techniques. Organizations using TrueConf software should implement a patching strategy, as the vulnerability has been patched in version 8.5.3.
The recent disclosure of a critical zero-day vulnerability in the TrueConf video conferencing software has sent shockwaves through the cybersecurity community. The vulnerability, identified as CVE-2026-3502 and carrying a CVSS score of 7.8, has been successfully exploited by threat actors in a campaign targeting government entities in Southeast Asia.
The vulnerability itself is attributed to a lack of integrity checks when fetching application update code, allowing an attacker to distribute tampered updates that can result in the execution of arbitrary code. This weakness was leveraged by attackers to create a backdoor dubbed "TrueChaos," which has been linked to a Chinese-nexus threat actor.
According to Check Point, a cybersecurity company that first identified the vulnerability and its exploitation, the flaw stems from the abuse of TrueConf's updater validation mechanism. This mechanism allows an attacker who controls the on-premises TrueConf server to distribute malicious updates across all connected endpoints, as there is inadequate validation to ensure that the server-provided update has not been tampered with.
In a statement released by Check Point, it was noted that "The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually. Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients." This highlights how easily an attacker can exploit this vulnerability, given the trust placed in the update mechanism.
Attacks utilizing this vulnerability have been found to be part of the TrueChaos campaign, which has also weaponized the open-source Havoc command-and-control (C2) framework on vulnerable endpoints. The activity associated with the campaign is attributed to a Chinese-nexus threat actor and relies on DLL side-loading to launch the backdoor DLL.
The immediate objective of the attack chain is to execute a benign binary ("poweriso.exe") that in turn side-loads the backdoor DLL, referred to as "7z-x64.dll." That implant was observed performing hands-on-keyboard actions to conduct reconnaissance, set up persistence, and retrieve additional payloads from an FTP server.
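As an added defensive example (not code from Check Point, TrueConf, or the original article), the side-loading chain described above can be surfaced from endpoint image-load telemetry. The event records below are constructed to resemble Sysmon Event ID 7 (ImageLoad) fields; the paths, user name and "Signed" values are assumptions, and only the poweriso.exe / 7z-x64.dll pairing comes from the report. The second rule generalizes that pairing to any 7-Zip-named DLL loaded by a non-7-Zip host from its own user-writable directory.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry shaped like Sysmon Event ID 7 (ImageLoad) records.
# Paths, the user name and the "Signed" values are assumptions for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "ImageLoaded": r"C:\Program Files\7-Zip\7z.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tc_upd\poweriso.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\tc_upd\7z-x64.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\PowerISO\PowerISO.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\7z-x64.dll", "Signed": "false"},
]

# Host/DLL pair named in the TrueChaos reporting.
REPORTED_PAIRS = {("poweriso.exe", "7z-x64.dll")}
# 7-Zip's own installation directories, where a 7z*.dll load is expected (assumed).
LEGIT_7ZIP_DIRS = {r"c:\program files\7-zip", r"c:\program files (x86)\7-zip"}


def _in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return low.startswith(r"c:\users") or "\\appdata\\" in low or "\\temp\\" in low


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a detection label for one ImageLoad event, or None if it looks benign."""
    host = ntpath.basename(event["Image"]).lower()
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    host_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    if (host, dll) in REPORTED_PAIRS:
        return "truechaos-sideload-pair"
    # Generic form of the technique: a DLL carrying a 7-Zip-style name, unsigned,
    # loaded from the host's own user-writable directory by something that is not 7-Zip.
    looks_like_7zip_dll = dll.startswith("7z") and dll.endswith(".dll")
    if (looks_like_7zip_dll and host_dir == dll_dir
            and dll_dir not in LEGIT_7ZIP_DIRS and _in_user_writable_dir(dll_dir)
            and event.get("Signed", "").lower() != "true"):
        return "suspicious-7z-dll-sideload"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (label, host image path) for every event that matches a rule."""
    return [(label, ev["Image"]) for ev in events if (label := classify(ev))]
```

Tune `LEGIT_7ZIP_DIRS` and the writable-directory heuristic to your estate before deploying; the first rule is a narrow indicator match, the second is where false positives would come from.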
Although the exact final-stage malware delivered in the attack is not entirely clear, it has been assessed with high confidence that the end goal is to deploy the Havoc implant. The connections to a Chinese-nexus threat actor rest primarily on observed tactics, such as the use of DLL side-loading, the use of Alibaba Cloud and Tencent for C2 infrastructure, and the fact that the same victim was targeted by ShadowPad, a sophisticated backdoor widely used by China-linked hacking groups.
The use of Havoc has also been linked to another Chinese threat actor called Amaranth-Dragon in intrusions aimed at government and law enforcement agencies across Southeast Asia in 2025. This highlights the interconnected nature of threat actors within the region, as well as their tactics and techniques.
In light of this critical vulnerability's successful exploitation, it is crucial for organizations utilizing TrueConf video conferencing software to ensure they implement a patching strategy, as the vulnerability has been patched in the TrueConf Windows client starting with version 8.5.3, released earlier this month.
The incident serves as a reminder of the risks associated with the abuse of trusted update mechanisms and highlights the importance of vigilance in cybersecurity. As threat actors continue to evolve their tactics and exploit new vulnerabilities, it is essential for organizations to stay informed about emerging threats and implement proactive measures to protect themselves against potential attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Zero-Day-Exploitation-in-Southeast-Asian-Government-Networks-ehn.shtml
https://thehackernews.com/2026/03/trueconf-zero-day-exploited-in-attacks.html
Published: Tue Mar 31 12:12:09 2026 by llama3.2 3B Q4_K_M