TrueConf and Government entities in Southeast Asia: TrueConf Vulnerability Under Active Exploitation in Southeast Asia Government Attacks


Critical Zero-Day in TrueConf Video Conferencing Exploited in Targeted Espionage Campaign

Check Point Research uncovered a high-severity zero-day vulnerability (CVE-2026-3502, CVSS 7.8) in the TrueConf video conferencing client, actively exploited in a campaign dubbed Operation TrueChaos against government entities in Southeast Asia. The flaw stems from insufficient security checks in the application’s update mechanism, allowing attackers to distribute malicious payloads via the trusted update system.

TrueConf, widely used by government, military, and critical infrastructure sectors, operates on secure, on-premises networks. However, the vulnerability enables threat actors to compromise the central TrueConf server and replace legitimate updates with weaponized packages. When clients fetch the update, they unknowingly execute the malicious files, leading to system compromise.

In observed attacks, the threat actor gained access to a government IT department’s TrueConf server, infecting connected endpoints across multiple agencies. The attack chain involved DLL side-loading, network reconnaissance, and privilege escalation, culminating in the deployment of the Havoc post-exploitation framework. Key indicators include unsigned update files, the presence of poweriso.exe or 7z-x64.dll in the ProgramData folder, and unauthorized registry modifications.
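The weakness described in the two paragraphs above comes down to a client installing whatever its update server serves. The following is an added example, not TrueConf's code and not a description of its real update format, showing the client-side check that turns a compromised update server into a failed update rather than a compromised endpoint: a package is accepted only if it carries a signature that verifies under a publisher key pinned in the client and is newer than the installed build. The type and function names (UpdatePackage, SignUpdate, VerifyUpdate, NewerThan), the "version\ndigest" signing input and the choice of Ed25519 are assumptions made for illustration; the version number 8.5.3 is the one from the article, and the installer bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// UpdatePackage models what a client fetches from its update server.
// The layout is hypothetical; it does not describe TrueConf's real format.
type UpdatePackage struct {
	Version   string
	Payload   []byte // installer bytes
	Signature []byte // Ed25519 signature by the publisher; empty means unsigned
}

// signingInput binds the version string to the payload digest, so an attacker
// who controls the server can neither pair a valid signature with a different
// payload nor relabel an old, vulnerable build as the newest release.
func signingInput(version string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return append([]byte(version+"\n"), sum[:]...)
}

// SignUpdate is the publisher-side step. The private key belongs on the
// vendor's release-signing system, never on the update server the clients
// talk to, so taking over that server does not yield valid signatures.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signingInput(version, payload)),
	}
}

// parseVersion turns "8.5.3" into [8 5 3]; anything non-numeric is an error.
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(v, ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, fmt.Errorf("malformed version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// NewerThan reports whether candidate is strictly newer than installed.
func NewerThan(candidate, installed string) (bool, error) {
	a, err := parseVersion(candidate)
	if err != nil {
		return false, err
	}
	b, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			return x > y, nil
		}
	}
	return false, nil
}

// VerifyUpdate is the client-side check a compromised server has to defeat:
// the package must be signed, the signature must verify under the key pinned
// in the client, and the version must move forward.
func VerifyUpdate(pinned ed25519.PublicKey, installed string, pkg UpdatePackage) error {
	if len(pkg.Signature) == 0 {
		return errors.New("rejected: update is unsigned")
	}
	if !ed25519.Verify(pinned, signingInput(pkg.Version, pkg.Payload), pkg.Signature) {
		return errors.New("rejected: signature does not verify under the pinned publisher key")
	}
	newer, err := NewerThan(pkg.Version, installed)
	if err != nil {
		return err
	}
	if !newer {
		return errors.New("rejected: not newer than the installed version (possible downgrade)")
	}
	return nil
}

func main() {
	// Constructed demo: publisher key pair and a genuine 8.5.3 package.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := SignUpdate(priv, "8.5.3", []byte("constructed installer bytes"))
	fmt.Println("genuine:", VerifyUpdate(pub, "8.5.2", good))

	// Attacker on the server swaps the payload but cannot re-sign it.
	tampered := good
	tampered.Payload = []byte("constructed malicious installer")
	fmt.Println("tampered payload:", VerifyUpdate(pub, "8.5.2", tampered))

	// Attacker strips the signature (the "unsigned update files" indicator).
	unsigned := good
	unsigned.Signature = nil
	fmt.Println("unsigned:", VerifyUpdate(pub, "8.5.2", unsigned))

	// Attacker signs with a key of their own, which the client does not pin.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(attackerPriv, "8.5.4", []byte("constructed malicious installer"))
	fmt.Println("attacker-signed:", VerifyUpdate(pub, "8.5.2", forged))
}
```

Run with `go run`; the genuine package verifies and the other three are refused with the reason. The point of the design is where the trust lives: the client trusts a pinned publisher key, not the server it downloads from, so an actor who replaces packages on the server can only produce updates that fail the first or second check. The version check closes the remaining gap, a captured old but validly signed build being served as if it were new.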

Researchers attribute the campaign to a Chinese-nexus threat actor, citing tactics, infrastructure, and victim profiles consistent with known espionage operations. TrueConf has released version 8.5.3 to patch the vulnerability. Defenders are advised to monitor for compromise indicators, including the listed malicious files and command-and-control (C2) IP addresses.

Source: https://gbhackers.com/trueconf-vulnerability-under-active-exploitation/

US-ASEAN Business Council cybersecurity rating report: https://www.rankiteo.com/company/usaseanbusiness

TrueConf cybersecurity rating report: https://www.rankiteo.com/company/trueconf

{
  "id": "USATRU1775032190",
  "linkid": "usaseanbusiness, trueconf",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Government/Military',
                        'location': 'Southeast Asia',
                        'name': 'Government entities in Southeast Asia',
                        'type': 'Government'}],
 'attack_vector': 'Malicious update distribution via trusted update mechanism',
 'description': 'Check Point Research uncovered a high-severity zero-day '
                'vulnerability (CVE-2026-3502, CVSS 7.8) in the TrueConf video '
                'conferencing client, actively exploited in a campaign dubbed '
                '*Operation TrueChaos* against government entities in '
                'Southeast Asia. The flaw stems from insufficient security '
                'checks in the application’s update mechanism, allowing '
                'attackers to distribute malicious payloads via the trusted '
                'update system. The attack chain involved DLL side-loading, '
                'network reconnaissance, and privilege escalation, culminating '
                'in the deployment of the *Havoc* post-exploitation framework.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'TrueConf',
            'operational_impact': 'System compromise, unauthorized access to '
                                  'government networks',
            'systems_affected': 'TrueConf video conferencing clients and '
                                'connected endpoints'},
 'initial_access_broker': {'entry_point': 'TrueConf server compromise',
                           'high_value_targets': 'Government IT departments, '
                                                 'connected endpoints'},
 'motivation': 'Espionage',
 'post_incident_analysis': {'corrective_actions': 'Patch released (TrueConf '
                                                  '8.5.3), monitoring for '
                                                  'compromise indicators',
                            'root_causes': 'Insufficient security checks in '
                                           "TrueConf's update mechanism"},
 'recommendations': 'Defenders are advised to monitor for compromise '
                    'indicators, including malicious files (e.g., '
                    '*poweriso.exe*, *7z-x64.dll*) and unauthorized registry '
                    'modifications, and apply the TrueConf 8.5.3 patch.',
 'references': [{'source': 'Check Point Research'}],
 'response': {'enhanced_monitoring': 'Monitor for compromise indicators '
                                     '(malicious files, C2 IP addresses)',
              'remediation_measures': 'TrueConf released version 8.5.3 to '
                                      'patch the vulnerability',
              'third_party_assistance': 'Check Point Research'},
 'threat_actor': 'Chinese-nexus threat actor',
 'title': 'Critical Zero-Day in TrueConf Video Conferencing Exploited in '
          'Targeted Espionage Campaign',
 'type': 'Zero-Day Exploitation',
 'vulnerability_exploited': 'CVE-2026-3502 (CVSS 7.8)'}