A high-severity flaw (CVE-2026-3502) in TrueConfβs Windows client updater was exploited in the wild to distribute tampered updates and execute arbitrary code across connected endpoints. The TrueChaos campaign, linked to a Chinese-nexus threat actor, weaponized the bug to deploy DLL side-loading implants and likely the Havoc C2 framework against government targets in Southeast Asia. #TrueChaos #Havoc
Keypoints
- CVE-2026-3502 (CVSS 7.8) allows attackers to distribute tampered updates due to lack of integrity checks in TrueConfβs updater.
- An attacker who controls an on-premises TrueConf server can push a malicious update to all connected clients.
- TrueChaos has exploited the flaw to deliver a DLL backdoor via DLL side-loading (7z-x64.dll) and retrieve additional payloads (iscsiexe.dll) from an FTP server.
- The campaign likely aims to deploy the Havoc C2 framework and uses poweriso.exe to sideload the backdoor.
- Activity is linked to a Chinese-nexus threat actor with overlaps to ShadowPad activity; TrueConf patched the issue in Windows client v8.5.3.
Read More: https://thehackernews.com/2026/03/trueconf-zero-day-exploited-in-attacks.html