Attackers exploited a zero-day in TrueConfβs update mechanism (CVE-2026-3502) to replace legitimate updates with malicious executables and distribute them to all connected endpoints. Check Point links the TrueChaos campaign to Chinese-nexus activity and observed DLL sideloading, UAC bypass, reconnaissance, and likely use of the Havoc C2; TrueConf versions 8.1.0β8.5.2 were patched in 8.5.3 (March 2026). #TrueConf #Havoc
Keypoints
- A missing integrity check in TrueConfβs update mechanism (CVE-2026-3502) allowed malicious update replacement.
- The TrueChaos campaign exploited compromised on-premises TrueConf servers to push fake updates to all clients.
- The attack chain featured DLL sideloading, reconnaissance, UAC bypass, privilege escalation, and persistence.
- Key IoCs include poweriso.exe, 7z-x64.dll, %AppData%RoamingAdobeupdate.7z, and iscsiexe.dll, with victims including government and critical infrastructure organizations.