Operation TrueChaos: Zero-Day in TrueConf Update Process Hit Southeast Asian Government Networks

TrueConf logo on a dark background with blue light streaks, representing the CVE-2026-3502 zero-day vulnerability disclosure

Check Point Research has disclosed Operation TrueChaos, a targeted espionage campaign that exploited a zero-day vulnerability in the TrueConf video conferencing platform to push malicious updates to government networks across Southeast Asia. The campaign was active at the start of 2026 and is assessed with moderate confidence as tied to a Chinese-nexus threat actor.

The Vulnerability: CVE-2026-3502

The zero-day, tracked as CVE-2026-3502 with a CVSS score of 7.8, resides in TrueConf’s on-premises update validation mechanism. When a TrueConf client starts, it checks its connected on-premises server for available updates. The flaw stems from the absence of integrity and authenticity checks in that update flow. An attacker who controls an on-premises TrueConf server can replace the expected update package with an arbitrary executable and distribute it to every connected client across the network, all under the guise of a legitimate software update. The vulnerability affects TrueConf client versions 8.1.0 through 8.5.2.

TrueConf is used by more than 100,000 organizations globally, with a heavy presence in government, military, and critical infrastructure environments where its air-gapped, on-premises deployment model is valued for data isolation. That same architecture made it an ideal vector: compromising one central server gave the attacker reach across every connected endpoint in the affected government’s network.
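The flaw described above is the absence of integrity and authenticity checks before a downloaded package is executed. The following PowerShell script is an added example, not TrueConf's code, of the gate a client-side updater should apply before running anything it fetched from an on-premises server: a valid Authenticode chain, a pinned signer subject, and a SHA-256 value that the update server cannot dictate on its own. The package path, the publisher subject and the expected hash are placeholders you would replace with your own values.

```powershell
# Added example (not TrueConf's code): a hardened pre-install gate for a
# downloaded update package. All three values below are placeholders/assumptions.
param(
    [string]$PackagePath       = 'C:\Temp\trueconf_windows_update.exe',      # assumed download location
    [string]$ExpectedPublisher = 'CN=EXPECTED PUBLISHER, O=Example Vendor',  # placeholder: the vendor's real signing subject
    [string]$ExpectedSha256    = '<SHA256 FROM A SIGNED MANIFEST OR PINNED OUT OF BAND>'
)

function Test-UpdatePackage {
    param([string]$Path, [string]$Publisher, [string]$Sha256)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Ok = $false; Reason = 'package not found' }
    }

    # 1. Authenticity: the Authenticode chain must validate to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "signature status $($sig.Status)" }
    }

    # 2. Pin the signer: a valid signature from *any* publisher is not enough,
    #    since whoever controls the server can sign with their own certificate.
    if ($sig.SignerCertificate.Subject -ne $Publisher) {
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected signer $($sig.SignerCertificate.Subject)" }
    }

    # 3. Integrity: the hash must match a value obtained independently of the
    #    server that served the package (signed manifest, pinned release notes).
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.ToUpperInvariant()) {
        return [pscustomobject]@{ Ok = $false; Reason = 'hash mismatch' }
    }

    [pscustomobject]@{ Ok = $true; Reason = 'signature, signer and hash verified' }
}

$result = Test-UpdatePackage -Path $PackagePath -Publisher $ExpectedPublisher -Sha256 $ExpectedSha256
if ($result.Ok) {
    Write-Host "OK: $($result.Reason)"
    # Only at this point would the installer be launched, e.g.
    # Start-Process -FilePath $PackagePath -Wait
} else {
    Write-Warning "Refusing to run update: $($result.Reason)"
    exit 1
}
```

The order matters: the signature check rejects tampered bytes, the signer pin rejects a package that is validly signed by the wrong party, and the out-of-band hash rejects a package the server swapped in even if it somehow carries the right signer. Any one check on its own leaves the attacker described in this article with a path through.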

How the Attack Unfolded

In the observed campaign, attackers had already replaced the update package on a government-operated TrueConf server before victims interacted with it. A link sent to targets launched the TrueConf client and presented a routine update prompt. The downloaded package appeared to upgrade the client from version 8.5.1 to 8.5.2 successfully, but alongside legitimate components it silently dropped a malicious DLL that was loaded through DLL side-loading.

Following initial execution, the attackers conducted hands-on-keyboard reconnaissance and modified registry values to enable UAC bypass via the legitimate Windows binary iscsicpl.exe. The attacker placed a malicious iscsiexe.dll in a user-controlled directory referenced through the user’s %PATH%, causing Windows to load it in the context of the elevated iscsicpl.exe process, resulting in privilege escalation without a UAC prompt. Network communication to attacker-controlled infrastructure running the Havoc post-exploitation framework was observed. Havoc is an open-source command-and-control framework capable of executing commands, managing processes, manipulating Windows tokens, executing shellcode, and deploying additional payloads. Check Point assessed with high confidence that Havoc was the final-stage payload.

Notably, the same victim was targeted by ShadowPad malware within the same timeframe, suggesting possible overlap between multiple China-aligned operators or shared access to the same target environment.

Chinese Nexus Attribution

Check Point Research attributes Operation TrueChaos to a Chinese-nexus threat actor with moderate confidence. The assessment is based on TTPs consistent with Chinese-nexus operations including DLL side-loading, the use of Alibaba Cloud and Tencent hosting for command-and-control infrastructure, and victimology that aligns with Chinese strategic interests in Southeast Asia. The Havoc post-exploitation framework has also appeared in other Chinese-nexus activity documented by Check Point Research, including the recently disclosed Amaranth Dragon campaign.

Patch and Detection Guidance

Check Point Research responsibly disclosed CVE-2026-3502 to TrueConf, which issued a fix in version 8.5.3 of the Windows client, released in March 2026. Organizations running on-premises TrueConf deployments should update immediately.

Key indicators of compromise to hunt for include an unsigned trueconf_windows_update.exe, the presence of C:\ProgramData\PowerISO\poweriso.exe, a registry autorun entry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck pointing to that path, and recent creation or deletion of files including update.7z, iscsiexe.dll, or rom.dat. The full technical analysis, IOC list, and hunting recommendations are available in Check Point Research’s published report.
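The indicators listed above are simple to sweep for on a single Windows host. The script below is an added example, not part of Check Point Research's report, that checks each of them in turn and also looks for the side-loading condition from the privilege-escalation section (an iscsiexe.dll in a PATH directory outside the Windows folder). The search roots and the seven-day lookback window are assumptions; widen them for your own estate.

```powershell
# Added example (not from Check Point's report): local triage for the
# Operation TrueChaos indicators named in this article.
$SearchRoots  = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:TEMP")  # assumed locations to sweep
$LookbackDays = 7                                                              # assumed window
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Indicator, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Unsigned update binary: a genuine package should carry a valid signature.
Get-ChildItem -Path $SearchRoots -Recurse -Filter 'trueconf_windows_update.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            Add-Finding 'unsigned trueconf_windows_update.exe' "$($_.FullName) (status: $($sig.Status))"
        }
    }

# 2. Dropped binary at the path named in the report.
$Dropped = 'C:\ProgramData\PowerISO\poweriso.exe'
if (Test-Path -LiteralPath $Dropped) { Add-Finding 'dropped poweriso.exe' $Dropped }

# 3. Autorun persistence: HKCU\...\Run\UpdateCheck, flagged harder if it points at that path.
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$Run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($Run -and $Run.PSObject.Properties['UpdateCheck']) {
    $val  = [string]$Run.UpdateCheck
    $note = if ($val -like '*PowerISO\poweriso.exe*') { ' <- matches reported path' } else { '' }
    Add-Finding 'Run\UpdateCheck autorun' "$val$note"
}

# 4. Recently created files with the reported names.
$Since = (Get-Date).AddDays(-$LookbackDays)
Get-ChildItem -Path $SearchRoots -Recurse -Include 'update.7z','iscsiexe.dll','rom.dat' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since } |
    ForEach-Object { Add-Finding 'recent staged file' "$($_.FullName) created $($_.CreationTime)" }

# 5. iscsiexe.dll in a PATH directory outside the Windows folder: the
#    side-loading condition described earlier. Anything there is suspect.
$env:Path -split ';' |
    Where-Object { $_ -and -not ($_ -like "$env:SystemRoot*") } |
    ForEach-Object {
        $candidate = Join-Path $_ 'iscsiexe.dll'
        if (Test-Path -LiteralPath $candidate) { Add-Finding 'iscsiexe.dll on user PATH' $candidate }
    }

if ($Findings.Count -eq 0) { Write-Host 'No Operation TrueChaos indicators found on this host.' }
else { $Findings | Format-Table -AutoSize }
```

Run it in an elevated session so the ProgramData and other users' profile paths are readable, and treat the file-name checks as leads rather than verdicts: update.7z and rom.dat are generic names, so a hit there should be confirmed against the full IOC list in the published report before escalating.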

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
