A critical security flaw in the TrueConf video conferencing software has been exploited in real-world attacks as a zero-day, in a campaign tracked as TrueChaos that targets government organizations in Southeast Asia.
The flaw is tracked as CVE-2026-3502. The client performs no integrity check on the application update code it receives, which lets an attacker serve a fake update that executes arbitrary code. It has been fixed in the TrueConf Windows client as of version 8.5.3, released earlier this month.

“The flaw stems from the abuse of TrueConf’s updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints,” Check Point said in a report.
The TrueChaos campaign has used this flaw in the update mechanism to deliver what is believed to be the open-source Havoc command-and-control (C2) framework to vulnerable endpoints. The activity is attributed, with moderate confidence, to a China-linked threat actor.
Attacks exploiting the flaw were first observed by the cybersecurity firm Check Point at the start of 2026. The attackers abused the trust placed in the update mechanism to deliver a malicious installer that uses DLL side-loading to launch a DLL backdoor.
The DLL implant (“7z-x64.dll”) has also been observed performing hands-on-keyboard actions to conduct reconnaissance, set up persistence, and retrieve additional payloads (“iscsiexe.dll”) from an FTP server (“47.237.15[.]197”). The primary objective of “iscsiexe.dll” is to ensure the execution of a benign binary (“poweriso.exe”) that’s dropped to sideload the backdoor.
The exact malware used in the final stage of the attack is not known, but it is believed with high confidence that the aim is to install the Havoc implant.
The report links TrueChaos to a Chinese threat group based on its tradecraft: DLL side-loading and the use of Alibaba Cloud and Tencent infrastructure for command and control. In addition, the same victim was attacked around the same time with ShadowPad, a sophisticated backdoor widely used by China-linked hacking groups.

The use of Havoc has also been linked to another Chinese group, Amaranth-Dragon, which targeted government and law enforcement agencies in Southeast Asia in 2025.
“The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually,” Check Point said. “Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients.
By replacing a legitimate update with a malicious one, they turned the product’s normal update flow into a malware distribution channel across multiple connected government networks.”
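The weakness the article describes, an updater that runs whatever the on-premises server delivers, and the standard fix, verifying a signature under a vendor key pinned in the client so that a compromised server cannot forge a valid update, side by side as an added example in Go. This is illustrative code written for this page, not TrueConf's updater or Check Point's code; the key pair, the UpdatePackage structure, the function names and the sample installer bytes are all assumptions constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update as the client would receive it from
// the on-premises server: the installer bytes plus a detached signature.
type UpdatePackage struct {
	Installer []byte
	Signature []byte
}

// newVendorKeys generates an Ed25519 key pair standing in for the vendor's
// build-signing key. In a real client only the public half is compiled in;
// the private half never reaches the on-premises server.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signInstaller is the vendor-side step: sign the SHA-256 digest of the
// installer so the signed manifest only needs to carry the hash.
func signInstaller(priv ed25519.PrivateKey, installer []byte) UpdatePackage {
	digest := sha256.Sum256(installer)
	return UpdatePackage{Installer: installer, Signature: ed25519.Sign(priv, digest[:])}
}

// installUnchecked models the vulnerable pattern: whatever the server delivers
// is treated as the update. It returns the bytes that would be executed.
func installUnchecked(pkg UpdatePackage) []byte {
	return pkg.Installer
}

// installVerified models the fix: refuse to run anything whose signature does
// not verify under the pinned vendor public key.
func installVerified(pinnedPub ed25519.PublicKey, pkg UpdatePackage) ([]byte, error) {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: malformed signature")
	}
	digest := sha256.Sum256(pkg.Installer)
	if !ed25519.Verify(pinnedPub, digest[:], pkg.Signature) {
		return nil, errors.New("update rejected: signature does not verify under vendor key")
	}
	return pkg.Installer, nil
}

func main() {
	vendorPub, vendorPriv, err := newVendorKeys()
	if err != nil {
		panic(err)
	}
	genuine := signInstaller(vendorPriv, []byte("constructed sample: genuine installer"))

	// A compromised on-premises server can swap the installer bytes but cannot
	// re-sign them with the vendor key...
	tampered := UpdatePackage{
		Installer: []byte("constructed sample: malicious installer"),
		Signature: genuine.Signature,
	}
	// ...and a signature under a key it generated itself is not pinned in the client.
	_, rogueServerPriv, _ := newVendorKeys()
	rogue := signInstaller(rogueServerPriv, tampered.Installer)

	fmt.Printf("unchecked client would execute: %q\n", installUnchecked(tampered))
	for name, p := range map[string]UpdatePackage{"genuine": genuine, "tampered": tampered, "rogue-signed": rogue} {
		if _, err := installVerified(vendorPub, p); err != nil {
			fmt.Printf("%-12s %v\n", name+":", err)
		} else {
			fmt.Printf("%-12s accepted\n", name+":")
		}
	}
}
```

The design point is where the trust anchor lives: a hash or HMAC shared with the server gains nothing once the server is under attacker control, whereas a public key baked into the client means only the holder of the vendor's private key can produce an update the client will run.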
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-3502 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fix by April 16, 2026.