TP-2026-0045 critical AI Draft C

Operation TrueChaos: TrueConf Update Hijack Against Southeast Asian Government Networks

Date March 31, 2026
Attack Type supply-chain Sector Government / International
Geography Southeast Asia
Threat Actor Chinese-nexus (unattributed)
Attribution A4
CVEs CVE-2026-3502
Confidence C

Summary

Operation TrueChaos is the name Check Point Research gave to a March 2026 intrusion cluster that abused the TrueConf Windows client update path in Southeast Asian government environments. The campaign centered on CVE-2026-3502, a flaw that allowed a compromised on-premises TrueConf server to offer a malicious client update without adequate integrity verification on the endpoint.

In the cases described publicly, the attacker used the trusted update relationship to deliver a trojanized installer that still advanced the TrueConf client version while also dropping malicious components for follow-on execution. Public reporting supports a narrow but high-impact supply-chain framing: the attacker did not compromise a global vendor build system, but it did compromise a customer-operated update source that served many downstream government users.

Technical Analysis

Check Point Research and the National Vulnerability Database described the core flaw as a trust failure in the TrueConf Windows client update mechanism. When a connected on-premises server advertised a newer client build, the endpoint could download the server-hosted package without sufficiently verifying its integrity or authenticity. That meant a threat actor who gained control of the on-premises server could substitute a malicious package in place of a legitimate update.

Check Point reported that the observed malicious package preserved the expected software-upgrade behavior while also dropping files used for DLL sideloading and follow-on activity. The reported chain included poweriso.exe, a malicious 7z-x64.dll, and later abuse of the auto-elevated iscsicpl.exe path. Check Point also linked the post-exploitation infrastructure to Havoc command-and-control activity with high confidence.

Attack Chain

Stage 1: On-Premises TrueConf Server Compromise

The public reporting supports initial control of a customer-operated TrueConf server rather than compromise of TrueConf’s central software build pipeline. That server-side access let the attacker change what connected clients received during routine update checks.

Stage 2: Trojanized Update Delivery

The attacker replaced the expected client update with a malicious package that still appeared to perform a normal version upgrade. Because the client trusted the server-provided package, downstream endpoints accepted the update path.

Stage 3: DLL Sideloading Setup

Check Point reported that the delivered package wrote poweriso.exe together with a malicious 7z-x64.dll, creating a DLL sideloading path during execution. That gave the attacker code execution while preserving the appearance of legitimate software activity.

Stage 4: Privilege Escalation and Follow-On Access

The observed chain then used the auto-elevated iscsicpl.exe path together with a malicious DLL to bypass User Account Control. Check Point linked the resulting post-exploitation activity to Havoc infrastructure used for further operator access.

Impact Assessment

The public reporting describes a governmental IT environment that served dozens of government entities inside one Southeast Asian country. Because many downstream users depended on the same on-premises TrueConf update source, compromise of that server created a scalable access path into multiple government endpoints.

The resulting impact extended beyond software tampering. Once the malicious update executed, the attacker gained a route for follow-on reconnaissance, privilege escalation, and persistent access in sensitive government environments. That makes the incident operationally significant even though the abused trust relationship was local to the victim deployment rather than global to every TrueConf customer.

Attribution

Check Point assessed the activity with moderate confidence as Chinese-nexus based on victimology, infrastructure, and observed tradecraft. The public evidence supports a regional espionage framing, but it does not name a specific public threat-actor cluster with sufficient confidence for a narrower attribution.

The safest public posture is therefore to keep the actor field at “Chinese-nexus (unattributed)” while preserving the attribution-confidence qualifier in body text rather than treating the activity as definitively tied to a named APT.

Timeline

2026-03-30 — NVD publishes the CVE entry

The National Vulnerability Database published CVE-2026-3502 and described the TrueConf update-path trust failure that allowed malicious packages to be served from a compromised on-premises server.

2026-03-31 — Check Point discloses Operation TrueChaos

Check Point Research published the campaign analysis, described the observed exploitation chain, and tied the activity to Southeast Asian government targets.

2026-04-01 — TrueConf releases version 8.5.3

TrueConf published its 8.5.3 release notes as the vendor fix path for the vulnerable client update behavior.

2026-04-02 — BleepingComputer amplifies the incident details

BleepingComputer summarized the Check Point findings and highlighted the use of the TrueConf zero-day to push malicious software updates.

Remediation & Mitigation

  1. Upgrade TrueConf Windows clients to version 8.5.3 or later.
  2. Audit on-premises TrueConf servers for unauthorized changes to client update files and expected update-package locations.
  3. Investigate endpoints where poweriso.exe, 7z-x64.dll, or unexpected update artifacts appeared in the reported execution path.
  4. Hunt for signs of follow-on activity associated with the reported DLL sideloading and Havoc-linked command-and-control behavior.
  5. Treat affected environments as possible espionage intrusions and rotate credentials, preserve forensic evidence, and expand host and network review beyond the initial update event.

Sources & References

zero-daysupply-chaintrueconfgovernmentsoutheast-asiahavoc-c2dll-sideloadingcisa-kev