TP-EXP-2026-0005 CVE-2026-3502 high Patched Under Review

TrueConf Update Integrity Bypass — Supply Chain Code Execution

Severity Assessment

  • Exploitability: 7/10 — Requires prior compromise of on-premises TrueConf server; once achieved, all connected clients are automatically exposed
  • Impact: 8.5/10 — Full code execution on all client systems that pull the tampered update; Havoc C2 enables persistent espionage access
  • Weaponization Risk: 8/10 — Actively weaponized by Chinese-nexus actor in targeted government espionage campaign; CISA KEV listed
  • Patch Urgency: 8.5/10 — CISA mandatory remediation by April 16, 2026; organizations with on-premises TrueConf in high-risk sectors at elevated risk
  • Detection Coverage: 6.5/10 — Malicious DLLs and Havoc C2 beaconing patterns are detectable; initial update tampering on server may go unnoticed without file integrity monitoring

Summary

CVE-2026-3502 is a high-severity vulnerability in TrueConf’s video conferencing client where the software update mechanism fails to verify the integrity of downloaded update files before executing them (CWE-494). A Chinese-nexus threat actor (moderate confidence attribution) exploited this as a zero-day in a campaign dubbed “TrueChaos” targeting Southeast Asian government networks starting in early 2026.

By compromising an on-premises TrueConf server, attackers replaced legitimate updates with malicious payloads, turning the trusted update channel into a malware distribution mechanism. The payload deployed the Havoc C2 framework via DLL side-loading using malicious components 7z-x64.dll (backdoor) and iscsiexe.dll (payload retriever). C2 infrastructure was hosted on Tencent and Alibaba Cloud.

TrueConf released a patch (version 8.5.3) in early March 2026, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 2, 2026, with a remediation deadline of April 16.

Exploit Chain

Stage 1: Server Compromise

Attacker gains access to the on-premises TrueConf server via phishing, credential theft, or an unpatched vulnerability on the server host.

Stage 2: Update Package Tampering

The legitimate software update package is replaced with a malicious version on the TrueConf server. The malicious payload includes DLL side-loading components (7z-x64.dll and iscsiexe.dll).

Stage 3: Client Pull Without Integrity Verification

TrueConf clients automatically fetch the tampered update from the on-premises server without any signature validation or hash comparison. No integrity check is performed before execution.

Stage 4: DLL Side-Loading and Payload Execution

The malicious update executes and side-loads the backdoor DLLs via DLL search order hijacking. 7z-x64.dll establishes the persistent backdoor; iscsiexe.dll retrieves additional payloads from the attacker’s infrastructure.

Stage 5: C2 Establishment

The Havoc C2 framework beacons to attacker infrastructure on Tencent/Alibaba Cloud (47.237.15[.]197:8080), establishing persistent command-and-control access for espionage operations.

Detection Guidance

  • Monitor TrueConf update processes for unexpected DLL loading patterns; alert on 7z-x64.dll or iscsiexe.dll loading in TrueConf directories.
  • Alert on outbound connections from TrueConf clients to Tencent/Alibaba Cloud IP ranges, particularly beacon patterns to port 8080.
  • Implement file integrity monitoring on the on-premises TrueConf server update directories; alert on hash mismatches against vendor-published checksums.
  • Deploy Havoc C2 framework network signatures and endpoint behavioral rules to detect post-exploitation beaconing.
  • Scan endpoints for presence of 7z-x64.dll and iscsiexe.dll in unexpected TrueConf process directories.
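The first, second and fifth detection points above, turned into a rule set run over constructed sample telemetry. This is an added example, not tooling from the advisory; the Sysmon-style key=value layout, the TrueConf install path and the sample events are assumptions, while the DLL names and the C2 address come from the page.

```python
import re

# Indicators taken from the advisory above; the install path used below is an assumption.
IOC_DLLS = {"7z-x64.dll", "iscsiexe.dll"}
IOC_C2_IP, IOC_C2_PORT = "47.237.15.197", 8080

# Constructed sample telemetry in a Sysmon-like layout (EventID 7 = ImageLoad, 3 = NetworkConnect).
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Program Files\\TrueConf\\Client\\TrueConf.exe ImageLoaded=C:\\Program Files\\TrueConf\\Client\\7z-x64.dll Signed=false",
    "EventID=7 Image=C:\\Program Files\\7-Zip\\7zFM.exe ImageLoaded=C:\\Program Files\\7-Zip\\7z.dll Signed=true",
    "EventID=7 Image=C:\\Program Files\\TrueConf\\Client\\TrueConf.exe ImageLoaded=C:\\Program Files\\TrueConf\\Client\\iscsiexe.dll Signed=false",
    "EventID=3 Image=C:\\Program Files\\TrueConf\\Client\\TrueConf.exe DestinationIp=47.237.15.197 DestinationPort=8080 Protocol=tcp",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=203.0.113.10 DestinationPort=443 Protocol=tcp",
    "EventID=3 Image=C:\\Program Files\\TrueConf\\Client\\TrueConf.exe DestinationIp=192.0.2.20 DestinationPort=8080 Protocol=tcp",
]

# Key=value pairs whose values may contain spaces and backslashes (Windows paths).
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split one 'Key=value Key2=value' line into a dict."""
    return dict(FIELD_RE.findall(line))

def in_trueconf_dir(path):
    return "\\trueconf\\" in path.lower()

def detect(events):
    """Return (rule, process, detail) tuples for the advisory's side-load and C2 indicators."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        image = ev.get("Image", "")
        if ev.get("EventID") == "7":
            loaded = ev.get("ImageLoaded", "")
            dll = loaded.rsplit("\\", 1)[-1].lower()
            # The IoC DLL names only matter when loaded by a TrueConf process or from its directory.
            if dll in IOC_DLLS and (in_trueconf_dir(image) or in_trueconf_dir(loaded)):
                alerts.append(("ioc_dll_sideload", image, loaded))
        elif ev.get("EventID") == "3":
            ip, port = ev.get("DestinationIp", ""), int(ev.get("DestinationPort", "0"))
            if ip == IOC_C2_IP and port == IOC_C2_PORT:
                alerts.append(("havoc_c2_ioc", image, f"{ip}:{port}"))
            elif in_trueconf_dir(image) and port == IOC_C2_PORT:
                # Weaker signal: TrueConf client egress to 8080; triage against the cloud ranges named above.
                alerts.append(("trueconf_port8080_egress", image, f"{ip}:{port}"))
    return alerts
```

The Tencent/Alibaba Cloud address ranges are not reproduced here; the weaker port-8080 rule is where that range check would be added.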

Indicators of Compromise

  • IP 47.237.15[.]197 — Havoc C2 FTP server hosted on Tencent/Alibaba Cloud infrastructure
  • 7z-x64.dll — malicious backdoor DLL side-loaded via TrueConf update process
  • iscsiexe.dll — payload retriever DLL component deployed alongside backdoor
  • Havoc C2 POST beaconing to attacker infrastructure port 8080 from TrueConf client processes
  • Tampered update packages on on-premises TrueConf server with hash mismatch against vendor checksums

Remediation

  1. Upgrade to TrueConf 8.5.3+ — Apply vendor patch immediately; version 8.5.3 adds cryptographic validation of update packages.
  2. Audit On-Premises Server Integrity — Review TrueConf server update directories for tampered packages; compare hashes against vendor-published values.
  3. Block C2 Infrastructure — Block/alert outbound connections to 47.237.15[.]197 and Tencent/Alibaba Cloud ranges from endpoint hosts.
  4. DLL Side-Load Detection — Monitor for 7z-x64.dll and iscsiexe.dll in TrueConf process directories; implement application allowlisting.
  5. Enforce Update Code-Signing — Validate all software update packages cryptographically before execution across all update channels.
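The check that Stage 3 of the exploit chain lacks, and that remediation steps 2 and 5 call for, as an added example (not TrueConf's code and not the vendor's 8.5.3 validation): a client-side integrity check that rejects a package whose SHA-256 does not match a vendor-published value, plus an audit pass over a server update directory. Package names, bytes and checksums are constructed; only hashing is used here because the standard library carries no signature primitive, and a signed manifest is the stronger form.

```python
import hashlib, hmac, os, tempfile

# Constructed sample data: a stand-in for the legitimate 8.5.3 installer and a tampered copy.
GOOD_PACKAGE = b"TRUECONF-UPDATE-8.5.3 placeholder installer bytes"
TAMPERED_PACKAGE = GOOD_PACKAGE + b" + injected DLL side-load components"

# Checksums as the vendor would publish them out of band (constructed here from GOOD_PACKAGE).
# They must not be fetched from the same on-premises server that serves the package: an attacker
# who controls that server can swap both the package and a co-hosted checksum file.
VENDOR_CHECKSUMS = {"trueconf_client_8.5.3.exe": hashlib.sha256(GOOD_PACKAGE).hexdigest()}

class UpdateRejected(Exception):
    pass

def check_update(name, data, checksums=VENDOR_CHECKSUMS):
    """Classify a package as ok / unknown / TAMPERED without executing it."""
    expected = checksums.get(name)
    if expected is None:
        return "unknown", f"no vendor checksum published for {name}"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):  # constant-time comparison
        return "TAMPERED", f"sha256 mismatch for {name}: {actual[:12]}... != {expected[:12]}..."
    return "ok", "sha256 matches vendor-published value"

def install_update_verified(name, data, run, checksums=VENDOR_CHECKSUMS):
    # The Stage 3 behaviour is simply `return run(data)`; the check below is what was missing.
    status, reason = check_update(name, data, checksums)
    if status != "ok":
        raise UpdateRejected(reason)
    return run(data)

def audit_update_dir(directory, checksums=VENDOR_CHECKSUMS):
    """Remediation step 2: integrity status of every file in a server update directory."""
    findings = []
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), "rb") as f:
            status, _ = check_update(name, f.read(), checksums)
        findings.append((name, status))
    return findings

def demo_audit():
    # Constructed scenario: the real package name holds tampered bytes and a stray DLL sits beside it.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "trueconf_client_8.5.3.exe"), "wb") as f:
            f.write(TAMPERED_PACKAGE)
        with open(os.path.join(d, "7z-x64.dll"), "wb") as f:
            f.write(b"not a vendor file")
        return audit_update_dir(d)
```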

Disclosure Timeline

2026-01 (Early) — TrueChaos Campaign Begins

Chinese-nexus threat actor begins exploiting CVE-2026-3502 as a zero-day against Southeast Asian government networks, establishing persistent access via compromised update mechanism.

2026-03-01 — Vulnerability Disclosed

Vulnerability disclosed based on campaign discovery during incident response of affected SE Asian government networks.

2026-03 (Early) — Patch Released

TrueConf releases patched version 8.5.3 addressing the update integrity verification vulnerability, adding cryptographic validation of update packages.

2026-03-15 — Media Coverage

The Hacker News publishes comprehensive report on the TrueChaos campaign with Chinese-nexus attribution and technical analysis of the exploitation chain.

2026-04-02 — CISA KEV Addition

CISA adds CVE-2026-3502 to Known Exploited Vulnerabilities catalog. Remediation deadline set for April 16, 2026.

Sources & References