**Zero-Day Vulnerability Exploited: Hackers Push Malicious Software Updates on TrueConf Users**
A recent wave of attacks has targeted the video conferencing platform TrueConf, exploiting a previously unknown vulnerability to push malicious software updates to connected endpoints. The zero-day flaw, tracked as CVE-2026-3502, lets an attacker who controls a TrueConf server deliver arbitrary executables to every connected client disguised as a software update, with potentially devastating consequences for organizations that rely on the platform.
TrueConf is a popular video conferencing solution used by over 100,000 organizations worldwide, including government agencies, military forces, and critical infrastructure operators. Its self-hosted server model concentrates the risk: each server is the sole update source for every client that connects to it, so an attacker who compromises one server can abuse the update mechanism to push malicious files to all of those clients at once.
**The Attack Chain**
According to Check Point researchers, the attack chain begins with the attacker gaining control of a TrueConf server and replacing the legitimate update package with a malicious executable. The server presents that file as the current application version, and because the client trusts the server-provided update without verifying its authenticity, the malicious file is downloaded and executed under the guise of a legitimate TrueConf update.
The flaw affects TrueConf versions 8.1.0 through 8.5.2 and was fixed in version 8.5.3, released in March 2026 after Check Point reported it to the vendor. By then, however, the vulnerability had already been exploited in the wild, in attacks targeting government entities in Southeast Asia.
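To make the validation gap concrete, here is an added example (not TrueConf's code, and not from Check Point's report) written in Go. It contrasts a client that executes whatever the server presents as the current version with one that accepts an update only if a manifest signed by a pinned vendor key matches the payload's SHA-256 and carries a strictly newer version. The Manifest format, the Ed25519 key pair, the version strings and the payload bytes are all assumptions made for the demonstration; the point is that the signing key lives with the vendor, not on the server, so control of the server alone cannot mint an acceptable update.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is a hypothetical signed update descriptor (not TrueConf's format):
// the vendor signs it offline with a key the update server never holds, and the
// client ships with the matching public key pinned.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// versionNewer reports whether candidate ("major.minor.patch", assumed format)
// is strictly newer than installed; an unparsable version is an error, not "ok".
func versionNewer(candidate, installed string) (bool, error) {
	c, in := strings.Split(candidate, "."), strings.Split(installed, ".")
	if len(c) != 3 || len(in) != 3 {
		return false, fmt.Errorf("bad version %q or %q", candidate, installed)
	}
	for k := range c {
		a, errA := strconv.Atoi(c[k])
		b, errB := strconv.Atoi(in[k])
		if errA != nil || errB != nil {
			return false, fmt.Errorf("bad version %q or %q", candidate, installed)
		}
		if a != b {
			return a > b, nil
		}
	}
	return false, nil
}

// weakInstall mirrors the flaw described above: if the version the server
// advertises differs from the installed one, the client runs whatever bytes the
// server served. It returns true when the payload would be executed.
func weakInstall(serverVersion, installedVersion string, payload []byte) bool {
	return len(payload) > 0 && serverVersion != installedVersion
}

// hardenedInstall accepts an update only if the manifest is signed by the pinned
// vendor key, the payload matches the signed digest, and the version is a strict
// upgrade. Control of the server alone defeats none of these checks.
func hardenedInstall(pub ed25519.PublicKey, manifestJSON, sig, payload []byte, installed string) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return m, errors.New("manifest not signed by the pinned vendor key")
	}
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return m, fmt.Errorf("manifest malformed: %w", err)
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != strings.ToLower(m.SHA256) {
		return m, errors.New("payload digest does not match the signed manifest")
	}
	newer, err := versionNewer(m.Version, installed)
	if err != nil {
		return m, err
	}
	if !newer {
		return m, fmt.Errorf("refusing downgrade or replay: %s is not newer than %s", m.Version, installed)
	}
	return m, nil
}

// signManifest is the vendor-side step, included so the example runs offline.
func signManifest(priv ed25519.PrivateKey, version string, payload []byte) (manifestJSON, sig []byte, err error) {
	sum := sha256.Sum256(payload)
	if manifestJSON, err = json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}); err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// demoKeys makes a throwaway key pair standing in for the vendor's real one.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := demoKeys()
	genuine, malicious := []byte("genuine installer (constructed)"), []byte("attacker executable (constructed)")
	manifest, sig, _ := signManifest(priv, "8.5.3", genuine)
	fmt.Println("weak client executes attacker file:", weakInstall("8.5.3", "8.5.2", malicious))
	_, err := hardenedInstall(pub, manifest, sig, malicious, "8.5.2")
	fmt.Println("hardened client rejects swapped payload:", err)
}
```

Run it with go run: the weak client reports true for the attacker's file, while the hardened client rejects the swapped payload with a digest mismatch. The same checks also reject a manifest signed by any key other than the pinned one, an older signed release replayed as a "new" update, and an unparsable version string, which fails closed instead of being silently accepted.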
**Attribution and Impact**
Check Point tracks the campaign as TrueChaos and attributes it with moderate confidence to a Chinese-nexus threat actor, based on tactics, techniques, and procedures (TTPs) and on the use of Alibaba Cloud and Tencent infrastructure to host command and control (C2) servers. The attackers compromised a centrally managed government TrueConf server and used it to push malicious files, disguised as updates, to every TrueConf client connected to it, affecting multiple agencies.
The infection chain includes DLL sideloading, the deployment of reconnaissance tools (tasklist, tracert), privilege escalation through a UAC bypass via iscsicpl.exe, and the establishment of persistence. Although the researchers were unable to recover the final payload, network traffic pointed to Havoc C2 infrastructure, making it highly likely that the Havoc implant was used.
**Indicators of Compromise**
Check Point's report shares indicators of compromise (IoCs) as well as multiple infection signals. Strong signs of a breach include the presence of poweriso.exe or 7z-x64.dll, and suspicious artifacts such as %AppData%\Roaming\Adobe\update.7z or iscsiexe.dll, the DLL sideloaded by the iscsicpl.exe UAC bypass (its legitimate copy lives in System32, so a copy anywhere else is the signal to look for).
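As an added example of how those indicators translate into detection logic (written for this article, not taken from Check Point's report or from TrueConf), the Go program below runs a handful of rules over a constructed, Sysmon-like event timeline. The event schema, the file paths and the timeline itself are assumptions; the filenames come from the IoCs above. Two rules generalise beyond the literal IoCs and are marked as such in the code: iscsicpl.exe loading any DLL from outside System32, and tasklist or tracert being spawned by a binary that lives in a user profile directory.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a simplified, Sysmon-like telemetry record constructed for this
// example (not Check Point's data). Kind is ProcessCreate, ImageLoad or
// FileCreate; Target is the loaded DLL or the created file.
type Event struct {
	Kind, Image, Parent, Target string
}

type Alert struct {
	Severity, Rule string
	Event          Event
}

// baseName lower-cases a Windows path and returns its last component, so the
// logic also runs on a Linux analysis host where filepath.Base would not.
func baseName(p string) string {
	p = strings.ToLower(strings.ReplaceAll(p, "/", `\`))
	return p[strings.LastIndex(p, `\`)+1:]
}

func underSystem32(p string) bool { return strings.Contains(strings.ToLower(p), `\windows\system32\`) }
func underProfile(p string) bool  { return strings.Contains(strings.ToLower(p), `\appdata\`) }

// detect applies the TrueChaos indicators quoted above plus two behavioural
// generalisations (marked as such) and returns every match.
func detect(events []Event) []Alert {
	var alerts []Alert
	hit := func(sev, rule string, e Event) { alerts = append(alerts, Alert{sev, rule, e}) }
	for _, e := range events {
		switch e.Kind {
		case "ProcessCreate":
			img := baseName(e.Image)
			if img == "poweriso.exe" {
				hit("high", "poweriso.exe executed (TrueChaos IoC)", e)
			}
			// Generalisation: tasklist/tracert are routine for admins; flag them only
			// when the parent process lives in a user profile directory.
			if (img == "tasklist.exe" || img == "tracert.exe") && underProfile(e.Parent) {
				hit("low", "recon tool spawned by a user-profile binary", e)
			}
		case "ImageLoad":
			dll := baseName(e.Target)
			switch {
			case dll == "7z-x64.dll":
				hit("high", "7z-x64.dll loaded (TrueChaos sideloaded DLL)", e)
			case dll == "iscsiexe.dll" && !underSystem32(e.Target):
				// The genuine iscsiexe.dll lives in System32; a copy elsewhere is the
				// iscsicpl.exe UAC bypass artefact named in the IoCs.
				hit("high", "iscsiexe.dll loaded from outside System32", e)
			case baseName(e.Image) == "iscsicpl.exe" && !underSystem32(e.Target):
				// Generalisation: any non-System32 DLL pulled into iscsicpl.exe.
				hit("medium", "iscsicpl.exe loading a DLL from outside System32", e)
			}
		case "FileCreate":
			t := strings.ToLower(strings.ReplaceAll(e.Target, "/", `\`))
			if underProfile(t) && strings.HasSuffix(t, `\adobe\update.7z`) {
				hit("high", "update.7z staged under an AppData Adobe directory (TrueChaos IoC)", e)
			}
		}
	}
	return alerts
}

// countBySeverity summarises alerts for quick triage.
func countBySeverity(alerts []Alert) map[string]int {
	out := map[string]int{}
	for _, a := range alerts {
		out[a.Severity]++
	}
	return out
}

// sampleEvents is a constructed timeline mixing benign activity with the
// reported TrueChaos chain; it is not real telemetry.
func sampleEvents() []Event {
	adobe := `C:\Users\alice\AppData\Roaming\Adobe\`
	return []Event{
		{Kind: "ProcessCreate", Image: `C:\Windows\System32\tasklist.exe`, Parent: `C:\Windows\System32\cmd.exe`},
		{Kind: "FileCreate", Image: `C:\Program Files\TrueConf\TrueConf.exe`, Target: adobe + "update.7z"},
		{Kind: "ProcessCreate", Image: adobe + "poweriso.exe", Parent: `C:\Program Files\TrueConf\TrueConf.exe`},
		{Kind: "ImageLoad", Image: adobe + "poweriso.exe", Target: adobe + "7z-x64.dll"},
		{Kind: "ProcessCreate", Image: `C:\Windows\System32\tracert.exe`, Parent: adobe + "poweriso.exe"},
		{Kind: "ImageLoad", Image: `C:\Windows\System32\iscsicpl.exe`, Target: `C:\Users\alice\AppData\Local\Temp\iscsiexe.dll`},
		{Kind: "ImageLoad", Image: `C:\Windows\System32\iscsicpl.exe`, Target: `C:\Users\alice\AppData\Local\Temp\helper.dll`},
		{Kind: "ImageLoad", Image: `C:\Windows\System32\iscsicpl.exe`, Target: `C:\Windows\System32\iscsiexe.dll`},
	}
}

func main() {
	alerts := detect(sampleEvents())
	for _, a := range alerts {
		fmt.Printf("[%-6s] %s | image=%s target=%s\n", a.Severity, a.Rule, a.Event.Image, a.Event.Target)
	}
	fmt.Println(countBySeverity(alerts))
}
```

On the sample timeline the rules raise six alerts (four high, one medium, one low) and stay silent on the two benign records: an administrator running tasklist from cmd.exe, and iscsicpl.exe loading the real iscsiexe.dll from System32. That second case is the one to keep in mind when turning the published IoC into a query: matching on the bare filename alone will page on every machine in the fleet.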
**Conclusion**
The exploitation of the TrueConf zero-day is a stark reminder that patching matters, but also that an update channel is only as trustworthy as the server behind it. Organizations that rely on video conferencing platforms must run current software and, for self-hosted deployments, treat the server as a high-value asset: it is the trust anchor for every client, and in this campaign its compromise was the first step of the attack.
Cybersecurity professionals should also remain vigilant for signs of a breach, including the indicators of compromise shared by Check Point researchers. Staying informed and proactive reduces the risk of falling victim to sophisticated campaigns like TrueChaos.
**Recommendations**
1. Upgrade TrueConf to version 8.5.3 or later on both servers and clients, and confirm the update package came from the vendor rather than from a server that may already be compromised.
2. Hunt for the indicators of compromise shared by Check Point researchers (poweriso.exe, 7z-x64.dll, update.7z under the Adobe directory in AppData, iscsiexe.dll outside System32), and review the server's update storage for executables that do not match a vendor release.
3. Apply controls that blunt DLL sideloading and UAC bypasses: application control that blocks execution from user-writable directories such as %AppData%, and alerting when system binaries like iscsicpl.exe load DLLs from outside System32.
Following these recommendations reduces the risk of falling victim to attacks like TrueChaos and makes the update channel of a self-hosted video conferencing deployment considerably harder to abuse.