PT-2026-29097 · Unknown+1 · 7Z-X64.Dll+4

Published 2026-03-30 · Updated 2026-05-15 · CVE-2026-3502

CVSS v3.1: 7.8 High
Vector: AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: TrueConf versions 8.1.0 through 8.5.2
Description: TrueConf Client downloads application update code and applies it without performing integrity or authenticity verification. An attacker capable of influencing the update delivery path, such as by compromising an on-premises TrueConf server, can substitute a tampered update payload. If this payload is executed or installed by the updater, it can result in arbitrary code execution in the context of the updating process or user.
This issue was exploited in a targeted campaign known as "TrueChaos" against dozens of government entities in Southeast Asia, including defense institutions and critical infrastructure operators. The attackers replaced legitimate update packages with weaponized installers to deploy the Havoc C2 framework and ShadowPad for espionage, reconnaissance, and long-term persistence. Technical exploitation involved DLL sideloading (loading a malicious 7z-x64.dll via legitimate executables), UAC bypass (abusing iscsicpl.exe via PATH manipulation to load iscsiexe.dll), and the use of trueconf windows update.exe to distribute the payload.
Recommendations: Update TrueConf clients and servers to version 8.5.3 or later. Validate that update binaries are code-signed and match vendor-provided checksums. Isolate and harden on-premises TrueConf update servers, restrict administrative access, and implement strict network egress controls. Enable EDR to monitor for suspicious process chains (e.g., trueconf.exe -> trueconf windows update.exe -> trueconf windows update.tmp) and DLL sideloading. Block known malicious C2 IPs: 43.134.90.60, 43.134.52.221, and 47.237.15.197. Rotate credentials and enforce multi-factor authentication (MFA) for service accounts.
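The EDR process-chain and DLL-sideloading checks recommended above, worked through as added example code over constructed Sysmon-style events (not TrueConf's or the advisory author's tooling). The event schema, pids and paths are made up, and the rule that iscsiexe.dll belongs under a Windows system directory is an assumption used for the check.

```python
"""Detection helpers for the process chain and DLL sideloading named in the advisory,
run over constructed Sysmon-style events (example code, not the vendor's own tooling)."""

# Parent -> child -> grandchild chain the advisory recommends watching for.
PROCESS_CHAIN = ("trueconf.exe", "trueconf windows update.exe", "trueconf windows update.tmp")
# Assumptions: iscsiexe.dll belongs in a Windows system directory, and a 7z-x64.dll
# loaded from a user-writable location deserves an alert.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

def basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def find_update_chains(events):
    """Return pids of '.tmp' processes whose parent and grandparent complete PROCESS_CHAIN."""
    procs = {e["pid"]: (basename(e["image"]), e["ppid"]) for e in events if e["type"] == "ProcessCreate"}
    hits = []
    for pid, (name, ppid) in procs.items():
        parent = procs.get(ppid)
        grand = procs.get(parent[1]) if parent else None
        if (grand[0] if grand else None, parent[0] if parent else None, name) == PROCESS_CHAIN:
            hits.append(pid)
    return hits

def dll_is_suspicious(path):
    """True for a watched DLL loaded from a location that does not fit it."""
    p = path.lower().replace("/", "\\")
    name = basename(p)
    if name == "iscsiexe.dll":   # PATH-manipulation hijack of iscsicpl.exe
        return not p.startswith(SYSTEM_DIRS)
    if name == "7z-x64.dll":     # sideload placed beside a copied legitimate executable
        return any(marker in p for marker in USER_WRITABLE)
    return False

def find_sideloads(events):
    """Return (pid, path) for every ImageLoad event that dll_is_suspicious flags."""
    return [(e["pid"], e["image_loaded"]) for e in events
            if e["type"] == "ImageLoad" and dll_is_suspicious(e["image_loaded"])]

# Constructed sample telemetry; the paths and pids are made up for this example.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 100, "ppid": 1, "image": r"C:\Program Files\TrueConf\trueconf.exe"},
    {"type": "ProcessCreate", "pid": 101, "ppid": 100, "image": r"C:\Users\a\AppData\Local\Temp\trueconf windows update.exe"},
    {"type": "ProcessCreate", "pid": 102, "ppid": 101, "image": r"C:\Users\a\AppData\Local\Temp\trueconf windows update.tmp"},
    {"type": "ProcessCreate", "pid": 200, "ppid": 1, "image": r"C:\Users\a\Downloads\upd\poweriso.exe"},
    {"type": "ImageLoad", "pid": 200, "image_loaded": r"C:\Users\a\Downloads\upd\7z-x64.dll"},
    {"type": "ImageLoad", "pid": 300, "image_loaded": r"C:\Windows\System32\iscsiexe.dll"},
    {"type": "ImageLoad", "pid": 301, "image_loaded": r"C:\Users\a\AppData\Local\Temp\iscsiexe.dll"},
]
```

The chain match on its own fires for a legitimate update as well, so treat it as a trigger for checking the signature and checksum of the dropped installer rather than as proof of compromise.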

Fix · RCE · LPE

Related Identifiers

BDU:2026-04546
CVE-2026-3502

Affected Products

7Z-X64.Dll
Trueconf Client
Iscsicpl.Exe
Iscsiexe.Dll
Poweriso.Exe