Check Point Research uncovered a targeted espionage campaign dubbed 'Operation TrueChaos' against Southeast Asian government entities. Attackers exploited a zero-day vulnerability (CVE-2026-3502, CVSS 7.8) in TrueConf's client update mechanism, which lacked integrity and authenticity checks. By compromising a centrally managed on-premises TrueConf server, the threat actor replaced legitimate update packages with malicious ones containing DLL sideloading components. The infection chain involved dropping a malicious 7z-x64.dll alongside a benign PowerISO executable, followed by hands-on-keyboard reconnaissance, UAC bypass via iscsicpl.exe DLL hijacking, and deployment of a Havoc C2 implant. The campaign is attributed with moderate confidence to a Chinese-nexus threat actor based on TTPs, use of Alibaba Cloud/Tencent infrastructure, and victimology. Indicators of compromise and hunting guidance are provided.

Source: research.checkpoint.com
Table of contents of the original article:

- Key Points
- Introduction
- About TrueConf
- CVE-2026-3502 Root Cause Analysis
- In-The-Wild Exploitation
- Attribution
- Conclusion
- Hunting Recommendations
- Indicators of Compromise