TrueConf Zero-Day Exploited in Targeted Government Attacks
Take action: If you use TrueConf for videoconferencing, update all Windows clients to version 8.5.3 immediately. Also check your systems for signs of compromise. Look for files like poweriso.exe or iscsiexe.dll in unexpected folders, and make sure any trueconf_windows_update.exe file has a valid digital signature before allowing it to run.
TrueConf, a videoconferencing platform used by government and defense sectors, is the target of a zero-day campaign called "Operation TrueChaos".
Researchers from Check Point found that a China-nexus threat actor used a flaw to spread malware across government networks in Southeast Asia. The attack turns the software's trusted update mechanism into a way to send malicious payloads.
The flaw is tracked as CVE-2026-3502 (CVSS score 7.8): a missing integrity check in the TrueConf Windows client update mechanism that allows attackers to replace legitimate update packages with malicious files. Attackers gain control of the on-premises server to swap the update file, which the client then downloads and runs without verification. The flaw results in arbitrary code execution and full system takeover, with attackers deploying post-exploitation frameworks like Havoc.
The attack chain starts when a user opens the TrueConf client, often through a malicious link. The client sees a version mismatch and asks the user to download a "newer" version from the compromised on-premises server. Once downloaded, the weaponized update uses DLL sideloading to run a malicious 7z-x64.dll through a benign file. This process eventually sets up the Havoc post-exploitation framework, allowing attackers to run commands and keep access to the network.
This vulnerability affects TrueConf Windows client versions 8.1.0 through 8.5.2. Because TrueConf is designed for private local networks (LAN) and air-gapped environments, it is a primary choice for military and critical infrastructure operators. Attackers targeted these self-hosted deployments to bypass traditional perimeter defenses like email filtering or external firewalls.
TrueConf released version 8.5.3 in March 2026 to fix this flaw by adding update integrity checks. Organizations should update all Windows clients now and check for signs of a breach, such as the presence of poweriso.exe or iscsiexe.dll in unexpected folders. Administrators should also check that the trueconf_windows_update.exe file has a digital signature before letting it run.
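The two checks above can be run as a single sweep on a Windows client. The PowerShell below is an added example, not code from TrueConf or Check Point; the `$Roots` and `$ExpectedDirs` defaults are assumptions about where these file names can legitimately live and should be adjusted per environment.

```powershell
# Added example: sweep for the file names this article lists and check signatures.
param(
    # Assumption: scan the system drive; pass other roots as needed.
    [string[]]$Roots = @("$env:SystemDrive\"),
    # Assumption: directories where these names are expected on a clean host.
    [string[]]$ExpectedDirs = @(
        "$env:SystemRoot\System32",
        "$env:SystemRoot\SysWOW64",
        "$env:SystemRoot\WinSxS",
        "$env:ProgramFiles\PowerISO",
        "${env:ProgramFiles(x86)}\PowerISO"
    )
)

$iocNames    = 'poweriso.exe', 'iscsiexe.dll'      # names from the article
$updaterName = 'trueconf_windows_update.exe'       # must be validly signed

$hits = Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in ($iocNames + $updaterName) }

$report = foreach ($f in $hits) {
    $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
    # Compare with a trailing backslash so "PowerISO" does not match "PowerISOx".
    $dir = $f.DirectoryName.TrimEnd('\') + '\'
    $inExpected = [bool]($ExpectedDirs | Where-Object {
        $_ -and $dir.StartsWith($_.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)
    })
    $finding = if ($f.Name -eq $updaterName) {
        if ($sig.Status -eq 'Valid') { 'updater signature valid' }
        else { 'UPDATER NOT VALIDLY SIGNED' }
    } elseif ($inExpected) { 'expected location' }
    else { 'UNEXPECTED LOCATION' }   # a valid signature does not clear this:
                                     # the chain sideloads through a benign file
    [pscustomobject]@{
        Finding   = $finding
        Path      = $f.FullName
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject   # review by hand
        SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Modified  = $f.LastWriteTimeUtc
    }
}

$report | Sort-Object Finding, Path | Format-Table -AutoSize -Wrap
```

Rows marked in capitals are the ones to triage first; the signer subject is printed for manual review because the article does not name the expected publisher.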