TrueChaos: the failure in the TrueConf update that turned your server into a massive backdoor


A campaign aimed at government agencies in South-East Asia has exploited a serious vulnerability in TrueConf's video conferencing client to turn its update mechanism into a malware distribution channel. Security researchers have named the operation TrueChaos, and its exploitation while the flaw was still close to a zero-day showed clearly how a failure in integrity verification can turn a maintenance function into a massive backdoor.

The problem, tracked as CVE-2026-3502 and rated with a CVSS score of 7.8, stems from the TrueConf client not properly verifying the code it downloads from the update server. This means that an attacker with control of the on-premises server can replace a legitimate installer with a manipulated one, and the client will run it without checking whether it has been altered. TrueConf fixed the weakness in Windows version 8.5.3 (released early this month), so the first recommendation is to update affected clients as soon as possible.


According to the public analysis of the investigation, the actors behind TrueChaos used that vector to deploy a malicious installer that, by means of DLL side-loading, loaded a dynamic implant called "7z-x64.dll". This module showed active intrusion behaviour: environment reconnaissance, establishment of persistence and download of additional payloads from an identified FTP server (47.237.15[.]197). The observed artifacts include a second component, "issiexe.dll", whose apparent purpose was to have a known legitimate binary ("poweris.exe") execute and load the backdoor. Although the final stage of the attack is not known with absolute precision, the analyses point with high probability to the deployment of the open-source Havoc command-and-control framework.

The campaign was attributed, with moderate confidence, to a China-linked actor on the basis of the combination of tactics and artifacts: reuse of infrastructure in Alibaba Cloud and Tencent, use of DLL side-loading as a loading technique, and temporal overlap with attempts against the same victim via ShadowPad, a backdoor with a history of intrusions attributed to groups of Chinese origin. ShadowPad has already been documented in detail by security firms and is a good reminder of how sophisticated groups combine tools and vectors to achieve compromises at scale; a good technical summary can be found in ESET's analysis of this backdoor family (WeLiveSecurity - ShadowPad).

What makes TrueChaos particularly dangerous is not so much the individual sophistication of each artifact as the operational simplicity: it was not necessary to compromise each workstation separately. By compromising TrueConf's central server, the attackers turned the update chain, a trust relationship between server and client, into an automatic system for distributing malicious code to the connected networks.

To understand the technique used, recall what DLL side-loading is: many applications load dynamic libraries without specifying absolute paths, which allows an attacker to place a DLL with the same name in a location the application trusts so that it is loaded inadvertently. MITRE documents this technique and its variants and provides useful guidance for detection and mitigation (MITRE ATT&CK - DLL Side-Loading).

If your organization uses TrueConf and manages an on-premises server, these are the practical, priority actions: update Windows clients to version 8.5.3 or later, review the integrity of and access to the update server, check for artifacts with the observed names ("7z-x64.dll", "issiexe.dll", "poweris.exe") and look for outbound connections or transfers to or from the indicated IP (47.237.15[.]197). It is also recommended to rotate credentials, audit accounts with privileges over the TrueConf server and check the logs for unusual downloads or changes in update packages.

Beyond the specific measures, this incident recalls a broader lesson in software security: update mechanisms must include solid integrity and authenticity controls (digital signatures, validated hash checks and secure transport), and the infrastructure that distributes software must be isolated and monitored in particular. CISA and other agencies have published guidance on strengthening the software supply chain and on protecting update processes; this guidance is especially useful for those responsible for critical services (CISA - Supply Chain Security).
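The controls just described, shown as an added Go example that is not TrueConf's code: the client pins the publisher's Ed25519 public key, verifies a signed manifest, and only then checks the downloaded installer's SHA-256 against it, so a compromised update server cannot substitute an installer. The manifest format and key handling are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest: version plus SHA-256 of the installer. Constructed format, not TrueConf's.
type Manifest struct {
	Version string
	SHA256  string // hex digest
}

func (m Manifest) Bytes() []byte { return []byte(m.Version + "\n" + m.SHA256) }

// VerifyUpdate accepts an installer only if the manifest is signed by the pinned publisher
// key AND the installer hashes to the digest in that manifest; a compromised server cannot do both.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.Bytes(), sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return errors.New("manifest carries a malformed digest")
	}
	got := sha256.Sum256(installer)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("installer digest mismatch: got %x, manifest says %s", got, m.SHA256)
	}
	return nil
}
func main() {
	// Constructed publisher key pair; in a real client only the public key is pinned in the binary.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("MZ...constructed legitimate installer bytes")
	sum := sha256.Sum256(installer)
	m := Manifest{Version: "8.5.3", SHA256: hex.EncodeToString(sum[:])}
	sig := ed25519.Sign(priv, m.Bytes())
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, installer))
	// Installer swapped on the server (the CVE-2026-3502 scenario): digest check fails.
	fmt.Println("swapped:", VerifyUpdate(pub, m, sig, []byte("MZ...trojanized")))
	// Manifest re-signed with an attacker-controlled key: signature check fails.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("rogue:", VerifyUpdate(pub, m, ed25519.Sign(rogue, m.Bytes()), installer))
}
```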


For detection and response teams, it is appropriate to adapt rules and hunts to the patterns associated with the campaign: execution of unexpected installers, loading of DLLs with suspicious names by legitimate processes, FTP activity to unusual external addresses and creation of persistence by apparently harmless binaries. Vulnerability databases and centralized technical documentation (such as NVD and MITRE) are useful resources for correlating indicators and prioritizing mitigation (NVD - National Vulnerability Database).
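The hunting patterns above turned into working detection logic, as an added Go example that is not from the research teams or the vendor: it walks constructed Sysmon-style image-load and network events, flags the artifact names and FTP server named in this article, and applies a generic side-loading heuristic (an unsigned DLL loaded from the executable's own directory outside Windows or Program Files). The log format and sample records are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)
// Constructed Sysmon-style records (not real telemetry): key=value pairs, no spaces in paths.
var sampleLog = []string{
	`event=ImageLoad image=C:\Windows\System32\svchost.exe loaded=C:\Windows\System32\ntdll.dll signed=true`,
	`event=ImageLoad image=C:\Users\u\AppData\Local\Temp\tc\poweris.exe loaded=C:\Users\u\AppData\Local\Temp\tc\7z-x64.dll signed=false`,
	`event=ImageLoad image=C:\Users\u\AppData\Local\Temp\tc\setup.exe loaded=C:\Users\u\AppData\Local\Temp\tc\helper.dll signed=false`,
	`event=NetworkConnect image=C:\Users\u\AppData\Local\Temp\tc\poweris.exe dst=47.237.15.197:21`,
}

// Artifact names and FTP server published for the campaign (taken from the reporting above).
var artifactNames = map[string]bool{"7z-x64.dll": true, "issiexe.dll": true, "poweris.exe": true}
const ftpC2 = "47.237.15.197"

// base and dir split a Windows path without relying on the host OS separator.
func base(p string) string { return strings.ToLower(p[strings.LastIndexAny(p, `\/`)+1:]) }
func dir(p string) string  { return strings.ToLower(p[:strings.LastIndexAny(p, `\/`)+1]) }
// Triage returns one alert per rule hit: a known artifact name, an unsigned DLL loaded from
// the executable's own directory outside trusted locations, or traffic to the FTP server.
func Triage(lines []string) []string {
	var alerts []string
	for _, line := range lines {
		ev := map[string]string{}
		for _, kv := range strings.Fields(line) {
			if k, v, ok := strings.Cut(kv, "="); ok {
				ev[k] = v
			}
		}
		switch ev["event"] {
		case "ImageLoad":
			if artifactNames[base(ev["loaded"])] || artifactNames[base(ev["image"])] {
				alerts = append(alerts, "campaign artifact: "+ev["image"]+" -> "+ev["loaded"])
			}
			if d := dir(ev["image"]); ev["signed"] == "false" && dir(ev["loaded"]) == d &&
				!strings.HasPrefix(d, `c:\windows\`) && !strings.HasPrefix(d, `c:\program files\`) {
				alerts = append(alerts, "possible DLL side-loading: "+ev["loaded"])
			}
		case "NetworkConnect":
			if host, _, ok := strings.Cut(ev["dst"], ":"); ok && host == ftpC2 {
				alerts = append(alerts, "connection to campaign FTP server from "+ev["image"])
			}
		}
	}
	return alerts
}
func main() { fmt.Println(strings.Join(Triage(sampleLog), "\n")) }
```

The side-loading heuristic is deliberately broader than the campaign's own names, so expect it to surface benign self-contained installers too; treat those hits as triage candidates rather than confirmed compromise.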

Public research on TrueChaos reinforces the increasingly frequent narrative that implicit trust in parts of the infrastructure can be exploited to gain massive access. A single compromised server can mean hundreds of compromised workstations if the operating model assumes that updates always arrive "in good faith". The conclusion is clear: the maintenance and security of update systems must be treated with the same priority as the protection of the endpoints themselves. For more information on the vulnerability analysis and the campaign, see the specialized sources and technical material published by the research teams that track the threat, starting with the security labs and the vendor's official advisories.

Reference links: Check Point's general research page (Check Point Research), the official TrueConf site (TrueConf), MITRE ATT&CK documentation on DLL side-loading (MITRE ATT&CK), CISA resources on supply chain security (CISA) and ESET's historical analysis of ShadowPad (WeLiveSecurity).
