Chinese APT Hijacked TrueConf Updates to Backdoor Governments
Operation TrueChaos exploited CVE-2026-3502 in TrueConf video conferencing to deploy Havoc malware across Southeast Asian government networks.
Check Point Research uncovered a sophisticated espionage campaign that turned trusted software updates into a malware delivery mechanism. Dubbed Operation TrueChaos, the campaign exploited a zero-day vulnerability in the TrueConf video conferencing platform to compromise multiple Southeast Asian government agencies.
The attackers didn't need phishing emails or stolen credentials. They abused the trust relationship between TrueConf's on-premises server and its connected clients, distributing malware disguised as legitimate software updates. Every endpoint configured to receive updates from the compromised server became a target.
The Vulnerability
The flaw, tracked as CVE-2026-3502, earned a CVSS score of 7.8. The TrueConf client failed to verify the integrity of updates fetched from its central server. An attacker who compromised an on-premises TrueConf server could replace legitimate updates with malicious payloads, achieving code execution across the entire connected network.
TrueConf patched the vulnerability in Windows client version 8.5.3, released earlier this month. Organizations running older versions should update immediately.
Attack Chain
According to Check Point's analysis, the attackers first gained control of at least one government's on-premises TrueConf server. From there, they pushed a poisoned update that appeared legitimate to connected clients.
The malicious update performed the expected version upgrade while quietly dropping two additional files:
- poweriso.exe - A legitimate, signed executable used for DLL side-loading
- 7z-x64.dll - The malicious payload masquerading as a 7-Zip library
This technique exploits how Windows loads DLLs. When poweriso.exe runs, it loads the malicious 7z-x64.dll from the same directory, giving attackers code execution under the guise of a trusted application. We've seen similar DLL side-loading techniques in other campaigns targeting enterprise environments.
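The side-loading pattern described above (a signed executable loading a DLL that sits beside it in a writable directory) is something defenders can hunt for in image-load telemetry. The following is an added example, not Check Point's or TrueConf's code, that applies that check to constructed Sysmon Event ID 7 (ImageLoad) records; the field names follow Sysmon, the sample paths are invented for illustration:

```python
from pathlib import PureWindowsPath

# Directories where vendor-installed binaries normally live; a DLL loaded from
# a process's own directory outside these roots is the classic side-loading shape.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Library names tied to a known product; seeing them elsewhere is suspect.
KNOWN_LIBS = {"7z.dll": "7-zip", "7z-x64.dll": "7-zip"}

# Constructed sample records carrying the Sysmon Event ID 7 fields this check uses.
EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "ImageLoaded": r"C:\Program Files\7-Zip\7z.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\TrueConf\Update\poweriso.exe",      # hypothetical path
     "ImageLoaded": r"C:\ProgramData\TrueConf\Update\7z-x64.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def check_event(ev: dict) -> list:
    """Return the reasons (possibly none) this ImageLoad looks like DLL side-loading."""
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    reasons = []
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    if same_dir and not in_trusted_dir(ev["ImageLoaded"]):
        reasons.append("dll loaded from process directory outside trusted roots")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("loaded dll is unsigned")
    # A well-known library name appearing outside its product's install directory.
    product = KNOWN_LIBS.get(dll.name.lower())
    if product and product not in str(dll.parent).lower():
        reasons.append(f"{dll.name} loaded outside a {product} install directory")
    return reasons


def scan(events=EVENTS) -> dict:
    """Map each flagged executable path to the reasons it was flagged."""
    return {ev["Image"]: r for ev in events if (r := check_event(ev))}
```

Only the poweriso.exe record is flagged; the legitimate 7-Zip and Windows loads pass because the DLL lives under a trusted install root.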
The malware performed initial reconnaissance, established persistence, and retrieved additional payloads. The final stage deployed the Havoc command-and-control framework—an open-source post-exploitation tool that's become increasingly popular with threat actors.
Attribution
Check Point assessed with moderate-to-high confidence that a Chinese-nexus threat actor conducted the operation. The attribution rests on observed tactics, techniques, and procedures (TTPs), command-and-control infrastructure patterns, and the victimology focusing on Southeast Asian government targets.
The targeting aligns with known Chinese strategic interests in the region. Southeast Asian governments have been consistent targets of Chinese cyber espionage, particularly around territorial disputes, trade negotiations, and diplomatic communications.
Indicators of Compromise
Check Point released limited IOCs. The campaign used FTP server 47.237.15[.]197 for command-and-control communications. Organizations can check network logs for connections to this address.
The malicious DLL (7z-x64.dll) and the specific update mechanism abuse provide additional detection opportunities for incident responders investigating potential compromises.
Broader Implications
Operation TrueChaos represents a troubling evolution in supply chain attacks. Rather than compromising the software vendor directly, attackers targeted the on-premises deployment. This approach bypasses many supply chain defenses focused on protecting vendor build pipelines.
Enterprise video conferencing platforms present attractive targets. They're widely deployed, run with elevated privileges, and maintain persistent connections to central servers. The COVID-era shift to remote work made these platforms essential infrastructure—and expanded the attack surface considerably.
The attack also highlights risks in update mechanisms. Software that automatically fetches and executes code from internal servers creates implicit trust relationships. If attackers compromise the server, that trust becomes a liability.
Defensive Recommendations
Organizations using TrueConf should:
- Update immediately to version 8.5.3 or later
- Audit server access - Review who has administrative access to on-premises TrueConf infrastructure
- Monitor for IOCs - Check historical network logs for connections to the identified C2 address
- Implement network segmentation - Limit which systems can reach TrueConf servers
- Enable enhanced logging - Capture update activity and DLL loading events for forensic purposes
More broadly, this incident should prompt review of other internally-managed software that implements automatic updates. The same attack pattern could apply to any application that trusts updates from an on-premises server without cryptographic verification.
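The missing control the article points to is cryptographic verification of updates against a key the distribution server does not hold. The following added example, which is not TrueConf's update code, contrasts a client that executes whatever the on-premises server sends with one that only accepts a package vouched for by a manifest signed with a vendor key pinned in the client; the Ed25519 keys, version strings and package bytes are constructed for illustration, and the Python `cryptography` library is assumed to be installed:

```python
import hashlib
import hmac
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def unsafe_apply(package: bytes) -> str:
    """The CVE-2026-3502 shape: run whatever the update server handed over."""
    return "execute:" + sha256_hex(package)[:12]


def verified_apply(vendor_key: Ed25519PublicKey, installed: str,
                   manifest: bytes, signature: bytes, package: bytes) -> str:
    """Execute only if a manifest signed by the pinned vendor key vouches for the package."""
    try:
        vendor_key.verify(signature, manifest)  # signing key stays offline at the vendor, not on the server
    except InvalidSignature:
        return "rejected: manifest signature invalid"
    meta = json.loads(manifest)
    if version_tuple(meta["version"]) <= version_tuple(installed):
        return "rejected: downgrade or replay"  # a genuine but old manifest must not be re-served
    if not hmac.compare_digest(meta["sha256"], sha256_hex(package)):
        return "rejected: package hash mismatch"
    return "execute:" + sha256_hex(package)[:12]


def demo() -> dict:
    vendor = Ed25519PrivateKey.generate()  # constructed vendor signing key
    genuine = b"genuine client 8.5.3 installer"  # constructed stand-ins for real packages
    trojan = b"installer + poweriso.exe + 7z-x64.dll"
    manifest = json.dumps({"version": "8.5.3", "sha256": sha256_hex(genuine)}).encode()
    sig, pub = vendor.sign(manifest), vendor.public_key()
    # A compromised server can swap the package, or sign a forged manifest with a key of its own.
    forged = json.dumps({"version": "8.5.4", "sha256": sha256_hex(trojan)}).encode()
    forged_sig = Ed25519PrivateKey.generate().sign(forged)
    return {
        "legacy_client": unsafe_apply(trojan),
        "swapped_package": verified_apply(pub, "8.5.2", manifest, sig, trojan),
        "forged_manifest": verified_apply(pub, "8.5.2", forged, forged_sig, trojan),
        "replayed_old": verified_apply(pub, "8.5.3", manifest, sig, genuine),
        "genuine": verified_apply(pub, "8.5.2", manifest, sig, genuine),
    }
```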
Supply chain security has focused heavily on software vendors. Operation TrueChaos demonstrates that enterprise deployments create their own supply chain risks—ones that sophisticated adversaries are increasingly willing to exploit.