TrueConf zero-day (CVE-2026-3502) exploited to deliver Havoc C2 payloads via malicious software updates
Summary
Actors exploited a zero-day vulnerability (CVE-2026-3502) in the TrueConf video conferencing platform to replace legitimate software updates with malicious executables on self-hosted servers, thereby distributing payloads to every connected endpoint. The flaw, affecting versions 8.1.0–8.5.2, stems from missing integrity checks in the update mechanism, which let attackers serve fake updates that clients execute with full trust. Targeted entities include government agencies in Southeast Asia, with infections observed since January 2026 in the TrueChaos campaign. Impact includes lateral movement, privilege escalation via UAC bypass, and likely deployment of the Havoc C2 implant for further compromise.
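The root cause above is an updater that trusts whatever its server serves. The following Python is an added illustration, not TrueConf's code and not from the cited article: it contrasts an install routine with no integrity check against one that authenticates a manifest and checks the payload digest before installing. The manifest format, the function names and the sample payloads are assumptions, and a stdlib HMAC with a pre-shared key stands in for the asymmetric signature a real vendor would use, so the example runs offline.

```python
import hashlib
import hmac

# Assumption: a key the client trusts for authenticating update manifests. A real
# updater would pin a vendor public key and verify an asymmetric signature; a
# stdlib HMAC stands in here so the example runs offline.
MANIFEST_KEY = b"demo-manifest-signing-key"

# Constructed sample payloads: what a genuine build and a swapped-in binary look
# like to the client (arbitrary bytes; no real installer content).
GENUINE_UPDATE = b"MZ\x90\x00" + b"genuine-build-8.5.3" * 4
SWAPPED_UPDATE = b"MZ\x90\x00" + b"attacker-served-binary" * 4


def _manifest_body(version: str, sha256_hex: str) -> bytes:
    """Canonical bytes covered by the manifest MAC: version and payload digest."""
    return f"{version}\n{sha256_hex}".encode()


def sign_manifest(version: str, payload: bytes, key: bytes = MANIFEST_KEY) -> dict:
    """Build-side step: record the payload digest and authenticate it (assumed format)."""
    digest = hashlib.sha256(payload).hexdigest()
    mac = hmac.new(key, _manifest_body(version, digest), hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "mac": mac}


def vulnerable_install(payload: bytes, claimed_version: str) -> str:
    """The weak pattern the advisory describes: the server's word is taken for the
    payload's authenticity, so a compromised server can ship any binary."""
    return f"installed {claimed_version} ({len(payload)} bytes, unverified)"


def hardened_install(payload: bytes, manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    """Verify the manifest, then the payload against it, before installing anything."""
    expected_mac = hmac.new(
        key, _manifest_body(manifest["version"], manifest["sha256"]), hashlib.sha256
    ).hexdigest()
    # Constant-time comparisons avoid leaking where a forged MAC or digest diverges.
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        raise ValueError("manifest authentication failed; refusing update")
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"]):
        raise ValueError("payload digest does not match manifest; refusing update")
    return f"installed {manifest['version']} ({len(payload)} bytes, verified)"


def run_scenario() -> dict:
    """Serve a genuine update, then simulate a server that swaps the binary."""
    manifest = sign_manifest("8.5.3", GENUINE_UPDATE)
    results = {
        "vulnerable_accepts_swap": vulnerable_install(SWAPPED_UPDATE, "8.5.3"),
        "hardened_accepts_genuine": hardened_install(GENUINE_UPDATE, manifest),
    }
    try:
        hardened_install(SWAPPED_UPDATE, manifest)
        results["hardened_rejects_swap"] = False
    except ValueError as exc:
        results["hardened_rejects_swap"] = str(exc)
    # A server that also rewrites the manifest without the trusted key is caught too.
    forged = sign_manifest("8.5.3", SWAPPED_UPDATE, key=b"attacker-guess")
    try:
        hardened_install(SWAPPED_UPDATE, forged)
        results["hardened_rejects_forged_manifest"] = False
    except ValueError as exc:
        results["hardened_rejects_forged_manifest"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The design point is that the check must bind the payload to something the server alone cannot produce: a digest pinned in a manifest that is itself authenticated under a key the server does not hold. Checking only a version string, or a digest served alongside the binary by the same server, adds nothing against a compromised update host.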
Timeline
- 02.04.2026 00:35 · 1 article
TrueConf zero-day exploited to distribute Havoc C2 payloads via malicious software updates
Zero-day vulnerability CVE-2026-3502 in TrueConf’s update mechanism was exploited to replace legitimate updates with malicious executables on self-hosted servers. Starting January 2026, the TrueChaos campaign delivered these fake updates to government agencies in Southeast Asia, achieving code execution on all connected clients. Infections followed a chain including DLL sideloading, reconnaissance, privilege escalation via UAC bypass, and deployment of the Havoc C2 framework for continued compromise.
Sources:
- Hackers exploit TrueConf zero-day to push malicious software updates — www.bleepingcomputer.com — 02.04.2026 00:35
Information Snippets
- CVE-2026-3502 is a medium-severity flaw caused by missing integrity checks in the TrueConf update mechanism, allowing legitimate updates to be replaced with malicious binaries.
- The vulnerability affects TrueConf versions 8.1.0 through 8.5.2; the vendor patch was issued in version 8.5.3 (March 2026).
- TrueConf is primarily used in self-hosted, closed environments; over 100,000 organizations adopted the platform during the COVID-19 pandemic, including military, government, energy, and air traffic control entities.
- The TrueChaos campaign has exploited CVE-2026-3502 since January 2026 against government targets in Southeast Asia.
- Attackers compromised a centrally managed TrueConf server to push malicious updates to all connected clients under the guise of legitimate software versions.
- The infection chain includes DLL sideloading, reconnaissance tools (tasklist, tracert), UAC bypass via iscicpl.exe, persistence mechanisms, and delivery of the Havoc C2 framework.
- Havoc is an open-source C2 framework capable of executing commands, managing processes, manipulating tokens, executing shellcode, and deploying additional payloads; it was previously used by the Chinese cluster Amaranth Dragon.
- Indicators of compromise include poweriso.exe, 7z-x64.dll, %AppData%\Roaming\Adobe\update.7z, and iscsiexe.dll.
All snippets first reported 02.04.2026 00:35 (1 source, 1 article).
Sources:
- Hackers exploit TrueConf zero-day to push malicious software updates — www.bleepingcomputer.com — 02.04.2026 00:35