The Trojan Meeting: How “TrueChaos” Turns TrueConf Video Calls into State-Sponsored Spyware
Attackers have found a way to turn a corporate video conferencing platform into a mass-infection vector. The target is TrueConf, a platform used by government bodies and large enterprises alike.
The flaw, tracked as CVE-2026-3502, lies in the update mechanism, which does not properly verify the integrity of incoming update packages. An attacker can therefore replace a legitimate update with a malicious one and push it to every connected client. The user sees an ordinary software update while in fact running attacker-supplied code.
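The weakness described above is an update path that executes whatever package the server hands out. The following is an added example, not TrueConf's code or Check Point's, showing that unverified pattern next to a client that checks a signed manifest and the package hash before running anything. The vendor key, manifest format, file contents and the version string 8.5.4 are constructed for the example; a real updater would verify a public-key signature (for instance Ed25519) against a pinned vendor key rather than the HMAC stand-in used here so the code runs on the standard library alone.

```python
"""Added example (not TrueConf's code): an update path that accepts any
package versus one that verifies origin and integrity before execution."""
import hashlib
import hmac
import json
import os
import tempfile

# Stand-in for the vendor's signing key. A real updater would verify a
# public-key signature with a pinned vendor public key; HMAC with a shared
# secret is used here only so the example runs on the standard library.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Return the authenticity tag over a canonical encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def install_update_unverified(package_path: str) -> str:
    """The vulnerable pattern: whatever the server serves is 'installed'."""
    return f"executed {os.path.basename(package_path)}"


def install_update_verified(package_path: str, manifest: dict, signature: str,
                            key: bytes = VENDOR_KEY) -> str:
    """Refuse to execute unless the manifest is authentic and the package matches it."""
    expected_sig = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_sig, signature):
        raise ValueError("manifest signature mismatch: refusing update")
    actual = sha256_file(package_path)
    if not hmac.compare_digest(actual, manifest["sha256"]):
        raise ValueError("package hash does not match signed manifest")
    return f"executed {os.path.basename(package_path)}"


def demo() -> dict:
    """Build a legitimate package, then swap it on the 'server' (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "update.exe")
        with open(pkg, "wb") as f:
            f.write(b"legitimate update bytes")
        manifest = {"version": "8.5.3", "sha256": sha256_file(pkg)}
        sig = sign_manifest(manifest)
        results = {"verified_good": install_update_verified(pkg, manifest, sig)}

        # Attacker replaces the file on the server; manifest and signature stay.
        with open(pkg, "wb") as f:
            f.write(b"malicious payload bytes")
        results["unverified_bad"] = install_update_unverified(pkg)
        try:
            install_update_verified(pkg, manifest, sig)
            results["verified_bad"] = "executed"
        except ValueError as e:
            results["verified_bad"] = str(e)

        # Attacker also tries a fresh manifest for the tampered file without the key.
        forged = {"version": "8.5.4", "sha256": sha256_file(pkg)}  # constructed version
        try:
            install_update_verified(pkg, forged, sign_manifest(forged, b"wrong-key"))
            results["forged_manifest"] = "executed"
        except ValueError as e:
            results["forged_manifest"] = str(e)
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unverified client runs the swapped file without complaint; the verifying client rejects both a tampered package under the genuine manifest and a re-hashed manifest that was not produced with the vendor key. The hash check alone is not enough: the manifest must itself be authenticated, otherwise the attacker simply ships a manifest matching their payload.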
TrueConf is often deployed in isolated, air-gapped networks with no internet access. The platform's popularity rose during the pandemic, when tens of thousands of organizations moved to remote work. Its customers include military command structures, government departments, petrochemical companies, and air traffic control authorities.
Check Point researchers have tracked a campaign dubbed TrueChaos since the start of the year. The attacks target government organizations across Southeast Asia and use the vulnerability as a zero-day. Once the attacker gains access to an internal TrueConf server, they swap the update file for a malicious one, infecting every connected client at once.
After the initial compromise, the attackers deploy additional components to collect system information and obtain administrative privileges. The attack chain has been seen abusing native Windows utilities, bypassing User Account Control (UAC), and establishing covert persistence. The final payload has not been recovered, but network telemetry points to Havoc, an open-source command-and-control framework previously used by the Amaranth Dragon group in similar operations.
Circumstantial evidence ties the activity to a China-linked actor, based on tradecraft, command infrastructure, and the choice of targets.
The vulnerability affects TrueConf versions 8.1.0 through 8.5.2. A fix shipped in March 2026 with version 8.5.3. Indicators of compromise include the appearance of files such as poweriso.exe and 7z-x64.dll, along with suspicious archives and libraries in user directories.
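The indicators above are file-level, so a first triage step is a sweep of user profile directories for the named artifacts and for archives or libraries that have no business there. The following is an added example, not code from the report or from Check Point, that performs that sweep and returns each hit with its SHA-256 for further checking. The directory layout and file contents are constructed for the example; the extension list is an assumption, since the report names only the two files, so hits on that list are triage candidates rather than verdicts.

```python
"""Added example (not from the report): hunt user profile directories for the
TrueChaos artifacts the report names, plus suspect archives and libraries."""
import hashlib
import tempfile
from pathlib import Path

# Filenames the report cites as hallmarks of compromise (matched case-insensitively).
KNOWN_ARTIFACTS = {"poweriso.exe", "7z-x64.dll"}
# Extensions treated as "suspect archives and libraries" in a user directory.
# Assumption: the report does not list extensions; these are common choices.
SUSPECT_EXTENSIONS = {".7z", ".zip", ".rar", ".dll"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(user_root: Path) -> list:
    """Walk every profile under user_root and collect files worth a closer look."""
    findings = []
    for p in user_root.rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower()
        if name in KNOWN_ARTIFACTS:
            reason = "named artifact"
        elif p.suffix.lower() in SUSPECT_EXTENSIONS:
            reason = "suspect archive/library in user directory"
        else:
            continue
        findings.append({
            "path": str(p.relative_to(user_root)),
            "reason": reason,
            "sha256": sha256_file(p),
        })
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Constructed profile tree: two named artifacts, one stray archive, one benign file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        temp = root / "alice" / "AppData" / "Local" / "Temp"
        temp.mkdir(parents=True)
        (temp / "PowerISO.exe").write_bytes(b"constructed sample 1")
        (temp / "7z-x64.dll").write_bytes(b"constructed sample 2")
        downloads = root / "alice" / "Downloads"
        downloads.mkdir()
        (downloads / "report.7z").write_bytes(b"constructed sample 3")
        docs = root / "bob" / "Documents"
        docs.mkdir(parents=True)
        (docs / "notes.txt").write_bytes(b"benign text")
        return hunt(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['reason']:<45} {f['path']}  {f['sha256'][:16]}")
```

On a real host you would point `hunt()` at the profiles root (for example `C:\Users`) and feed the hashes into whatever reputation or sandbox workflow you already have; the named-artifact hits deserve immediate attention, while the extension hits need context before they mean anything.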