{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-3502/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TrueChaos"],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-3502"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["trueconf","zero-day","cve-2026-3502","supply-chain attack"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA threat actor, possibly with a Chinese nexus, is exploiting CVE-2026-3502, a zero-day vulnerability in TrueConf versions 8.1.0 through 8.5.2. The flaw lets an attacker who controls a TrueConf server replace legitimate software updates with malicious ones, leading to arbitrary code execution on every connected client. The attacks, tracked as \u0026ldquo;TrueChaos\u0026rdquo; since the beginning of 2026, have targeted government entities in Southeast Asia. TrueConf, a video conferencing platform popular with military forces, government agencies, oil and gas corporations, and air traffic management companies, saw increased adoption during the COVID-19 pandemic. The attacker exploits the absence of an integrity check in the client update mechanism to deliver malware disguised as a legitimate TrueConf update. A fix was released in version 8.5.3 in March 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains control of an on-premises TrueConf server.\u003c/li\u003e\n\u003cli\u003eThe attacker replaces the expected update package with a malicious executable.\u003c/li\u003e\n\u003cli\u003eThe compromised TrueConf server distributes the malicious update to connected clients.\u003c/li\u003e\n\u003cli\u003eClients accept the server-provided update without verifying its integrity and download the malicious file.\u003c/li\u003e\n\u003cli\u003eThe malicious file is executed under the guise of a legitimate TrueConf update and initiates DLL sideloading.\u003c/li\u003e\n\u003cli\u003eBuilt-in reconnaissance tools such as tasklist and tracert are run.\u003c/li\u003e\n\u003cli\u003ePrivilege escalation is attempted through a UAC bypass that abuses iscsicpl.exe.\u003c/li\u003e\n\u003cli\u003ePersistence is established, and network traffic indicates likely deployment of the Havoc C2 framework for further command execution and payload delivery.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3502 allows attackers to execute arbitrary code on all TrueConf clients connected to a compromised server. This can lead to widespread malware infections, data theft, and compromise of sensitive systems, especially in the government, military, and critical infrastructure sectors that rely on TrueConf for secure communications. The number of affected organizations is potentially high, considering that over 100,000 organizations transitioned to TrueConf during the COVID-19 pandemic.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade TrueConf servers to version 8.5.3 or later to patch CVE-2026-3502. Patching the server does not undo updates it has already served: treat any client that installed an update from a server while it was compromised as potentially infected.\u003c/li\u003e\n\u003cli\u003eMonitor for the presence of \u003ccode\u003epoweriso.exe\u003c/code\u003e or \u003ccode\u003e7z-x64.dll\u003c/code\u003e on endpoints; these are strong indicators of compromise, particularly on hosts where PowerISO is not an installed application.\u003c/li\u003e\n\u003cli\u003eInvestigate systems with suspicious artifacts such as \u003ccode\u003eAppData\\\\Roaming\\\\Adobe\\\\update.7z\u003c/code\u003e in a user profile or a copy of \u003ccode\u003eiscsiexe.dll\u003c/code\u003e outside \u003ccode\u003eSystem32\u003c/code\u003e (the copy in \u003ccode\u003eSystem32\u003c/code\u003e is a legitimate Windows component).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious TrueConf Update Execution\u0026rdquo; to detect malicious updates executing from the TrueConf directory.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to known Havoc C2 infrastructure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T12:00:00Z","date_published":"2026-04-02T12:00:00Z","id":"/briefs/2026-04-trueconf-zero-day/","summary":"Hackers exploited a zero-day vulnerability (CVE-2026-3502) in TrueConf conference servers to execute arbitrary code on connected endpoints, potentially deploying the Havoc C2 framework.","title":"TrueConf Zero-Day Exploitation Leading to Arbitrary Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-trueconf-zero-day/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-3502","version":"https://jsonfeed.org/version/1.1"}
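The attack chain in the brief works because the client executes whatever update the server hands it. The following is an added example, not TrueConf's or CraftedSignal's code, of the check a client updater needs so that a compromised on-premises server cannot substitute, re-sign, or replay an update: the vendor signs a manifest (version and SHA-256 of the package) with a release key, the client holds only the pinned public key, and nothing runs until signature, anti-rollback and digest checks pass. The manifest layout, the numeric build numbers standing in for 8.5.2/8.5.3, and the package bytes are constructed for illustration.

```go
package main

// Added example of client-side update verification; not TrueConf's updater.
// Manifest layout, version numbers and package bytes are constructed.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest travels with an update package. The vendor signs Version||Digest on
// release infrastructure; an on-premises server only relays it and cannot forge it.
type Manifest struct {
	Version uint32   // build number; must increase monotonically
	Digest  [32]byte // SHA-256 of the package bytes
	Sig     []byte   // Ed25519 signature by the vendor release key
}

var (
	ErrBadSignature = errors.New("manifest not signed by the pinned vendor key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrDigest       = errors.New("package bytes do not match the signed digest")
)

func signedBytes(version uint32, digest [32]byte) []byte {
	b := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(b, version)
	copy(b[4:], digest[:])
	return b
}

// SignManifest is the vendor side. The private key must never exist on a
// customer-hosted server, which is exactly the component the attack chain compromises.
func SignManifest(vendorPriv ed25519.PrivateKey, version uint32, pkg []byte) Manifest {
	d := sha256.Sum256(pkg)
	return Manifest{Version: version, Digest: d, Sig: ed25519.Sign(vendorPriv, signedBytes(version, d))}
}

// VerifyUpdate is the check the vulnerable client lacked. vendorPub is pinned in
// the client, so a server that swaps the package, re-signs with its own key, or
// replays an old release is rejected before anything executes.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, m Manifest, pkg []byte) error {
	if !ed25519.Verify(vendorPub, signedBytes(m.Version, m.Digest), m.Sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(pkg) != m.Digest {
		return ErrDigest
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, serverPriv, _ := ed25519.GenerateKey(rand.Reader) // a key an attacker on the server could mint
	const installed = 852                                 // stands in for "8.5.2"

	good := []byte("constructed stand-in for the genuine 8.5.3 package")
	evil := []byte("constructed stand-in for a substituted malicious package")

	legit := SignManifest(vendorPriv, 853, good)
	fmt.Println("genuine update:     ", VerifyUpdate(vendorPub, installed, legit, good))
	fmt.Println("package swapped:    ", VerifyUpdate(vendorPub, installed, legit, evil))
	fmt.Println("re-signed by server:", VerifyUpdate(vendorPub, installed, SignManifest(serverPriv, 854, evil), evil))
	fmt.Println("old release replay: ", VerifyUpdate(vendorPub, installed, SignManifest(vendorPriv, 810, good), good))
}
```

Signature verification runs before the version comparison so that an unsigned manifest can never influence the rollback decision, and the digest is checked last because only a signed manifest's digest is worth comparing against. A real client would additionally pin the key in a way an attacker with server access cannot rotate, and log every rejection as a security event rather than silently retrying.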
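The recommendations list host indicators (poweriso.exe, 7z-x64.dll, the staged update.7z archive, iscsiexe.dll) and a UAC bypass through iscsicpl.exe. The following added example, which is not the brief's Sigma rule and not CraftedSignal's code, applies those indicators to a stream of Sysmon-style events (EventID 1 process create, 7 image load, 11 file create) so the false-positive edges are explicit: iscsiexe.dll is a legitimate Windows DLL and only a copy loaded from outside System32 counts, and tasklist/tracert are only interesting when spawned by the sideloading host. The rule that ties iscsicpl.exe to a non-System32 iscsiexe.dll, the assumption that poweriso.exe is the parent of the reconnaissance tools, the hostnames and the TrueConf install path are all constructed assumptions, not facts from the brief.

```go
package main

// Added detector for the brief's host indicators over Sysmon-style events.
// Not the brief's Sigma rule. Events, hostnames and install paths are constructed.

import (
	"bufio"
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

type Event struct {
	EventID        int    `json:"EventID"` // 1 process create, 7 image load, 11 file create
	Host           string `json:"Host"`
	Image          string `json:"Image"`
	ParentImage    string `json:"ParentImage"`
	ImageLoaded    string `json:"ImageLoaded"`
	TargetFilename string `json:"TargetFilename"`
}

type Finding struct{ Host, Rule, Artifact string }

// base returns the lower-cased file name of a Windows path regardless of host OS.
func base(p string) string { return strings.ToLower(path.Base(strings.ReplaceAll(p, `\`, "/"))) }

func inSystem32(p string) bool { return strings.Contains(strings.ToLower(p), `\windows\system32\`) }

// Evaluate returns every rule an event matches. The iscsicpl rule assumes the UAC
// bypass loads iscsiexe.dll from a writable path (an assumption, not stated in
// the brief); the recon rule assumes poweriso.exe is the parent (also assumed).
func Evaluate(e Event) []string {
	var hits []string
	img, parent, loaded := base(e.Image), base(e.ParentImage), base(e.ImageLoaded)
	switch e.EventID {
	case 1:
		if img == "poweriso.exe" {
			hits = append(hits, "ioc_binary_poweriso")
		}
		if (img == "tasklist.exe" || img == "tracert.exe") && parent == "poweriso.exe" {
			hits = append(hits, "recon_from_sideload_host")
		}
	case 7:
		// iscsiexe.dll legitimately lives in System32; only other copies are IOCs.
		if (loaded == "7z-x64.dll" || loaded == "iscsiexe.dll") && !inSystem32(e.ImageLoaded) {
			hits = append(hits, "ioc_dll_outside_system32")
		}
		if img == "iscsicpl.exe" && loaded == "iscsiexe.dll" && !inSystem32(e.ImageLoaded) {
			hits = append(hits, "iscsicpl_uac_bypass_sideload")
		}
	case 11:
		if strings.HasSuffix(strings.ToLower(e.TargetFilename), `\appdata\roaming\adobe\update.7z`) {
			hits = append(hits, "staged_update_archive")
		}
	}
	return hits
}

// Scan reads newline-delimited JSON events and returns all findings.
func Scan(ndjson string) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		artifact := e.ImageLoaded
		if artifact == "" {
			artifact = e.TargetFilename
		}
		if artifact == "" {
			artifact = e.Image
		}
		for _, r := range Evaluate(e) {
			out = append(out, Finding{Host: e.Host, Rule: r, Artifact: artifact})
		}
	}
	return out, sc.Err()
}

// SampleEvents is constructed telemetry: ws17 shows the chain, ws02 is a clean
// host that runs tasklist from a shell and loads the real System32 iscsiexe.dll.
const SampleEvents = `
{"EventID":1,"Host":"ws17","Image":"C:\\Program Files\\TrueConf\\Client\\update\\poweriso.exe","ParentImage":"C:\\Program Files\\TrueConf\\Client\\TrueConf.exe"}
{"EventID":7,"Host":"ws17","Image":"C:\\Program Files\\TrueConf\\Client\\update\\poweriso.exe","ImageLoaded":"C:\\Program Files\\TrueConf\\Client\\update\\7z-x64.dll"}
{"EventID":11,"Host":"ws17","Image":"C:\\Program Files\\TrueConf\\Client\\update\\poweriso.exe","TargetFilename":"C:\\Users\\alice\\AppData\\Roaming\\Adobe\\update.7z"}
{"EventID":1,"Host":"ws17","Image":"C:\\Windows\\System32\\tasklist.exe","ParentImage":"C:\\Program Files\\TrueConf\\Client\\update\\poweriso.exe"}
{"EventID":7,"Host":"ws17","Image":"C:\\Windows\\System32\\iscsicpl.exe","ImageLoaded":"C:\\Users\\alice\\AppData\\Local\\Temp\\iscsiexe.dll"}
{"EventID":1,"Host":"ws02","Image":"C:\\Windows\\System32\\tasklist.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":7,"Host":"ws02","Image":"C:\\Windows\\System32\\iscsicpl.exe","ImageLoaded":"C:\\Windows\\System32\\iscsiexe.dll"}
`

func main() {
	findings, err := Scan(SampleEvents)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-5s %-30s %s\n", f.Host, f.Rule, f.Artifact)
	}
}
```

Running it yields six findings, all on ws17, and nothing on ws02 even though ws02 runs tasklist and loads iscsiexe.dll; that distinction is what separates a usable rule from one that pages on every workstation that opens the iSCSI control panel.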