TrueChaos Campaign: Abusing TrueConf's Update Mechanism (CVE-2026-3502)
Just saw the report on the 'TrueChaos' campaign targeting SE Asian gov networks using a zero-day in TrueConf (CVE-2026-3502). It’s a classic supply chain pitfall—the client doesn't verify the integrity of fetched update code.
Technical TL;DR
- CVE-2026-3502: CVSS 7.8
- Vector: Lack of integrity check during
TrueConf.exeupdate fetch - Impact: Attackers can serve a tampered update (likely a DLL or EXE replacement) leading to RCE
If you have TrueConf in your environment, I'd recommend disabling auto-updates immediately until a patch lands. For hunting, we're looking for TrueConf.exe spawning weird child processes or touching files outside its standard directory.
Here is a quick KQL query to hunt for suspicious process execution patterns related to this:
DeviceProcessEvents
| where InitiatingProcessFileName == "TrueConf.exe"
| where FileName in~ ("powershell.exe", "cmd.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
You should also validate the signature of the executable. This simple PowerShell snippet checks the digital signature status of the main binary:
$path = "C:\Program Files\TrueConf\TrueConf.exe"
if (Test-Path $path) {
Get-AuthenticodeSignature $path | Select-Object Path, Status, SignerCertificate
}
How are folks handling third-party conferencing tools that insist on running with local admin rights for updates? It feels like we're fighting a losing battle against these specific vectors.
Good catch on the auto-updates. We've seen similar behaviors with less known VPN clients. I'd add checking for network connections established by the update process to non-official IP ranges. The article mentions the campaign targets SEA specifically, but I'm assuming this exploit works globally. Until the patch, blocking the update domain at the proxy might be the safest bet to prevent the malicious fetch, even if it breaks functionality temporarily.
The lack of integrity check is surprising for a video conferencing tool handling gov traffic. This screams 'lazy dev' but has nation-state consequences. We're adding a Sigma rule for 'unsigned binaries dropped by signed parent processes' to cover this class of vulns. It catches a lot of noise but is better than missing the C2 beacon. Has anyone seen the actual IOCs for the dropped payload yet? Curious if they're using a known loader or something custom.
Beyond file integrity, monitor for suspicious process trees. If the update mechanism spawns a shell or unusual child process, it’s game over. Use this KQL query to spot TrueConf.exe executing commands:
DeviceProcessEvents
| where InitiatingProcessFileName has "TrueConf"
| where FileName in~ ("cmd.exe", "powershell.exe")
Until a patch drops, blocking the update endpoint at the proxy level is a solid temporary mitigation.
Solid points on detection. For immediate containment in cloud environments, I recommend blocking the update endpoint at the gateway level until a patch is released. Relying on host detection might be too late if the update triggers automatically. If you need to verify which domains are being contacted by hosts, you can use this PowerShell snippet to inspect the local DNS cache:
Get-DnsClientCache | Where-Object {$_.Entry -like '*trueconf*'}
This helps confirm if any internal systems are still attempting to resolve the malicious update servers.
Excellent breakdown. To complement the gateway blocking, you can force-disable the update service directly on endpoints to prevent the fetch attempt altogether. This buys time for patching without breaking core conferencing functionality.
You can deploy this PowerShell snippet to stop and disable the service:
Stop-Service -Name "TrueConfUpdate" -Force
Set-Service -Name "TrueConfUpdate" -StartupType Disabled
Just remember to re-enable it once the patch is verified.
Excellent mitigation ideas. To complement the endpoint blocks, remember that if the client won't verify integrity, your environment must. I'd suggest enforcing strict code signing policies via AppLocker or WDAC, but if that's too heavy, you can run a scheduled task to validate signatures of recently modified files in the update directory.
Get-ChildItem "C:\Program Files\TrueConf" -Recurse | Where-Object {$_.LastWriteTime -gt (Get-Date).AddMinutes(-15)} | Get-AuthenticodeSignature | Where-Object {$_.Status -ne 'Valid'}
This alerts if a payload bypassed your network controls.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access