Government agencies, the military, and operators of critical infrastructure all use TrueConf, a popular video conferencing platform. This article looks at how its update mechanism can be brought under attacker control: researchers found a serious flaw in how the application handles software updates.
If an attacker controls the central TrueConf server, they can easily swap real updates for malicious ones. Based on the tactics, techniques, and cloud infrastructure used, Check Point researchers assess with moderate confidence that a Chinese-nexus threat actor is behind Operation TrueChaos. TrueConf version 8.5.3.3 fixes the problem and is available free of charge from the TrueConf website or the Microsoft App Store.
The vulnerability is tracked as CVE-2026-3502 and has been exploited in a campaign named Operation TrueChaos. The attack proceeded in stages:
1. A malicious 7z-x64.dll was loaded via DLL side-loading into the trusted poweriso.exe process, hijacking its execution.
2. The implant performed reconnaissance, surveying the network and enumerating running processes.
3. A second-stage loader was downloaded from an attacker-controlled remote server.
4. Windows UAC bypasses were used to elevate privileges on the compromised hosts.
5. The implant connected to an attacker-controlled command-and-control (C2) server and from there downloaded the Havoc post-exploitation payload, a popular framework for post-exploitation access, lateral movement, and data theft.
Defenders should look for the following indicators of compromise:
- Unsigned update files in the TrueConf update folder
- poweriso.exe or 7z-x64.dll appearing in the ProgramData folder where they should not be
- Unauthorized registry Run keys added after the update
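The following hunt script is an added example and is not code from the article, from TrueConf, or from Check Point. It turns the indicator list above (and the side-loading stage of the attack chain) into a read-only check a responder can run in an elevated PowerShell session: it looks for update artifacts that fail Authenticode validation, for the poweriso.exe / 7z-x64.dll pair on disk under ProgramData or already loaded in a running process, and for Run-key entries whose target was created after the update or points at those files. The update folder path and the update timestamp are assumptions (placeholders); the Run-key paths are the standard Windows locations.

```powershell
# Added example, not code from the article, TrueConf or Check Point: a read-only
# hunt for the indicator classes the article lists. Values marked ASSUMPTION
# are placeholders for this host.
param(
    # ASSUMPTION: where the TrueConf client caches downloaded updates.
    [string]$UpdateFolder = (Join-Path $env:ProgramData 'TrueConf\Updates'),
    # ASSUMPTION: when the legitimate 8.5.3.3 update was installed. Run entries
    # whose target executable was created after this point are flagged.
    [datetime]$UpdateTime = (Get-Date).AddDays(-7)
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Location = $Location; Detail = $Detail })
}
$sideloadNames = @('poweriso.exe', '7z-x64.dll')

# 1. Update artifacts whose Authenticode signature is missing or invalid.
if (Test-Path -LiteralPath $UpdateFolder) {
    Get-ChildItem -LiteralPath $UpdateFolder -Recurse -File |
        Where-Object { $_.Extension -in @('.exe', '.dll', '.msi') } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                Add-Finding 'UnsignedUpdateFile' $_.FullName "Signature status: $($sig.Status)"
            }
        }
}

# 2. The side-loading pair dropped under ProgramData; both files in one
#    directory is the stronger signal.
Get-ChildItem -LiteralPath $env:ProgramData -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $sideloadNames -contains $_.Name.ToLowerInvariant() } |
    ForEach-Object {
        $other  = if ($_.Name -ieq 'poweriso.exe') { '7z-x64.dll' } else { 'poweriso.exe' }
        $paired = Test-Path -LiteralPath (Join-Path $_.DirectoryName $other)
        $detail = if ($paired) { "co-located with $other (side-loading pair)" } else { 'single file' }
        Add-Finding 'SideloadArtifact' $_.FullName $detail
    }

# 3. A live poweriso.exe with the side-loaded DLL already mapped.
Get-Process -Name poweriso -ErrorAction SilentlyContinue | ForEach-Object {
    $detail = 'running; module list unavailable'
    try {
        $mod = $_.Modules | Where-Object { $_.ModuleName -ieq '7z-x64.dll' }
        $detail = if ($mod) { "7z-x64.dll loaded from $($mod.FileName)" } else { 'running; DLL not observed' }
    } catch { }
    Add-Finding 'SideloadProcess' "PID $($_.Id) $($_.Path)" $detail
}

# 4. Run keys: targets newer than the update, pointing at the pair, or missing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $entries = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not a Run value
        $cmd = ([string]$prop.Value).Trim()
        # Executable path: the quoted token if present, else the first whitespace-delimited token.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $reason = $null
        if ($sideloadNames -contains ([IO.Path]::GetFileName($exe)).ToLowerInvariant()) {
            $reason = 'points at side-loading artifact'
        } elseif (Test-Path -LiteralPath $exe) {
            $created = (Get-Item -LiteralPath $exe).CreationTime
            if ($created -gt $UpdateTime) { $reason = "target created $created, after the update" }
        } else {
            $reason = 'target not found on disk'
        }
        if ($reason) { Add-Finding 'RunKeyEntry' "$key\$($prop.Name)" "$cmd ($reason)" }
    }
}

if ($findings.Count -eq 0) { 'No TrueChaos-style indicators found.' }
else { $findings | Sort-Object Indicator | Format-Table -AutoSize -Wrap }
```

Every hit is a lead for triage rather than a verdict: a legitimately updated product will also create Run entries whose targets are newer than an older baseline, so set `-UpdateTime` to the real install time and review the `SideloadArtifact` and `UnsignedUpdateFile` rows first, since those map most directly to the chain described above.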