TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Check Point Research

Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets

stcpresearch · 2026-03-31

ATT&CK techniques detected

15 predictions
T1195.002 Compromise Software Supply Chain
91%
“…update prompt claiming that a newer version was available. Prior to the victim’s interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the nor…”
T1195.002 Compromise Software Supply Chain
87%
“…server}/downlods/trueconf_client.exe, which maps to the file stored on the server under C:\Program Files\TrueConf Server\ClientInstFiles\. TrueConf client update starts when the client detects a version mismatch in favor of the TrueConf on-premises server, the c…”
T1190 Exploit Public-Facing Application
84%
“…with moderate confidence that Operation TrueChaos is associated with a Chinese-nexus threat actor. The assessment is based on a combination of factors, including TTPs consistent with Chinese-nexus operations such as DLL sideloading, the use of Alibaba Cloud and Tencent hostin…”
T1190 Exploit Public-Facing Application
76%
“Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets. Key Points. Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse o…”
T1548.002 Bypass User Account Control
67%
“…\cmd.exe c:\windows\syswow64\iscsicpl.exe. iscsicpl.exe is a legitimate Windows binary that can be abused for UAC bypass because its 32-bit SysWOW64 version is auto-elevated and is vulnerable to DLL search-order hijacking for iscsiexe.dll. By placing a malicious …”
T1574 Hijack Execution Flow
66%
“…update prompt claiming that a newer version was available. Prior to the victim’s interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the nor…”
T1190 Exploit Public-Facing Application
59%
“…26e366ac480b077067cf iscsiexe.dll – loader 9b435ad985b733b64a6d5f39080f4ae0 7z-x64.dll – Havoc implant 248a4d7d4c48478dcbeade8f7dba80b3 43.134.90[.]60 – Havoc C2 43.134.52[.]221 – Havoc C2 47.237.15[.]197 – Havoc C2. The post Operation TrueChaos: 0-Day Exploita…”
T1548.002 Bypass User Account Control
54%
“…attacker performed a series of hands-on-keyboard actions focused on reconnaissance, environment preparation, persistence, and the retrieval of additional payloads. Initial reconnaissance included commands such as: tasklist > cache; tracert 8.8.8.8 -h 5. Downloaded from the…”
T1055.001 Dynamic-link Library Injection
49%
“…\cmd.exe c:\windows\syswow64\iscsicpl.exe. iscsicpl.exe is a legitimate Windows binary that can be abused for UAC bypass because its 32-bit SysWOW64 version is auto-elevated and is vulnerable to DLL search-order hijacking for iscsiexe.dll. By placing a malicious …”
T1105 Ingress Tool Transfer
47%
“…update prompt claiming that a newer version was available. Prior to the victim’s interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the nor…”
T1190 Exploit Public-Facing Application
44%
“…and regional focus of the campaign suggest an espionage-motivated operation. In combination with the observed TTPs and command-and-control infrastructure, these indicators point with moderate confidence to a Chinese-nexus threat actor. About TrueConf: TrueConf is a video c…”
T1055.001 Dynamic-link Library Injection
40%
“…exe, iscsiexe.dll, or rom.dat are present, or if there is evidence that they were recently created and then deleted. Hunt for file creation activity in which trueconf_windows_update.tmp creates C:\ProgramData\PowerISO\PowerISO.exe or 7z-x64.dll, as this behavior…”
T1574 Hijack Execution Flow
39%
“…\cmd.exe c:\windows\syswow64\iscsicpl.exe. iscsicpl.exe is a legitimate Windows binary that can be abused for UAC bypass because its 32-bit SysWOW64 version is auto-elevated and is vulnerable to DLL search-order hijacking for iscsiexe.dll. By placing a malicious …”
T1547.001 Registry Run Keys / Startup Folder
37%
“…threats. What initially appeared to be a signed binary used for DLL sideloading ultimately led to the discovery of a zero-day vulnerability in TrueConf’s update validation mechanism. Hunting recommendations: in order to identify whether you have been compromised, review the fo…”
T1505.004 IIS Components
32%
“…of rom.dat remained unclear. The iscsiexe.dll component appears to be a simple, custom persistence and privilege escalation tool. Rather than serving as a full-featured backdoor, its role was limited to maintaining execution of winexec.exe, which is the renamed PowerISO.exe…”
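The excerpts above carry enough concrete indicators to hunt with: the weaponised update (trueconf_windows_update.tmp writing C:\ProgramData\PowerISO\PowerISO.exe or 7z-x64.dll), the iscsicpl.exe UAC bypass launched from cmd.exe, the iscsiexe.dll / rom.dat artifacts that may have been created and then deleted, the two reconnaissance commands, and the three Havoc C2 addresses. The script below is an added example, not code from Check Point Research or TTPwire, that turns those hunting recommendations into rules over Sysmon-style events. The event dicts at the bottom are constructed for illustration (field names follow Sysmon's ProcessCreate, NetworkConnect, FileCreate and FileDelete schema; paths, user names and the directory the DLL is dropped into are made up), and the rule names are this example's own.

```python
"""Hunting rules for the Operation TrueChaos indicators quoted on this page.

Added example (not Check Point Research or TTPwire code). Matches
Sysmon-style events (ProcessCreate = 1, NetworkConnect = 3, FileCreate = 11,
FileDelete = 23) against the file names, commands and C2 addresses that the
excerpts above give. SAMPLE_EVENTS is constructed; the field names follow
Sysmon's schema, the values are invented.
"""
from pathlib import PureWindowsPath

# Indicators taken from the excerpts. The C2 addresses are defanged on the page.
C2_DEFANGED = ["43.134.90[.]60", "43.134.52[.]221", "47.237.15[.]197"]
DROPPER = "trueconf_windows_update.tmp"
DROPPED = {"poweriso.exe", "7z-x64.dll"}
ARTIFACTS = {"iscsiexe.dll", "rom.dat"}
RECON = ("tasklist > cache", "tracert 8.8.8.8 -h 5")


def refang(addr: str) -> str:
    """Turn the page's '43.134.90[.]60' notation back into a dotted quad."""
    return addr.replace("[.]", ".")


C2_ADDRS = {refang(a) for a in C2_DEFANGED}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def hunt(events):
    """Return (rule, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
            cmd = ev.get("CommandLine", "").lower()
            # The 32-bit iscsicpl.exe is auto-elevated; started from cmd.exe it
            # is the UAC-bypass step the page describes (T1548.002).
            if (image == "iscsicpl.exe" and _dir(ev["Image"]).endswith("syswow64")
                    and parent == "cmd.exe"):
                hits.append(("uac-bypass-iscsicpl", ev))
            if any(r in cmd for r in RECON):
                hits.append(("hands-on-keyboard-recon", ev))
        elif eid == 3 and ev["DestinationIp"] in C2_ADDRS:
            hits.append(("havoc-c2-connection", ev))
        elif eid == 11:
            target = _name(ev["TargetFilename"])
            # The weaponised update writes the PowerISO sideload pair (T1195.002).
            if _name(ev["Image"]) == DROPPER and target in DROPPED:
                hits.append(("update-tmp-drops-payload", ev))
            if target in ARTIFACTS:
                hits.append(("sideload-artifact-created", ev))
        elif eid == 23 and _name(ev["TargetFilename"]) in ARTIFACTS:
            # The page also asks for evidence the artifacts were created, then deleted.
            hits.append(("sideload-artifact-deleted", ev))
    return hits


# Constructed sample: the chain described on the page plus one benign event.
# The directory iscsiexe.dll is written to is invented; the page truncates
# before naming where the malicious DLL is placed.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\trueconf_windows_update.tmp",
     "TargetFilename": r"C:\ProgramData\PowerISO\PowerISO.exe"},
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\trueconf_windows_update.tmp",
     "TargetFilename": r"C:\ProgramData\PowerISO\7z-x64.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\ProgramData\PowerISO\PowerISO.exe",
     "CommandLine": "cmd.exe /c tasklist > cache"},
    {"EventID": 11, "Image": r"C:\ProgramData\PowerISO\PowerISO.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\iscsiexe.dll"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\iscsicpl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\SysWOW64\iscsicpl.exe"},
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\iscsiexe.dll"},
    {"EventID": 3, "Image": r"C:\ProgramData\PowerISO\PowerISO.exe",
     "DestinationIp": "43.134.90.60"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34"},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:28s} {ev.get('Image', '')}")
```

Feeding real Sysmon exports through hunt() needs only the four field names used above; the FileDelete rule is the one most worth keeping, since the page notes the sideload artifacts may already have been removed by the time anyone looks.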

Summary

Key Points / Introduction: At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia, carried out via legitimate TrueConf software installed in the targets’ environments. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8. […]
