RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: trueconf (2 articles)Clear
threat
2026-04-27

Pro-Ukrainian hackers chain three TrueConf bugs to deploy web shells and create rogue admin accounts in Russian networks (CVE chain patched August 2025)

Russian security firm Positive Technologies attributed an ongoing intrusion campaign to PhantomCore, a pro-Ukrainian group also tracked as Head Mare, Rainbow Hyena, and UNG0901. The group is chaining three TrueConf video-conferencing vulnerabilities (patched by the vendor August 27, 2025) to bypass authentication and run commands on TrueConf servers in Russian organizations. After break-in, they drop a PHP web shell, create a rogue user named 'TrueConf2' with admin rights on the conferencing server, and pivot into the wider network using tools including Velociraptor, Memprocfs, DumpIt, and custom backdoors MacTunnelRAT and PhantomSscp. First attacks observed mid-September 2025.

phantomcorehead-mareung0901pro-ukrainiantrueconfrussiaweb-shellrogue-adminpositive-technologies
Check
Check every TrueConf Server install in your environment is patched to August 27, 2025 or later, and audit user accounts for any named 'TrueConf2' or similar.
Affected
TrueConf Server installations unpatched since August 27, 2025 - any organization that delayed the August update is exposed. Critical infrastructure, defense, and government organizations using TrueConf for offline-capable conferencing are particularly exposed because TrueConf is heavily used in those sectors.
Fix
Update TrueConf Server to the August 27, 2025 release or later. Audit local TrueConf admin accounts for unfamiliar usernames - the rogue 'TrueConf2' account is a defining indicator. Hunt server logs for PHP web shell activity and TrueConf-server outbound connections to unfamiliar domains. PhantomCore typically pivots into the broader network within days.
vulnerability
CVE-2026-3502
2026-03-31

Chinese hackers exploited TrueConf video conferencing zero-day to backdoor Southeast Asian governments (CVE-2026-3502)

Check Point uncovered Operation TrueChaos - a Chinese-nexus espionage campaign that turned a video conferencing platform's update mechanism into a malware delivery system. The attackers compromised a central on-premises TrueConf server used by a government IT department, then swapped the legitimate client update with a weaponized package that deployed the Havoc post-exploitation framework. Every connected government agency pulled the poisoned update automatically, no individual endpoint compromise needed.

trueconfzero-daychinaespionagesupply-chainvideo-conferencingactively-exploited
Check
Check if your organization uses TrueConf for video conferencing, especially in on-premises deployments.
Affected
TrueConf Windows client versions 8.1.0 through 8.5.2. On-premises deployments are at highest risk since the attack requires control of the TrueConf server.
Fix
Update TrueConf Windows client to version 8.5.3 or later. Audit TrueConf servers for unauthorized modifications. Check endpoints for IOCs: unsigned trueconf_windows_update.exe, files named poweriso.exe or 7z-x64.dll, and connections to 43.134.90.60, 43.134.52.221, or 47.237.15.197.