{
  "Event": {
    "analysis": "1",
    "date": "2026-03-31",
    "extends_uuid": "",
    "info": "[Threat Intel] Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets",
    "protected": false,
    "publish_timestamp": "1775970079",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1775970079",
    "uuid": "0567b4df-f77c-4355-b991-5e968b4f46cb",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#5dfed4",
        "local": false,
        "name": "misp-galaxy:producer=\"Check Point\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#91afc2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Component Object Model Hijacking - T1546.015\"",
        "relationship_type": ""
      },
      {
        "colour": "#b596f0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdd85e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bcaa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Discovery - T1518\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"035 - South-eastern Asia\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"vulnerability\"",
        "relationship_type": ""
      },
      {
        "colour": "#150052",
        "local": false,
        "name": "rectifyq:sub-category=\"zero-day\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdcb58",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"somewhat-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Havoc\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012432",
        "to_ids": false,
        "type": "link",
        "uuid": "925ed7b4-f007-49ca-96c1-7b265c044abf",
        "value": "https://research.checkpoint.com/2026/operation-truechaos-0-day-exploitation-against-southeast-asian-government-targets/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012432",
        "to_ids": false,
        "type": "text",
        "uuid": "886d582b-8daa-430d-b4d5-68b89a2f4f2f",
        "value": "A zero-day vulnerability in the TrueConf client application, CVE-2026-3502, was exploited in a targeted campaign against government entities in Southeast Asia. The flaw allows attackers controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints. The campaign, dubbed 'TrueChaos', abused the trusted update channel to deliver malware to multiple government agencies. The attack likely involved a Chinese-nexus threat actor and utilized the Havoc post-exploitation framework. The vulnerability stems from inadequate validation in the update process, enabling malicious updates to be distributed through a centrally managed server. TrueConf has since released a fix in version 8.5.3 of their Windows client."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012432",
        "to_ids": false,
        "type": "text",
        "uuid": "abb9adeb-2cab-4af7-837a-d6e78c82d568",
        "value": "Name: Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets\nAuthor: AlienVault\nAdversary: Chinese-nexus threat actor\nTags: [\"southeast asia\", \"havoc\", \"zero-day\", \"trueconf\", \"cve-2026-3502\", \"government targets\", \"dll sideloading\"]\nTgtd countries: []\nMlwr families: [\"Havoc\"]\nAttack_ids: [\"T1140\", \"T1055\", \"T1016\", \"T1546.015\", \"T1570\", \"T1059.003\", \"T1134\", \"T1518\", \"T1574.002\", \"T1105\", \"T1021.001\"]\nIndustries: [\"Government\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775012432",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "0540ddbd-ed5a-49b8-85b4-50156aae5512",
        "value": "Chinese-nexus threat actor"
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious TrueConf client update. No sample in VT.\r\nLast check: 12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775964093",
        "to_ids": true,
        "type": "md5",
        "uuid": "12868dee-cfa4-4501-9a80-c1fa0333ce27",
        "value": "22e32bcf113326e366ac480b077067cf",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Havoc implant. No sample in VT.\r\nLast check: 12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775964094",
        "to_ids": true,
        "type": "md5",
        "uuid": "e3021612-180e-4cfa-865b-2bb955921af6",
        "value": "248a4d7d4c48478dcbeade8f7dba80b3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775900886",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "04b97cd0-946c-4bb1-9817-b3485afda55e",
        "value": "CVE-2026-3502"
      },
      {
        "category": "Network activity",
        "comment": "Havoc C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775964187",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "63075763-a272-4bf3-8004-8e3897e22beb",
        "value": "43.134.90.60",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Havoc C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775964208",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ed53daef-94cb-4e5e-9cb7-c05617f2683f",
        "value": "43.134.52.221",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Havoc C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775964229",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "9a7e7d60-039b-4023-90b8-65bb8a15aad9",
        "value": "47.237.15.197",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775964251",
        "to_ids": true,
        "type": "url",
        "uuid": "35a063c4-f0d3-4774-996f-7a28df2f2aac",
        "value": "ftp://47.237.15.197/update.7z",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775964272",
        "uuid": "907d298e-2812-41d1-bf87-3affb33c5ef8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775964272",
            "to_ids": true,
            "type": "md5",
            "uuid": "b6fbd4f5-b37c-4f66-885e-939983466907",
            "value": "9b435ad985b733b64a6d5f39080f4ae0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964091",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d0d3ab0d-02ae-4c29-b200-b2a96019a151",
            "value": "395ccc853752784bd5ad2f0ca84cf3c5d60420b8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964091",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9edf96f4-e975-4604-aa4c-3053e2e03aba",
            "value": "09acbeabaee2f59b4bb38ae383cf0df8f0853121800bc701e165ca30f2d6cb18",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775962381",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "44b34698-7d84-45a0-a1f8-aa68f7f7af46",
            "value": "1536:jnCjf2nBcxmYyMSEb1AOUKNXacdJfn1rZZgsWccdlKF88Y:ifmjsbUKNXlf1rjclKF88Y"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775962381",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6e50593d-0219-480b-867b-8fa869f8689b",
            "value": "72704"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775962381",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8310708a-99fe-47b2-ad57-bc396d1e386f",
            "value": "174056655d15156az42?z3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775962381",
            "to_ids": true,
            "type": "filename",
            "uuid": "ab7df11f-ea1c-444c-85e1-49742f6d4f07",
            "value": "v98afr.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan: 10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775962381",
            "to_ids": false,
            "type": "text",
            "uuid": "94da9fcb-f896-4e37-aafe-13f6762c8582",
            "value": "Loader\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/DLLHijack.DM!MTB\nVT Total Detection: 44/72\nFirst Submission: 2026-04-07T11:36:44.000000+00:00\nLast Submission: 2026-04-07T11:36:44.000000+00:00"
          }
        ]
      }
    ]
  }
}