- A sophisticated supply chain attack used the TrueConf update process
- The Havoc framework is deployed for intelligence-gathering operations
- The vulnerability is patched in TrueConf 8.5.3
Governments in Southeast Asia have recently been targeted in high-profile attacks as part of a wider cyber espionage campaign, which experts believe is the work of the Chinese government.
Security researchers at Check Point detailed their findings on Operation TrueChaos, a campaign built around a zero-day vulnerability in TrueConf, a video conferencing and collaboration platform that runs in the cloud or on a company’s own servers.
It operates on a client-server model, usually within a private local area network, which lets organizations hold meetings, exchange text messages, and share files without relying on the public Internet.
Wrecking Havoc
TrueConf is widely used by governments, defense organizations, and large enterprises that require strict data control and privacy. Its main distinguishing feature is its self-hosted structure, which keeps all communications internal, combined with scalable video technology that adapts streaming to each user’s device and bandwidth.
However, TrueConf’s unique selling proposition was also its weak point in this attack.
When a user launches the client, it connects to the local server and checks for updates; if it detects a mismatch between its own version and the server’s version, it initiates an update.
The problem is that this update was performed without adequate verification, allowing attackers who controlled the server to push malicious code through the official update process.
This bug is now tracked as CVE-2026-3502 and was given a severity score of 7.8/10 (high). “If a payload is created or installed by a reviewer, this may result in improper code execution in the context of the review process or the user,” NVD explained.
This still leaves the question of how the local server was compromised. In its report, Check Point does not discuss this step, so we do not know how it happened or which malware was used to attack that endpoint.
However, the threat actors used that access to push Havoc, an open source post-exploitation framework designed for advanced red team engagements and adversary simulation. It provides modular capabilities for covert command and control (C2) operations and offers features such as memory manipulation, encrypted communications, and unique evasion methods.
Chinese cyber spies are blamed
Given the nature of the malware distributed in the campaign, as well as the victimology, Check Point concluded that this was an espionage campaign. With Havoc’s help, the crooks are able to perform “a series of hands-on-keyboard actions that focus on retesting, environmental repair, persistence, and recovering additional payloads.”
The exact number of victims, and the industries they operate in, cannot be determined, Check Point added, because most TrueConf instances run locally on networks that are not connected to the wider Internet. However, the researchers say they have seen “a series of attacks targeting government agencies in South Asia”, suggesting further attacks.
The tactics, techniques, and procedures (TTPs), as well as the tooling and infrastructure, all point to a Chinese-nexus threat actor, Check Point Research (CPR) concluded, without naming one.
TrueConf has since fixed the vulnerability and released a patch. All users running version 8.5.2 and above are advised to upgrade to version 8.5.3, which was released in March 2026.
Via BleepingComputer