{"id":3590,"date":"2026-04-02T07:35:00","date_gmt":"2026-04-02T14:35:00","guid":{"rendered":"https:\/\/www.wiki-living.com\/index.php\/2026\/04\/02\/by-replacing-legitimate-update-with-malicious-one-they-turned-product-update-flow-into-malware-distribution-channel-experts-find-flaw-in-trueconf-video-conferencing-tool-used-by-governments-milit\/"},"modified":"2026-04-03T02:17:27","modified_gmt":"2026-04-03T09:17:27","slug":"by-replacing-legitimate-update-with-malicious-one-they-turned-product-update-flow-into-malware-distribution-channel-experts-find-flaw-in-trueconf-video-conferencing-tool-used-by-governments-milit","status":"publish","type":"post","link":"https:\/\/www.wiki-living.com\/index.php\/2026\/04\/02\/by-replacing-legitimate-update-with-malicious-one-they-turned-product-update-flow-into-malware-distribution-channel-experts-find-flaw-in-trueconf-video-conferencing-tool-used-by-governments-milit\/","title":{"rendered":"&#8216;By replacing legitimate update with malicious one, they turned product update flow into malware distribution channel&#8217;: Experts find flaw in TrueConf video conferencing tool used by governments, military"},"content":{"rendered":"<p><br \/>\n<\/p>\n<div id=\"article-body\">\n<hr id=\"elk-54425299-9868-4e7b-bdf0-4b832cd766a2\"\/>\n<ul id=\"elk-37371436-2def-4ae7-9aa8-8a83bddecc16\">\n<li><strong>A sophisticated supply chain attack used the TrueConf update process<\/strong><\/li>\n<li><strong>The Havoc framework is deployed for intelligence operations<\/strong><\/li>\n<li><strong>The vulnerability is patched with the new version of TrueConf 8.5.3<\/strong><\/li>\n<\/ul>\n<hr id=\"elk-8dbe621e-e72e-43e2-b795-586a376ec8a9\"\/>\n<p id=\"elk-89c0b648-03f6-49c6-8191-1d03c5b8b6df\">Governments in Southeast Asia have recently been targeted in high-profile attacks as part of a wider cyber espionage campaign, which experts believe is the work of the Chinese government.<\/p>\n<p>Security researchers Check Point detailed their findings in 
Operation TrueChaos, a campaign surrounding a zero-day vulnerability in TrueConf, a video conferencing and collaboration platform that runs in the cloud or on a company&#8217;s own servers.<\/p>\n<p id=\"elk-89c0b648-03f6-49c6-8191-1d03c5b8b6df-2\">It operates on a client-server model, usually within a private local area network, which allows organizations to hold meetings, exchange text messages, and share files without relying on the public Internet.<\/p>\n<h2 id=\"wreaking-havoc-3\">Wreaking Havoc<\/h2>\n<p id=\"elk-5c28a411-fdb4-4a55-ac70-48e3056654bf\">TrueConf is widely used by governments, defense organizations, and large enterprises that require strict data control and privacy, as its main distinguishing feature is its self-hosted structure, which keeps all communications internal and secure, combined with scalable video 
technology that adapts streaming to each user&#8217;s device and bandwidth.<\/p>\n<p>However, TrueConf&#8217;s unique selling proposition was also its weak point in this attack.<\/p>\n<p>When users run the client, it connects to the local server and checks for updates &#8211; and if it detects a mismatch between its own version and the server&#8217;s version, it can initiate an update.<\/p>\n<p>The problem stems from the fact that this update was applied without adequate checks, allowing malicious actors to push malicious code through the official update process.<\/p>\n<p>This bug is now tracked as CVE-2026-3502 and was given a severity score of 7.8\/10 (high). &#8220;If a payload is created or installed by a reviewer, this may result in improper code execution in the context of the review process or the user,&#8221; NVD explained.<\/p>\n<p>This still leaves open the question of how the local server was compromised. In its report, Check Point does not discuss this process, so we do not know how it happened or which malware was used to attack this endpoint.<\/p>\n<p>However, the threat actors used that access to push Havoc &#8211; an open source post-exploitation framework designed for advanced red team engagements and adversary simulation. 
It provides modular capabilities for covert command and control (C2) operations, and offers features such as memory manipulation, encrypted communications, and unique evasion methods.<\/p>\n<h2 id=\"chinese-cyber-spies-blamed-3\">Chinese cyber spies are blamed<\/h2>\n<figure class=\"van-image-figure inline-layout\" data-bordeaux-image-check=\"\" id=\"elk-282dbd48-9f85-40e8-be20-8417ea582e05\">\n<div class=\"image-full-width-wrapper\">\n<div class=\"image-widthsetter\" style=\"max-width:970px;\">\n<p class=\"vanilla-image-block\" style=\"padding-top:56.19%;\"> <picture data-new-v2-image=\"true\"><source type=\"image\/webp\" srcset=\"https:\/\/cdn.mos.cms.futurecdn.net\/ef8zeecGrS3texgTdoSkYe-970-80.jpg.webp 1200w, https:\/\/cdn.mos.cms.futurecdn.net\/ef8zeecGrS3texgTdoSkYe-970-80.jpg.webp 1024w, https:\/\/cdn.mos.cms.futurecdn.net\/ef8zeecGrS3texgTdoSkYe-970-80.jpg.webp 970w, https:\/\/cdn.mos.cms.futurecdn.net\/ef8zeecGrS3texgTdoSkYe-650-80.jpg.webp 650w, https:\/\/cdn.mos.cms.futurecdn.net\/ef8zeecGrS3texgTdoSkYe-480-80.jpg.webp 480w, https:\/\/cdn.mos.cms.futurecdn.net\/ef8zeecGrS3texgTdoSkYe-320-80.jpg.webp 320w\" sizes=\"(min-width: 1000px) 970px, calc(100vw - 40px)\"><\/source><\/picture><\/p>\n<\/div>\n<\/div><figcaption itemprop=\"caption description\" class=\" 
inline-layout\"><span class=\"caption-text\">Check Point claims TTPs and C2 point to a China-nexus threat actor <\/span><span class=\"credit\" itemprop=\"copyrightHolder\">(Image credit: Shutterstock)<\/span><\/figcaption><\/figure>\n<p id=\"elk-ec1f5204-9f39-4724-9f63-2b20d613414b\">Given the nature of the malware distributed in the campaign, as well as the victimology, Check Point concluded that this was an espionage campaign. With Havoc&#8217;s help, crooks are able to perform &#8220;a series of hands-on-keyboard actions that focus on retesting, environmental repair, persistence, and recovering additional payloads.&#8221;<\/p>\n<p>The exact number of victims, as well as the industries they work in, cannot be determined, Check Point added. This is because most TrueConf instances run locally, on networks that are not connected to the wider Internet. However, researchers say they have seen &#8220;a series of attacks targeting government agencies in South Asia&#8221;, suggesting more attacks.<\/p>\n<p>The tactics, techniques, and procedures, as well as the command-and-control infrastructure, all point to a Chinese-nexus threat actor, CPR concluded, without sharing names.<\/p>\n<p>TrueConf has since fixed the vulnerability and released a patch. 
All users running versions 8.5.2 and above are advised to upgrade to version 8.5.3, which was released in March 2026.<\/p>\n<p><em>Via <\/em><em>BleepingComputer<\/em><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>A sophisticated supply chain attack used the TrueConf update process The Havoc framework is deployed for intelligence operations The vulnerability is patched with the new version of TrueConf 8.5.3 Governments in Southeast Asia have recently been targeted in high-profile attacks as part of a wider cyber espionage campaign, which experts believe is the work of 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3591,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[],"class_list":{"0":"post-3590","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-smart-home-gadgets"},"_links":{"self":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts\/3590","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/comments?post=3590"}],"version-history":[{"count":1,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts\/3590\/revisions"}],"predecessor-version":[{"id":3592,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts\/3590\/revisions\/3592"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/media\/3591"}],"wp:attachment":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/media?parent=3590"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/categories?post=3590"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/tags?post=3590"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}