- Sophisticated supply chain attack exploited the TrueConf update process
- Havoc post-exploitation framework deployed for espionage operations
- Vulnerability fixed with new TrueConf version 8.5.3
Southeast Asian governments were recently hit by a highly sophisticated supply chain attack as part of a wider cyberespionage campaign that experts believe is the work of the Chinese government.
Security researchers Check Point detailed their findings on Operation TrueChaos, a campaign revolving around a zero-day vulnerability in TrueConf, a video conferencing and collaboration platform that runs either in the cloud or on a company’s own servers.
It works through a client-server model, often inside a private local area network, allowing organizations to host meetings, messaging and file sharing without relying on the public Internet.
Wreaking havoc
TrueConf is mostly used by governments, defense organizations and large enterprises that require strict data control and privacy. Its key differentiator is its self-hosted architecture, which keeps all communications inside the organization's own network, combined with scalable video technology that adapts streams to each user's device and bandwidth.
But TrueConf’s unique selling proposition was also its weakest point in this attack.
When users run the client, it connects to the local server and checks for updates. If the client's version does not match the version the server advertises, it fetches and installs the update the server offers.
The issue stemmed from the fact that this update was applied without sufficient verification of the update package, so anyone who controlled the server could push arbitrary code to every client through the legitimate update process.
This bug is now tracked as CVE-2026-3502 and received a CVSS severity score of 7.8 (high). "If the payload is executed or installed by the updater, this could result in arbitrary code execution related to the update process or the user," NVD explained.
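The following is an added illustration of the update-check weakness described above, written for this article; it is not TrueConf's code and does not reproduce the real client's update protocol. It contrasts a vulnerable updater (any version mismatch leads straight to executing whatever the server serves) with one that verifies a signed manifest, refuses downgrades and checks the payload digest before running anything. The key, version numbers, payload bytes and function names are all constructed for the example; HMAC-SHA256 stands in for a real asymmetric signature (Ed25519 in a production client, where only the public key is pinned in the client) so the example runs on the Python standard library alone.

```python
"""Vulnerable vs. verified updater, constructed example (not TrueConf code)."""
import hashlib
import hmac
import json

# Constructed key material. In a real client this would be a pinned PUBLIC key
# (e.g. Ed25519); the private half stays in the vendor's offline release
# pipeline and is never present on the on-premises conferencing server.
# HMAC-SHA256 stands in for that asymmetric signature so this runs on the stdlib.
RELEASE_KEY = b"constructed-vendor-release-key"

CLIENT_VERSION = (8, 5, 2)


class UpdateRejected(Exception):
    """Raised when an offered update fails verification."""


def parse_version(text):
    """'8.5.3' -> (8, 5, 3), so versions compare numerically rather than lexically."""
    return tuple(int(part) for part in text.split("."))


def sign_manifest(key, manifest):
    """Sign the canonical JSON form of a manifest (stand-in for a detached signature)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_release(key, version, payload):
    """What the vendor's release process produces: signed manifest plus installer bytes."""
    manifest = {"version": version,
                "sha256": hashlib.sha256(payload).hexdigest(),
                "size": len(payload)}
    return manifest, sign_manifest(key, manifest), payload


def update_insecure(client_version, server_version, fetch_payload, execute):
    """The flawed pattern: a version mismatch leads straight to running what the server serves.
    An attacker on the server only has to change the advertised version and the payload."""
    if server_version != client_version:
        execute(fetch_payload())
        return True
    return False


def update_verified(client_version, manifest, signature, payload, execute, key=RELEASE_KEY):
    """Hardened pattern: verify everything before executing anything the server handed over."""
    # 1. The manifest must carry a valid signature from the release key the server does not hold.
    if not hmac.compare_digest(sign_manifest(key, manifest), signature):
        raise UpdateRejected("manifest signature invalid")
    # 2. Only move forward: a replayed old (but genuinely signed) release cannot downgrade us.
    new_version = parse_version(manifest["version"])
    if new_version <= client_version:
        raise UpdateRejected("offered version %s is not newer than %s" % (manifest["version"], client_version))
    # 3. The payload must be exactly the bytes the signed manifest describes.
    if len(payload) != manifest["size"] or not hmac.compare_digest(
            hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        raise UpdateRejected("payload does not match signed manifest")
    execute(payload)
    return new_version


def demo():
    """Run both updaters against a compromised server; return what each one did."""
    executed = []
    execute = executed.append
    # Constructed inputs: a genuine release, an older genuine release, and attacker bytes.
    attacker_payload = b"stager bytes served by the compromised server (constructed)"
    genuine = build_release(RELEASE_KEY, "8.5.3", b"legitimate installer bytes (constructed)")
    older = build_release(RELEASE_KEY, "8.5.1", b"old legitimate installer (constructed)")
    results = {}

    # Vulnerable client: the server claims a newer version, the client runs the payload.
    update_insecure(CLIENT_VERSION, (8, 5, 99), lambda: attacker_payload, execute)
    results["insecure_ran_attacker_payload"] = executed == [attacker_payload]

    def attempt(label, manifest, signature, payload):
        executed.clear()
        try:
            update_verified(CLIENT_VERSION, manifest, signature, payload, execute)
            results[label] = False          # nothing should have been accepted
        except UpdateRejected:
            results[label] = executed == []  # rejected, and nothing was executed

    # Attacker forges a manifest for their payload but cannot sign it.
    forged = {"version": "8.5.99", "sha256": hashlib.sha256(attacker_payload).hexdigest(),
              "size": len(attacker_payload)}
    attempt("verified_rejected_forged", forged, "0" * 64, attacker_payload)
    # Attacker serves the genuine signed manifest but swaps the payload behind it.
    attempt("verified_rejected_swapped_payload", genuine[0], genuine[1], attacker_payload)
    # Attacker replays an older, genuinely signed release to roll the client back.
    attempt("verified_rejected_downgrade", older[0], older[1], older[2])

    # Genuine release: accepted and installed.
    executed.clear()
    new_version = update_verified(CLIENT_VERSION, genuine[0], genuine[1], genuine[2], execute)
    results["verified_accepted_genuine"] = new_version == (8, 5, 3) and executed == [genuine[2]]
    return results
```

The three checks in `update_verified` are the ones that matter for a server-side compromise: the signature ties the manifest to a key the server never holds, the version comparison blocks replay of an old signed release, and the digest check binds the installer bytes to that signed manifest so a swapped payload is caught before execution. Calling `demo()` shows the insecure path running the attacker's bytes while the verified path rejects all three attacker cases and installs only the genuine release.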
This still leaves the question of how the local server was compromised in the first place. Check Point's report does not discuss that step, so it is not known how it happened or what malware was used against the server.
What is known is that the attackers used that access to push Havoc, an open-source post-exploitation framework designed for advanced red teaming and adversary simulation. It provides modular capabilities for stealthy command and control (C2) operations, including in-memory execution, encrypted communications and various evasion techniques.
Chinese cyber spies are to blame
Given the type of malware deployed in the campaign, as well as the victimology, Check Point concluded that this was an espionage campaign. With the help of Havoc, the attackers were able to perform a "series of hands-on-keyboard acting focused on reconnaissance, environmental preparation, persistence, and retrieval of additional payloads."
A precise number of victims, as well as the industries they operate in, cannot be determined, Check Point added. This is mostly because many TrueConf instances run locally on networks that are not connected to the wider Internet. Still, the researchers said they saw a “series of targeted attacks against government entities in South Asia,” suggesting more intrusions.
The tactics, techniques and procedures, as well as the command-and-control infrastructure, all point to a threat actor linked to China, Check Point Research (CPR) concluded, without naming a specific group.
TrueConf has since fixed the vulnerability and released a patch. All users running version 8.5.2 and earlier are advised to upgrade to version 8.5.3, which was released in March 2026.
Via Bleeping Computer