'By replacing a legitimate update with a malicious one, they turned the product’s update flow into a malware distribution channel': Experts find flaw in TrueConf video conferencing tool used by governments, military

News
By published

Sophisticated cyber-espionage campaign uncovered

Cybersecurity ensures data protection on internet. Data encryption, firewall, encrypted network, VPN, secure access and authentication defend against malware, hacking, cyber crime and digital threat
(Image credit: Shutterstock)
  • Sophisticated supply chain attack exploited TrueConf update process
  • Havoc framework deployed for espionage operations
  • Vulnerability patched with new TrueConf version 8.5.3

Southeast Asian governments were recently targeted by a highly sophisticated supply chain attack as part of a wider cyber-espionage campaign, which experts believe is the work of the Chinese government.

Security researchers Check Point detailed their findings on Operation TrueChaos, a campaign revolving around a zero-day vulnerability in TrueConf, a video conferencing and collaboration platform which runs either in the cloud or on a company’s own servers.

It works through a client-server model, often inside a private local network, allowing organizations to host meetings, messaging, and file sharing without relying on the public internet.

Article continues below

Wreaking Havoc

TrueConf is mostly used by governments, defense, and large enterprises that require strict data control and privacy, as its key differentiator is its on-premises, self-hosted architecture, which keeps all communications internal and secure, combined with scalable video technology that adapts streams to each user’s device and bandwidth.

However TrueConf's unique selling proposition was also its weakest point in this attack.

When users run the client, it connects to the local server and checks for updates - and if it sees a mismatch between its version, and the server’s version, it can initiate an update.

The problem stemmed from the fact that this update was done without sufficient checks, allowing threat actors to push arbitrary code via a legitimate update process.

This bug is now tracked as CVE-2026-3502 and was given a severity score of 7.8/10 (high). “If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user,” the NVD explained.

This still leaves the question of compromising the local server. In its report, Check Point does not discuss this process, so we don’t know how it happened, and what malware was used to attack this endpoint.

However, threat actors used the access to push Havoc - an open source post-exploitation framework designed for advanced red teaming and adversary simulation. It provides modular capabilities for stealthy command and control (C2) operations, and offers features like in-memory execution, encrypted communication, and different evasion techniques.

Chinese cyber-spies blamed

Flag of the People's Republic of China overlaid with a technological network of wires and circuits.

Check Point claims TTPs and C2s point to a China-nexus threat actor (Image credit: Shutterstock)

Given the type of malware being deployed in the campaign, as well as the victimology, Check Point concluded that this was an espionage campaign. With the help of Havoc, the crooks were able to perform a “series of hands-on-keyboard actors focused on reconnaissance, environment preparation, persistence, and the retrieval of additional payloads.”

A precise number of victims, as well as the industries they operate in, cannot be determined, Check Point added. This is mostly because many TrueConf instances run locally, on networks that are not connected to the wider internet. Still, the researchers said they saw a “series of targeted attacks against government entities in South Asia”, which suggests multiple incursions.

The tactics, techniques, and procedures, as well as the command-and-control infrastructure, all point to a Chinese-nexus threat actor, CPR concluded, without sharing any names.

TrueConf has since fixed the vulnerability and released a patch. All users running versions 8.5.2 and older are advised to upgrade to version 8.5.3, which was released in March 2026.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.