Check Point Research Unmasks TrueChaos Campaign Exploiting TrueConf Zero-Day Against Southeast Asian Governments
Check Point Research has exposed TrueChaos, a campaign exploiting a zero-day vulnerability (CVE-2026-3502) in TrueConf's on-premises update process to push malicious updates and Havoc payloads to Southeast Asian government networks.

Check Point Research has unmasked a sophisticated cyber espionage campaign dubbed TrueChaos, which exploits a zero-day vulnerability in TrueConf's on-premises update mechanism to deliver malicious updates to government networks in Southeast Asia. The campaign, detailed in the latest Check Point threat intelligence report, leverages CVE-2026-3502, a flaw in the update process of TrueConf, a video conferencing platform widely used by government agencies. Attackers compromise trusted update servers to push the Havoc post-exploitation framework onto targeted systems, enabling persistent access and data exfiltration.
The vulnerability allows attackers to hijack the software update process, replacing legitimate updates with malicious payloads that are signed and delivered through the same trusted channels. This technique, a supply-chain attack on the update mechanism itself, bypasses traditional security controls because the updates appear authentic to the receiving system. Check Point assesses with moderate confidence that the activity is linked to a China-nexus actor, based on the targeting patterns and infrastructure used.
The TrueChaos campaign specifically targets Southeast Asian government networks, suggesting a strategic intelligence-gathering objective. By compromising the update pipeline, attackers can maintain long-term access to sensitive systems without raising immediate suspicion. The use of Havoc, a post-exploitation framework similar to Cobalt Strike, indicates a high level of sophistication and a focus on stealthy, persistent operations.
Check Point's discovery highlights a growing trend of attackers targeting software update mechanisms as a vector for initial access and persistence. Similar tactics have been observed in campaigns against SolarWinds, 3CX, and other software supply chains. The TrueConf vulnerability underscores the risks inherent in trusting third-party update infrastructure, especially for on-premises deployments in sensitive environments.
Organizations using TrueConf on-premises are urged to immediately apply any available patches and to verify the integrity of update servers. Network segmentation and monitoring for anomalous update traffic can help detect similar attacks. Check Point has published indicators of compromise and detection rules to assist defenders in identifying TrueChaos activity.
The TrueChaos campaign is part of a broader wave of supply-chain attacks documented in Check Point's weekly threat intelligence bulletin, which also covers the Axios npm package compromise and the Trivy supply-chain attack affecting the European Commission. These incidents collectively demonstrate that attackers are increasingly targeting the software supply chain as a reliable method to breach high-value targets.
As geopolitical tensions drive state-sponsored cyber operations, the TrueChaos campaign serves as a reminder that even trusted software update mechanisms can be weaponized. Organizations must adopt a zero-trust approach to software updates, verifying the integrity of every update through cryptographic signatures and behavioral analysis, rather than relying solely on the reputation of the update source.