Vypr advisory · Published Mar 31, 2026 · Updated May 18, 2026 · 1 source

Operation TrueChaos: Zero-Day in TrueConf Client Exploited Against Southeast Asian Governments

Check Point Research discovered CVE-2026-3502, a zero-day vulnerability in the TrueConf video conferencing client exploited in a campaign dubbed 'TrueChaos' targeting Southeast Asian government entities with the Havoc payload.

Check Point Research has uncovered a targeted espionage campaign, dubbed Operation TrueChaos, exploiting a zero-day vulnerability in the TrueConf video conferencing client against government entities in Southeast Asia. The flaw, tracked as CVE-2026-3502 with a CVSS score of 7.8, resides in the application's updater validation mechanism and allows an attacker controlling an on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints.

TrueConf is a video conferencing platform supporting both on-premises and cloud deployments, used by over 100,000 organizations globally, including governments, defense departments, critical infrastructure industries, banks, and TV stations. In enterprise environments, its on-premises architecture creates a trusted relationship between the central server and connected clients, particularly through the platform's update mechanism. The platform operates entirely within a private local network (LAN) without requiring internet connectivity, making it a preferred choice for secure or remote environments where data privacy and communication autonomy are paramount.

The vulnerability stems from a lack of integrity and authenticity checks in the update flow. When the TrueConf client starts, it checks the connected on-premises server for available updates. If the server has a newer client version, the application prompts the user to download the update from a URL mapping to a file stored on the server. An attacker who gains control of the on-premises TrueConf server can replace the expected update package with an arbitrary executable, presented as the current application version, and distribute it to all connected clients. Because the client trusts the server-provided update without proper validation, the malicious file can be delivered and executed under the guise of a legitimate TrueConf update.
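As an added illustration (not code from the advisory, Check Point Research or TrueConf), the Go sketch below contrasts an updater that trusts whatever the server labels as a newer version, as the flaw described above does, with one that pins a vendor public key in the client and refuses any package whose (version, digest) pair that key did not sign, including downgrades. The type and function names, the key pair, the version numbers and the package bytes are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateOffer is what the server hands the client: claimed version, package behind the update URL, vendor signature.
type UpdateOffer struct {
	Version   uint32
	Package   []byte
	Signature []byte
}

// signedMessage binds version to package digest, so a compromised server cannot reuse a genuine signature on a swapped file.
func signedMessage(version uint32, pkg []byte) []byte {
	sum := sha256.Sum256(pkg)
	return append(binary.BigEndian.AppendUint32(nil, version), sum[:]...)
}

// VulnerableAccept mirrors the flaw described above: whatever the server labels as newer is returned for execution unverified.
func VulnerableAccept(installed uint32, o UpdateOffer) ([]byte, error) {
	if o.Version <= installed {
		return nil, errors.New("no update offered")
	}
	return o.Package, nil
}

// HardenedAccept returns the package only for a strict upgrade whose (version, digest) a key pinned in the client signed.
func HardenedAccept(installed uint32, vendorPub ed25519.PublicKey, o UpdateOffer) ([]byte, error) {
	if o.Version <= installed {
		return nil, errors.New("refusing downgrade or same-version reinstall")
	}
	if !ed25519.Verify(vendorPub, signedMessage(o.Version, o.Package), o.Signature) {
		return nil, errors.New("vendor signature invalid: package not executed")
	}
	return o.Package, nil
}

func main() {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor's pinned key (constructed for the demo)
	rogue := UpdateOffer{Version: 853, Package: []byte("attacker-supplied binary")} // unsigned, server-controlled offer
	_, vErr := VulnerableAccept(852, rogue)
	_, hErr := HardenedAccept(852, pub, rogue)
	fmt.Println("vulnerable accepts:", vErr == nil, "| hardened accepts:", hErr == nil)
}
```

Pinning the key in the client (rather than fetching it from the server) is what makes the check survive a server compromise; a digest or signature the same server supplies adds nothing.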

In the observed in-the-wild activity, the threat actor abused the trusted update channel of a centrally managed on-premises TrueConf server to distribute malicious updates to multiple connected government agencies in a Southeast Asian country. The infections began when the TrueConf client application launched, likely via a link the attacker sent to the target, and presented an update prompt claiming a newer version was available. The attacker deployed the Havoc payload, a post-exploitation framework, to vulnerable machines. Based on observed tactics, techniques, and procedures (TTPs), command-and-control infrastructure, and victimology, Check Point Research assesses with moderate confidence that this activity is associated with a Chinese-nexus threat actor.

The victimology and regional focus of the campaign suggest an espionage-motivated operation. TrueConf is most widely used in Russia but also has a notable presence across parts of East Asia, Europe, and the Americas. Check Point Research reviewed internet-exposed TrueConf servers to assess the platform's geographic distribution and the potential reach of the attack, noting that many deployments may operate entirely in on-premises environments and remain inaccessible from the public internet.

Check Point Research responsibly disclosed the vulnerability to TrueConf. Following notification, the vendor developed a fix included in the TrueConf Windows client starting with version 8.5.3, released in March 2026. The current version of the desktop apps is 8.5.2. Organizations using TrueConf in on-premises deployments should immediately update to version 8.5.3 and review their server access controls to mitigate the risk of server compromise.

This discovery highlights the risks inherent in trusted update mechanisms within enterprise software, particularly in platforms designed for secure, offline environments. The abuse of a legitimate update channel to deliver malware represents a sophisticated supply-chain attack vector that bypasses traditional endpoint defenses. As video conferencing platforms continue to be integral to government and critical infrastructure operations, securing their update processes against compromise becomes a critical priority.

Synthesized by Vypr AI