- Sophisticated supply chain attack exploited TrueConf update process
- Havoc framework implemented for espionage operations
- Vulnerability patched with new version 8.5.3 of TrueConf
Governments in Southeast Asia were recently the target of a highly sophisticated supply chain attack as part of a broader cyber espionage campaign, which experts believe is the work of the Chinese government.
Security researchers at Check Point detailed their findings about Operation TrueChaos, a campaign that revolves around a zero-day vulnerability in TrueConf, a video conferencing and collaboration platform that runs in the cloud or on a company’s own servers.
It works through a client-server model, often within a private local network, allowing organizations to host meetings, send messages, and share files without relying on the public Internet.
Wreaking havoc
TrueConf is primarily used by governments, defense, and large enterprises that require strict data and privacy control, as its key differentiator is its self-hosted on-premises architecture, which keeps all communications internal and secure, combined with scalable video technology that tailors streams to each user’s device and bandwidth.
However, TrueConf’s unique selling proposition was also its weakest point in this attack.
When a user runs the client, it connects to the local server and checks for updates; if the client’s version differs from the version the server advertises, the user can initiate an update.
The problem was that this update was applied without sufficient verification, so anyone controlling the server could deliver arbitrary code to clients through the legitimate update process.
This bug is now tracked as CVE-2026-3502 and has been assigned a severity score of 7.8/10 (High). “If the updater executes or installs the payload, this may result in the execution of arbitrary code in the context of the update process or the user,” the NVD explained.
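The article leaves open which checks the updater lacked, but the general pattern an update client needs is the same regardless of product: verify the publisher’s signature against a key pinned in the client, verify the payload digest the signed manifest commits to, and refuse downgrades, all before anything is executed. The following Go program is an added illustration of that pattern written for this page; it is not TrueConf’s code, and the manifest layout, the `trueconf-example-update` signing prefix and the installer bytes are constructed for the example. It runs four update offers through the same verifier: a genuine one, a server that swaps the installer but keeps the real manifest, a server that forges a manifest with its own key, and a signed-but-older build.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is what the update server hands the client. This layout is
// constructed for the example and is not TrueConf's real update format.
type Manifest struct {
	Version   string // e.g. "8.5.3"
	SHA256Hex string // hex SHA-256 of the installer payload
	Signature []byte // Ed25519 signature over signingInput(Version, SHA256Hex)
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrHashMismatch = errors.New("payload digest does not match the signed manifest")
	ErrNotNewer     = errors.New("offered version is not newer than the installed version")
)

// signingInput fixes the exact bytes that are signed so publisher and client agree.
// The prefix is a hypothetical domain-separation tag chosen for this example.
func signingInput(version, sha256Hex string) []byte {
	return []byte("trueconf-example-update\n" + version + "\n" + sha256Hex + "\n")
}

// SignManifest is the publisher side: it commits to the payload digest and
// version and signs them with the publisher's private key (never the server's).
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	h := hex.EncodeToString(sum[:])
	return Manifest{Version: version, SHA256Hex: h, Signature: ed25519.Sign(priv, signingInput(version, h))}
}

// parseVersion turns "8.5.3" into [8 5 3]; an unparsable component counts as 0.
func parseVersion(v string) []int {
	parts := strings.Split(v, ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, _ := strconv.Atoi(p)
		out[i] = n
	}
	return out
}

// isNewer reports whether version a is strictly newer than version b.
func isNewer(a, b string) bool {
	av, bv := parseVersion(a), parseVersion(b)
	for i := 0; i < len(av) || i < len(bv); i++ {
		var x, y int
		if i < len(av) {
			x = av[i]
		}
		if i < len(bv) {
			y = bv[i]
		}
		if x != y {
			return x > y
		}
	}
	return false
}

// VerifyUpdate is the client side. Only a nil return means the payload may be
// installed; a compromised server can control the manifest and the payload but
// not the pinned publisher key, so every check is anchored to that key.
func VerifyUpdate(pinnedPub ed25519.PublicKey, installed string, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinnedPub, signingInput(m.Version, m.SHA256Hex), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return ErrHashMismatch
	}
	if !isNewer(m.Version, installed) {
		return ErrNotNewer
	}
	return nil
}

// Scenarios feeds four constructed update offers to VerifyUpdate and returns
// the outcome of each by name so the reader can see which check fires.
func Scenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher key; pub is what the client pins
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // key held by whoever controls the server
	if err != nil {
		return nil, err
	}
	payload := []byte("constructed installer bytes for 8.5.3")
	implant := []byte("constructed replacement payload")
	good := SignManifest(priv, "8.5.3", payload)

	results := map[string]error{}
	results["genuine"] = VerifyUpdate(pub, "8.5.2", good, payload)
	results["swapped payload"] = VerifyUpdate(pub, "8.5.2", good, implant)                                     // real manifest, replaced installer
	results["forged manifest"] = VerifyUpdate(pub, "8.5.2", SignManifest(attackerPriv, "8.5.3", implant), implant) // manifest signed with the wrong key
	results["downgrade"] = VerifyUpdate(pub, "8.5.2", SignManifest(priv, "8.5.1", payload), payload)             // genuine but older build
	return results, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "swapped payload", "forged manifest", "downgrade"} {
		if e := res[name]; e != nil {
			fmt.Printf("%-16s rejected: %v\n", name, e)
		} else {
			fmt.Printf("%-16s accepted\n", name)
		}
	}
}
```

The ordering matters: the signature is checked first so that nothing about the manifest is trusted until it is known to come from the publisher, and the digest is compared only after that. A client that merely compares its version string to the server’s and then runs whatever the server returns performs none of these steps, which is the class of weakness the CVE describes.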
This still leaves the issue of compromising the local server. In its report, Check Point does not discuss this process, so we do not know how it happened or what malware was used to attack this endpoint.
However, threat actors used the access to push Havoc, an open source post-exploitation framework designed for advanced red teaming and adversary simulation. It provides modular capabilities for stealthy command and control (C2) operations and offers features such as in-memory execution, encrypted communication, and different evasion techniques.
Chinese cyber spies blamed
Given the type of malware that was deployed in the campaign, as well as the victimology, Check Point concluded that this was an espionage campaign. With the help of Havoc, the criminals were able to perform a “series of hands-on keyboard action focused on recognition, environment preparation, persistence, and retrieval of additional payloads.”
Neither the precise number of victims nor the industries in which they operate can be determined, Check Point added. This is primarily because many TrueConf instances run locally, on networks that are not connected to the Internet. Still, researchers said they saw a “series of attacks targeting government entities in South Asia,” suggesting multiple incursions.
Tactics, techniques and procedures, as well as command and control infrastructure, point to a Chinese nexus threat actor, CPR concluded, without sharing any names.
TrueConf has since fixed the vulnerability and released a patch. All users running versions 8.5.2 and earlier are recommended to upgrade to version 8.5.3, which was released in March 2026.
Via BleepingComputer
