TechRadar
Sead Fadilpašić

'By replacing a legitimate update with a malicious one, they turned the product’s update flow into a malware distribution channel': Experts find flaw in TrueConf video conferencing tool used by governments, military


  • Sophisticated supply chain attack exploited TrueConf update process
  • Havoc framework deployed for espionage operations
  • Vulnerability patched with new TrueConf version 8.5.3

Southeast Asian governments were recently targeted by a highly sophisticated supply chain attack as part of a wider cyber-espionage campaign, which experts believe is the work of the Chinese government.

Security researchers at Check Point detailed their findings on Operation TrueChaos, a campaign built around a zero-day vulnerability in TrueConf, a video conferencing and collaboration platform that runs either in the cloud or on a company’s own servers.

It works through a client-server model, often inside a private local network, allowing organizations to host meetings, messaging, and file sharing without relying on the public internet.

Wreaking Havoc

TrueConf is mostly used by governments, defense organizations, and large enterprises that require strict data control and privacy. Its key differentiator is its on-premises, self-hosted architecture, which keeps all communications internal and secure, combined with scalable video technology that adapts streams to each user’s device and bandwidth.

However, TrueConf's unique selling proposition was also its weakest point in this attack.

When users run the client, it connects to the local server and checks for updates; if it sees a mismatch between its own version and the server’s version, it can initiate an update.

The problem stemmed from the fact that this update was done without sufficient checks, allowing threat actors to push arbitrary code via a legitimate update process.
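The update flow described above, as an added example that is not TrueConf's code: a constructed model in which one client installs on any version mismatch, while a hardened client installs only an update whose version and payload digest carry a valid signature from a vendor key the on-prem server never holds. Type names, version strings and payload bytes are all constructed for the demonstration; the article does not describe the real updater's internals.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Update is what a client fetches from its (possibly compromised) on-prem server.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte // vendor signature over manifest(Version, sha256(Payload))
}

// manifest binds version and payload digest; a payload swap or a relabelled old build breaks the signature.
func manifest(version string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return append([]byte(version+":"), sum[:]...)
}

// weakAccept models the flawed flow: any version mismatch triggers an install.
func weakAccept(current string, u Update) bool {
	return u.Version != current
}

// hardenedAccept needs a valid vendor signature (a key the server never holds) and a strictly newer version.
func hardenedAccept(current string, vendorPub ed25519.PublicKey, u Update) bool {
	if !ed25519.Verify(vendorPub, manifest(u.Version, u.Payload), u.Signature) {
		return false
	}
	return u.Version > current // constructed versions compare lexically; use a semver parser for real builds
}

// scenario signs a legitimate update, swaps its payload as a compromised server would, and reports each policy's verdict.
func scenario() (weakTampered, hardenedTampered, hardenedLegit bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	legit := Update{Version: "8.5.3", Payload: []byte("constructed legitimate installer")}
	legit.Signature = ed25519.Sign(vendorPriv, manifest(legit.Version, legit.Payload))
	tampered := legit // same version string and signature, different bytes
	tampered.Payload = []byte("constructed malicious installer")
	return weakAccept("8.5.2", tampered), hardenedAccept("8.5.2", vendorPub, tampered), hardenedAccept("8.5.2", vendorPub, legit)
}

func main() {
	w, t, l := scenario()
	fmt.Printf("weak accepts tampered: %v, hardened accepts tampered: %v, hardened accepts legit: %v\n", w, t, l)
}
```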

This bug is now tracked as CVE-2026-3502 and was given a severity score of 7.8/10 (high). “If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user,” the NVD explained.

This still leaves the question of how the local server was compromised. In its report, Check Point does not discuss this process, so we don’t know how it happened or what malware was used to attack this endpoint.

However, the threat actors used that access to push Havoc, an open-source post-exploitation framework designed for advanced red teaming and adversary simulation. It provides modular capabilities for stealthy command and control (C2) operations, and offers features such as in-memory execution, encrypted communication, and a range of evasion techniques.

Chinese cyber-spies blamed

Check Point claims TTPs and C2s point to a China-nexus threat actor (Image credit: Shutterstock)

Given the type of malware deployed in the campaign, as well as the victimology, Check Point concluded that this was an espionage campaign. With the help of Havoc, the crooks were able to perform a “series of hands-on-keyboard actions focused on reconnaissance, environment preparation, persistence, and the retrieval of additional payloads.”

A precise number of victims, as well as the industries they operate in, cannot be determined, Check Point added. This is mostly because many TrueConf instances run locally, on networks that are not connected to the wider internet. Still, the researchers said they saw a “series of targeted attacks against government entities in South Asia”, which suggests multiple incursions.

The tactics, techniques, and procedures, as well as the command-and-control infrastructure, all point to a China-nexus threat actor, Check Point Research (CPR) concluded, without naming any group.

TrueConf has since fixed the vulnerability and released a patch. All users running versions 8.5.2 and older are advised to upgrade to version 8.5.3, which was released in March 2026.

Via BleepingComputer