- Sophisticated supply chain attack exploited TrueConf update process
- Havoc framework deployed for espionage operations
- Vulnerability fixed in TrueConf 8.5.3; versions 8.5.2 and earlier are affected
Government entities in South Asia have recently been the target of a sophisticated supply chain attack, part of a broader cyberespionage campaign that researchers believe is the work of a China-linked threat actor.
Security researchers at Check Point Research (CPR) have detailed their findings on Operation TrueChaos, a campaign built around a zero-day vulnerability in TrueConf, a video conferencing and collaboration platform that runs either in the cloud or on an organization's own servers.
It operates on a client-server model, often entirely within a private local area network, so organizations can host meetings, messaging and file sharing without relying on the public Internet.
Wreak havoc
TrueConf is used primarily by governments, defense organizations and large enterprises that require tight control over their data. Its key differentiator is a self-hosted, on-premises architecture that keeps all communications inside the organization's own network, combined with scalable video technology that adapts streams to each user's device and bandwidth.
That same selling point, however, is the weak spot this attack exploited: the client trusts the local server it connects to.
When a user launches the client, it connects to the local TrueConf server and checks for updates. If the client detects that its version does not match the version the server expects, it downloads and launches an update from that server.
The problem was that this update was fetched and run without sufficient verification of what the server delivered. An attacker who controlled the server could therefore deliver arbitrary code to every connecting client through an entirely legitimate update process.
This bug is now tracked as CVE-2026-3502 and received a CVSS severity score of 7.8 (high). "If the payload is executed or installed by the updater, this may result in the execution of arbitrary code in the context of the update process or the user," the NVD explained.
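The flaw described above is a trust problem, not a memory-corruption one: an updater that treats "the server says my version is wrong" as sufficient reason to run whatever the server hands it. The example below, added here and not taken from TrueConf's code or from Check Point's report, contrasts a weak updater of that kind with a hardened one that pins the vendor's Ed25519 public key, verifies a signature over the update manifest, binds the payload to the digest in the signed manifest, and refuses downgrades. The manifest format, the function names and the key pairs are all hypothetical; "executing" the update is represented by returning the payload bytes to the caller rather than actually running them.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update as the (hypothetical) server advertises it.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  []byte `json:"sha256"` // digest of Payload, fixed by the vendor at signing time
}

// Update is what the client receives from the server it connects to.
type Update struct {
	Manifest  []byte // JSON-encoded Manifest
	Signature []byte // Ed25519 signature over Manifest (ignored entirely by the weak path)
	Payload   []byte // the installer the client would execute
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned vendor key")
	ErrBadDigest    = errors.New("payload digest does not match the signed manifest")
	ErrDowngrade    = errors.New("offered version is not newer than the installed one")
)

// newKeyPair generates an Ed25519 key pair (vendor or attacker side, for the demo).
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signUpdate is the vendor's release step: build a manifest for payload and sign it.
func signUpdate(priv ed25519.PrivateKey, version int, payload []byte) Update {
	sum := sha256.Sum256(payload)
	m, _ := json.Marshal(Manifest{Version: version, SHA256: sum[:]})
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m), Payload: payload}
}

// applyWeak mirrors the flaw in the article: any version mismatch reported by
// the server triggers installation of whatever payload the server handed over.
// Returns the bytes the client would execute (nil when no update is needed).
func applyWeak(installed int, u Update) ([]byte, error) {
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return nil, err
	}
	if m.Version == installed {
		return nil, nil
	}
	// Compromised server => attacker-controlled code runs on every client.
	return u.Payload, nil
}

// applyHardened accepts the same input but only trusts what the pinned vendor
// key signed, then binds the payload to the signed digest and rejects downgrades.
func applyHardened(installed int, u Update, vendorKey ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(vendorKey, u.Manifest, u.Signature) {
		return nil, ErrBadSignature // server-only compromise cannot forge this
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return nil, err
	}
	if m.Version <= installed {
		return nil, ErrDowngrade // stops replay of an old, vulnerable signed release
	}
	sum := sha256.Sum256(u.Payload)
	if !bytes.Equal(sum[:], m.SHA256) {
		return nil, ErrBadDigest // stops swapping the binary behind a valid manifest
	}
	return u.Payload, nil
}

func main() {
	vendorPub, vendorPriv := newKeyPair()
	_, rogueKey := newKeyPair() // key an attacker on the compromised server would use

	rogue := signUpdate(rogueKey, 9, []byte("constructed: havoc-loader.exe"))
	if p, _ := applyWeak(1, rogue); p != nil {
		fmt.Println("weak updater would execute:", string(p))
	}
	_, err := applyHardened(1, rogue, vendorPub)
	fmt.Println("hardened updater rejects rogue update:", err)

	good := signUpdate(vendorPriv, 2, []byte("constructed: client-8.5.3.exe"))
	p, err := applyHardened(1, good, vendorPub)
	fmt.Println("hardened updater accepts vendor-signed update:", string(p), err)
}
```

The important design choice is that the verification key is pinned in the client, not fetched from the server: a server compromise then yields nothing the attacker can sign, and the digest check means the attacker cannot reuse a genuine signed manifest with a swapped binary either. Run it with `go run .` to see the two paths side by side.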
That leaves the question of how the local TrueConf server was compromised in the first place. Check Point's report does not cover that step, so it is not known how the attackers gained control of the server or what malware, if any, was used against it.
Once in, the threat actors used that access to push Havoc, an open-source post-exploitation framework built for red teaming and adversary simulation. It provides modular command-and-control (C2) capabilities and features such as in-memory execution, encrypted communications and a range of evasion techniques.
Chinese cyberspies accused
Given the malware deployed in the campaign, as well as the victimology, Check Point concluded that this was an espionage operation. With Havoc in place, the attackers carried out a "series of hands-on-keyboard actions focused on reconnaissance, environment preparation, persistence, and harvesting additional payloads."
A precise number of victims, and the sectors they operate in, cannot be determined, Check Point added. This is mainly because many TrueConf instances run on-premises, on networks that are not connected to the wider Internet. Nonetheless, the researchers said they observed a "series of targeted attacks on government entities in South Asia," suggesting multiple intrusions.
The tactics, techniques and procedures (TTPs), along with the command-and-control infrastructure, all point to a China-linked threat actor, CPR concluded, without naming a specific group.
TrueConf has since fixed the vulnerability and released a patch. All users running version 8.5.2 or earlier are advised to upgrade to version 8.5.3, released in March 2026.
Via BleepingComputer
