'TrueChaos' Zero-Day Campaign Exploits TrueConf Update Mechanism Against Southeast Asian Governments
A zero-day vulnerability in the TrueConf video conferencing client, designated CVE-2026-3502 with a CVSS score of 7.8, has been actively exploited in a targeted campaign dubbed "TrueChaos" against government entities in Southeast Asia.
Security researchers at Check Point Research discovered that the flaw allows an attacker controlling an on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints by abusing the application's updater validation mechanism. The campaign deploys the Havoc post-exploitation framework as the final payload, according to the researchers.
"Based on the observed tactics, techniques, and procedures (TTPs), command-and-control infrastructure, and victimology, we assess with moderate confidence that this activity is associated with a Chinese-nexus threat actor," Check Point Research said in its advisory.
Attack Chain Summary
- Vulnerability: CVE-2026-3502 (CVSS 7.8). Insufficient validation in the TrueConf client's updater lets an attacker who controls the on-premises server push and execute arbitrary files on connected clients.
- Target: Government bodies in Southeast Asia.
- Payload: The Havoc post-exploitation framework, giving the operators remote access for espionage.
- Attribution: Moderate confidence, based on TTPs, C2 infrastructure, and victimology, that a Chinese-nexus actor is responsible.
Background: TrueConf's Role and the Flaw
TrueConf is a video conferencing platform used by over 100,000 organizations globally, with significant adoption in Russia, East Asia, Europe, and the Americas. Its on-premises deployment model creates a trusted relationship between the central server and connected clients, especially through the update mechanism.
In enterprise environments, particularly government, defense, and critical infrastructure, TrueConf is chosen for its ability to operate entirely within a private local area network (LAN) without internet connectivity, keeping communications under the organization's own control. That same design becomes a liability when the on-premises server is compromised: every client that trusts the server for updates will also trust whatever the server chooses to push, and the network isolation that keeps outsiders out also keeps the malicious update away from internet-facing security controls.
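The trust problem described above (the client accepts whatever its own server distributes, and the flaw lies in the updater's validation) is easiest to see in code. The following Go program is an added, illustrative model of that weakness class and its usual fix; it is not TrueConf's code, does not reproduce CVE-2026-3502, and its manifest format, key handling and sample payloads are all constructed for this example. The weak validator checks the update file against a digest supplied by the same server that supplied the file, so a compromised server passes trivially. The hardened validator additionally requires an Ed25519 signature from a vendor release key pinned in the client, which a compromised on-premises server does not hold.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed, simplified stand-in for what an update server hands
// a client: the update bytes, a version string, a server-supplied digest and an
// optional release signature. It is not TrueConf's wire format.
type Manifest struct {
	Version   string
	Payload   []byte
	SHA256Hex string
	Signature []byte
}

// signedMessage binds version and digest together so a signature cannot be
// replayed against a different version or payload.
func signedMessage(version, digestHex string) []byte {
	return []byte("update-manifest-v1\x00" + version + "\x00" + digestHex)
}

// BuildManifest packages a payload the way a server would. A nil signer yields
// an unsigned manifest, which is all a compromised server can offer when the
// release key lives only with the vendor.
func BuildManifest(version string, payload []byte, signer ed25519.PrivateKey) Manifest {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, Payload: payload, SHA256Hex: hex.EncodeToString(sum[:])}
	if signer != nil {
		m.Signature = ed25519.Sign(signer, signedMessage(version, m.SHA256Hex))
	}
	return m
}

// WeakValidate models the weak pattern: the file is checked against a digest
// supplied by the same server that supplied the file. An attacker who controls
// the server controls both, so this check never fails for them.
func WeakValidate(m Manifest) error {
	sum := sha256.Sum256(m.Payload)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return errors.New("digest mismatch")
	}
	return nil
}

// StrongValidate additionally requires an Ed25519 signature by a vendor release
// key pinned in the client. A compromised on-premises server cannot forge it, so
// swapping the payload or re-signing with a different key is rejected.
func StrongValidate(pinned ed25519.PublicKey, m Manifest) error {
	if err := WeakValidate(m); err != nil {
		return err
	}
	if !ed25519.Verify(pinned, signedMessage(m.Version, m.SHA256Hex), m.Signature) {
		return errors.New("release signature invalid: refusing update")
	}
	return nil
}

// Outcome records how each validator treated one manifest.
type Outcome struct {
	WeakAccepts   bool
	StrongAccepts bool
}

// Scenario runs the genuine, rogue and tampered cases with freshly generated
// keys and returns the three outcomes in that order.
func Scenario() (genuine, rogue, tampered Outcome, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	judge := func(m Manifest) Outcome {
		return Outcome{WeakAccepts: WeakValidate(m) == nil, StrongAccepts: StrongValidate(vendorPub, m) == nil}
	}
	// Legitimate release: signed by the vendor key (constructed payload bytes).
	good := BuildManifest("8.5.3", []byte("legitimate installer bytes (constructed)"), vendorPriv)
	genuine = judge(good)
	// Rogue update from a compromised server: self-consistent digest, attacker's own key.
	evil := BuildManifest("8.5.4", []byte("stage-two placeholder (constructed)"), attackerPriv)
	rogue = judge(evil)
	// Tampered: vendor-signed metadata kept, payload swapped, digest recomputed.
	tam := good
	tam.Payload = append([]byte(nil), evil.Payload...)
	sum := sha256.Sum256(tam.Payload)
	tam.SHA256Hex = hex.EncodeToString(sum[:])
	tampered = judge(tam)
	return
}

func main() {
	g, r, t, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine:  %+v\nrogue:    %+v\ntampered: %+v\n", g, r, t)
}
```

Running it shows the weak check accepting all three manifests while the pinned-key check accepts only the genuine one. The design point is where the trust anchor lives: a digest or signature that the server can regenerate proves nothing once the server is the adversary, so the verifying key must be shipped with the client and be unavailable to the on-premises deployment.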
Note: The vulnerability was responsibly disclosed to TrueConf. A fix is included in TrueConf Windows client version 8.5.3, released in March 2026; desktop clients still on version 8.5.2, the current release at the time of the advisory, remain vulnerable.
What This Means
Organizations using on-premises TrueConf deployments must immediately upgrade all Windows clients to version 8.5.3. Because the attack requires an adversary to control the TrueConf server, patching clients alone does not help an organization whose server is already compromised: the server should be treated as a potential point of compromise and investigated as well. The attack underscores how trusted update mechanisms in enterprise software become supply-chain vectors once the distribution point is in adversary hands.
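Confirming that the upgrade actually landed everywhere means comparing installed client versions against 8.5.3 across the fleet. The following Go program is an added example, not a TrueConf tool, that does that comparison numerically; the inventory it audits is a constructed sample. It exists mainly to show a pitfall: comparing version strings lexicographically would rank a hypothetical "8.5.10" below "8.5.3" and misreport it as unpatched, and hosts whose version cannot be read should be listed for follow-up rather than silently skipped.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// FixedVersion is the Windows client release the advisory names as containing the fix.
const FixedVersion = "8.5.3"

// parseVersion turns "8.5.2" into []int{8, 5, 2}. Comparing components as integers
// matters: as strings, "8.5.10" sorts below "8.5.3".
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(strings.TrimSpace(v), ".")
	out := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad version %q", v)
		}
		out = append(out, n)
	}
	return out, nil
}

// CompareVersions returns -1, 0 or 1. Missing trailing components count as 0,
// so "8.5" compares equal to "8.5.0".
func CompareVersions(a, b string) (int, error) {
	va, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	vb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := 0; i < len(va) || i < len(vb); i++ {
		x, y := 0, 0
		if i < len(va) {
			x = va[i]
		}
		if i < len(vb) {
			y = vb[i]
		}
		if x < y {
			return -1, nil
		}
		if x > y {
			return 1, nil
		}
	}
	return 0, nil
}

// IsPatched reports whether an installed client version is at or above FixedVersion.
func IsPatched(installed string) (bool, error) {
	c, err := CompareVersions(installed, FixedVersion)
	return c >= 0, err
}

// AuditFleet takes hostname -> installed version and returns, sorted, the hosts
// that still need the upgrade. Unparsable versions are included deliberately.
func AuditFleet(inventory map[string]string) []string {
	var todo []string
	for host, v := range inventory {
		ok, err := IsPatched(v)
		if err != nil || !ok {
			todo = append(todo, host)
		}
	}
	sort.Strings(todo)
	return todo
}

func main() {
	// Constructed sample inventory; hostnames and versions are illustrative only.
	inv := map[string]string{
		"ws01": "8.5.2",
		"ws02": "8.5.3",
		"ws03": "8.5.10",
		"ws04": "8.4.9",
		"ws05": "unknown",
	}
	fmt.Println("needs upgrade:", AuditFleet(inv))
}
```

The inventory map stands in for whatever source the environment actually has (endpoint-management export, software inventory, a registry query run over the fleet); the comparison logic is the part worth keeping.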
"This campaign highlights the growing trend of threat actors exploiting legitimate software update processes to evade detection and gain persistent access," Check Point Research added. "Government and critical infrastructure sectors using self-hosted communication platforms should reassess their security posture and verify all server-side controls."
With the operation linked with moderate confidence to Chinese-nexus actors, the TrueChaos campaign fits established geopolitical targeting patterns in Southeast Asia. Prompt patching, verification that the upgrade reached every client, and continued monitoring of self-hosted TrueConf servers are the practical defenses against a repeat.