
Behind TrueChaos: How a Zero-Day in TrueConf Targeted Southeast Asian Governments

Check Point Research uncovered CVE-2026-3502, a zero-day in TrueConf's client update mechanism that was exploited in the TrueChaos campaign to deploy the Havoc post-exploitation framework against Southeast Asian governments. The activity is attributed, with moderate confidence, to a Chinese-nexus actor.

Sondizi · 2026-05-03 16:01:31 · Cybersecurity

Introduction

In early 2026, Check Point Research uncovered a series of sophisticated attacks aimed at government agencies in Southeast Asia. Rather than introducing new software, the attackers abused TrueConf, a legitimate video conferencing tool that was already deployed within the targeted environments. The investigation led to the discovery of a high-severity zero-day vulnerability, designated CVE-2026-3502 and scored 7.8 on the CVSS scale. The flaw lies in the TrueConf client's update validation: an attacker who controls an on-premises TrueConf server can push arbitrary files to every connected client and have them executed. The threat actor used it in a campaign dubbed "TrueChaos" to deploy the Havoc payload and compromise the endpoints.


The Vulnerability: Abuse of Trust

TrueConf is a video conferencing platform widely used by governments, defense departments, and critical infrastructure organizations, especially in Russia, East Asia, Europe, and the Americas. With over 100,000 customer organizations, its on-premises deployment creates a trusted relationship between the central server and client endpoints, particularly through the update mechanism. The vulnerability at the heart of TrueChaos exploits this trust.

Specifically, the flaw is in how the TrueConf client validates update packages it receives from its on-premises server. The client is meant to accept only properly signed updates, but because of improper validation an attacker who controls the server can get past that check and deliver arbitrary files as a fake update. The client then runs what the server hands it, so control of a single server translates into code execution on every endpoint enrolled with it. The article does not describe the exact step at which validation fails; the operationally important point is that a compromised server is sufficient to compromise all of its clients, with no user interaction.
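The trust-boundary failure described above, written out as an added example. This is not TrueConf's code and not a reconstruction of the actual CVE-2026-3502 bypass, which the article does not specify; it shows the general class, a client whose signature check can be satisfied by whoever controls the server, next to a client that pins the publisher's key, refuses downgrades and rejects files missing from or extra to the signed manifest. A textbook RSA toy (no padding) built from Mersenne primes stands in for a real signature scheme so the block runs on the standard library alone; the manifest layout, field names and sample files are all constructed for this example.

```python
"""Pinned-key update verification beside the trust-the-server anti-pattern.

Added example; not TrueConf's code and not the specific CVE-2026-3502 bypass.
Textbook RSA without padding stands in for a real signature scheme so this
runs on the standard library; manifest fields and sample files are constructed.
"""
import hashlib
import json

# Publisher keypair. The CLIENT ships only (N, E); the publisher keeps _D offline.
P, Q = (1 << 521) - 1, (1 << 127) - 1          # Mersenne primes M521 and M127
N, E = P * Q, 65537
_D = pow(E, -1, (P - 1) * (Q - 1))
PINNED_PUBKEY = {"n": N, "e": E}               # baked into the client binary


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(payload: bytes, d: int, n: int) -> int:
    return pow(_digest(payload), d, n)


def verify(payload: bytes, sig: int, pub: dict) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(payload)


def canonical(body: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_update(files: dict, version: str, d: int, n: int) -> dict:
    """Server side: manifest of version + per-file SHA-256, signed over canonical bytes.
    The signer's public key rides along, which is exactly what the weak client trusts."""
    body = {"version": version,
            "files": {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}}
    return {"body": body, "sig": sign(canonical(body), d, n), "signer_key": {"n": n, "e": E}}


def _files_match(body: dict, files: dict) -> bool:
    return (set(files) == set(body["files"]) and
            all(hashlib.sha256(data).hexdigest() == body["files"][name]
                for name, data in files.items()))


def _ver(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def weak_client_accepts(update: dict, files: dict) -> bool:
    """Anti-pattern: checks the signature against the key that arrived WITH the update.
    Whoever controls the server signs with their own key and ships that key, so the
    per-file hash check below passes for the attacker's files as well."""
    return (verify(canonical(update["body"]), update["sig"], update["signer_key"])
            and _files_match(update["body"], files))


def hardened_client_accepts(update: dict, files: dict, installed_version: str) -> bool:
    """Verifies against the PINNED key, refuses downgrades or replays, and rejects any
    delivered file that is missing from, or extra to, the signed manifest."""
    body = update["body"]
    if not verify(canonical(body), update["sig"], PINNED_PUBKEY):
        return False
    if _ver(body["version"]) <= _ver(installed_version):
        return False                                   # anti-rollback
    return _files_match(body, files)


# --- constructed sample data ---
GENUINE_FILES = {"client.exe": b"legitimate client build 8.5.3 (constructed)"}
GENUINE = build_update(GENUINE_FILES, "8.5.3", _D, N)

# Attacker who owns the server: their own toy keypair, their own payload.
AP, AQ = (1 << 607) - 1, (1 << 89) - 1          # Mersenne primes M607 and M89
AN = AP * AQ
AD = pow(E, -1, (AP - 1) * (AQ - 1))
ROGUE_FILES = {"client.exe": b"implant disguised as an update (constructed)"}
ROGUE = build_update(ROGUE_FILES, "8.5.4", AD, AN)

if __name__ == "__main__":
    print("weak client, rogue update:     ", weak_client_accepts(ROGUE, ROGUE_FILES))
    print("hardened client, rogue update: ", hardened_client_accepts(ROGUE, ROGUE_FILES, "8.5.2"))
    print("hardened client, genuine update:", hardened_client_accepts(GENUINE, GENUINE_FILES, "8.5.2"))
```

The design point is where the verification key comes from: in the hardened client it is compiled in and the server can change nothing about it, so server compromise buys the attacker delivery but not execution. The version check matters too, because a server that can replay an old, genuinely signed but vulnerable client is nearly as useful to an attacker as one that can forge signatures.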

The Attack Chain: From Server to Endpoint

The TrueChaos campaign began with the threat actor gaining control of an on-premises TrueConf server; the report does not establish how, and stolen credentials, an intrusion elsewhere in the network or a supply-chain compromise are all plausible routes. Once in control of the server, the attacker exploited CVE-2026-3502 to distribute the Havoc payload as a malicious update. Havoc is an open-source command-and-control and post-exploitation framework comparable to Cobalt Strike, providing remote access, data collection and exfiltration, and lateral movement.

The attack unfolded in several stages:

  • Initial Access: compromise of the TrueConf server, by a vector not determined in the report (spear-phishing and exploitation of other vulnerabilities were both considered possible).
  • Payload Delivery: using the flawed update mechanism, the attacker pushed a custom update package containing Havoc to every TrueConf client registered with the server.
  • Execution: client machines downloaded and executed the update automatically, without user interaction, giving the attacker a foothold on each endpoint.
  • Data Collection: Havoc was used to steal sensitive documents, monitor communications and maintain persistence inside the government networks.

Routing the payload through a legitimate, already-trusted application made the attack hard to spot: the malicious downloads looked like ordinary client-server traffic and routine updates, arriving from the same source that normally delivers them.

Victimology and Attribution

The primary victims were government entities in Southeast Asia, though details on specific countries were not disclosed to avoid compromising ongoing investigations. Based on the observed tactics, techniques, and procedures (TTPs), command-and-control infrastructure, and victim profiles, Check Point Research assessed with moderate confidence that the threat actor behind TrueChaos is a Chinese-nexus group. This attribution aligns with patterns of Chinese cyber espionage targeting Southeast Asian governments, often focusing on political, economic, and military intelligence.

The choice of TrueConf, a platform popular in Russia and parts of Asia, suggests the actor knew which software was deployed in the target environments and understood the product well enough to find and weaponize a flaw in its update channel. Havoc itself is an open-source framework used by many actors and carries little attribution value on its own; the assessment rests on the modifications made to it, the delivery method, the TTPs and the infrastructure, which together point to a sophisticated, well-resourced adversary.

Mitigation and Response

Upon discovering the vulnerability, Check Point Research responsibly disclosed CVE-2026-3502 to TrueConf. The vendor developed a fix and shipped it in TrueConf Windows client version 8.5.3 in March 2026. Because the fix is in the client, patching the server alone does not close the hole: every Windows client on an earlier version must be updated, and organizations in government, military or critical infrastructure sectors should treat this as urgent. Endpoints that may already have received a malicious update need incident response rather than just a patch, since an implant that has already executed is unaffected by fixing the update check.

Beyond patching, organizations running TrueConf on-premises should:

  1. Treat administrative access to the on-premises server as equivalent to code execution on every connected client: restrict it to a small set of accounts, protect those accounts accordingly, and audit changes to the update configuration.
  2. Monitor the update channel: updates outside maintenance windows, packages whose hash or signer differs from the vendor's release, and client processes that spawn unexpected children after an update.
  3. Segment the network so that a compromised server, and the endpoints it can reach, cannot pivot freely into the rest of the estate.
  4. Deploy endpoint detection and response (EDR) tooling able to recognize Havoc-style post-exploitation behaviour: remote access, data staging and exfiltration, lateral movement.
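Items 2 and 4 above come down to one question on the endpoint: what does the TrueConf process spawn right after an update, and does it look like the vendor's own client? The script below is an added example of that triage over process-creation records, not Check Point's or TrueConf's detection content. The record field names (Image, ParentImage, Signer, User), the TrueConf process names, the install path and the vendor signer string are assumptions to be adjusted to the real deployment and the EDR's export format; the sample records are constructed.

```python
"""Triage of endpoint process-creation records for update-channel abuse.

Added example; not Check Point's or TrueConf's detection content. Field names,
TrueConf process/path names and the signer string are assumptions; the sample
records are constructed for this example.
"""
from collections import Counter

TRUSTED_DIR = "c:\\program files\\trueconf\\client\\"     # assumed install dir
UPDATER_IMAGES = {"trueconf.exe", "trueconfupdater.exe"}  # assumed process names
EXPECTED_SIGNER = "trueconf llc"                          # assumed Authenticode subject
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(records: list) -> list:
    """Return (rule, record) pairs for children of the updater that look wrong.
    A genuine update should only ever produce the vendor-signed client, running
    from the install directory; anything else is worth an analyst's eyes."""
    findings = []
    for r in records:
        if _base(r["ParentImage"]) not in UPDATER_IMAGES:
            continue                                  # only updater children in scope
        image = r["Image"].lower()
        if _base(image) in LOLBINS:
            findings.append(("updater_spawned_script_host", r))
        if not image.startswith(TRUSTED_DIR):
            findings.append(("child_outside_install_dir", r))
        if r.get("Signer", "").lower() != EXPECTED_SIGNER:
            findings.append(("child_not_vendor_signed", r))
    return findings


def rule_counts(records: list) -> dict:
    return dict(Counter(rule for rule, _ in triage(records)))


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {   # benign: updater relaunches the vendor-signed client from its install dir
        "ParentImage": "C:\\Program Files\\TrueConf\\Client\\TrueConf.exe",
        "Image": "C:\\Program Files\\TrueConf\\Client\\TrueConf.exe",
        "Signer": "TrueConf LLC", "User": "CORP\\alice",
    },
    {   # suspicious: updater drops and runs an unsigned binary from a user-writable path
        "ParentImage": "C:\\Program Files\\TrueConf\\Client\\TrueConf.exe",
        "Image": "C:\\Users\\Public\\Update\\svchost.exe",
        "Signer": "", "User": "CORP\\bob",
    },
    {   # suspicious: updater spawning a script host with an encoded command
        "ParentImage": "C:\\Program Files\\TrueConf\\Client\\TrueConf.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "Signer": "Microsoft Windows", "User": "CORP\\carol",
        "CommandLine": "powershell.exe -nop -w hidden -enc <base64>",
    },
    {   # out of scope: unrelated parent process
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "Signer": "Microsoft Windows", "User": "CORP\\dave",
    },
]

if __name__ == "__main__":
    for rule, rec in triage(SAMPLE_RECORDS):
        print(f"{rule:30} {rec['User']:12} {rec['Image']}")
    print(rule_counts(SAMPLE_RECORDS))
```

Three rules fire on the two bad records and nothing fires on the benign one. In practice the signer check needs a telemetry source that actually records the Authenticode subject at process creation, and the trusted directory and process names must be taken from a known-good install rather than typed from memory; the point of the example is the scoping (children of the updater only) and the expectation (only the vendor's own binary), which hold regardless of the EDR in use.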

Conclusion

Operation TrueChaos highlights the dangers of trusted internal systems being turned against their owners. By exploiting a zero-day in a widely used video conferencing platform, a Chinese-nexus threat actor successfully breached Southeast Asian government networks. The attack serves as a reminder that even legitimate software update mechanisms can become vectors for compromise. Timely patching and robust network segmentation are critical to defending against such sophisticated threats.
