A trusted communication tool has been turned into a weapon of mass malware distribution. Check Point Research has uncovered a critical zero-day vulnerability in the TrueConf video conferencing platform, which was actively exploited in a targeted espionage campaign dubbed “TrueChaos”. The flaw, tracked as CVE-2026-3502, allowed attackers to bypass security checks and deliver malicious payloads to government entities across Southeast Asia.
TrueConf is a popular on-premises video conferencing solution used by over 100,000 organizations, including military, defense, and critical infrastructure sectors. In these environments, the software operates within private local networks (LANs) to ensure “absolute data privacy and communication autonomy”.

However, this architecture relies on an inherent trust between the central on-premises server and its connected clients—a trust that was abused through the platform’s update mechanism. As the report explains:
“The vulnerability stems from the lack of integrity and authenticity checks in this update flow. An attacker who gains control of the on-premises TrueConf server can replace the expected update package with an arbitrary executable… and distribute it to all connected clients”.
In the observed campaign, the threat actor first compromised a centrally managed TrueConf server operated by a governmental IT department. They then replaced the legitimate update file with a “weaponized client update”.
When users launched their TrueConf application, they were met with a standard-looking prompt claiming a new version was available. Because the client “trusts the server-provided update without proper validation,” the malicious file was delivered and executed under the guise of a routine patch.
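The two missing checks the report describes, integrity and authenticity of the server-supplied update, can be shown concretely. The following is an added example, not TrueConf's code or anything from the Check Point report: a client-side verifier that accepts an update package only when a manifest (version plus SHA-256 of the package) carries a valid Ed25519 signature from a key pinned in the client, and the package bytes hash to the value in that manifest. The manifest layout, key handling and installer bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the signed metadata a client should receive alongside an update
// package. This layout is an assumption for the example, not TrueConf's format.
type Manifest struct {
	Version string
	SHA256  string // hex SHA-256 of the package bytes
}

// canonical is the exact byte string the vendor signs; a fixed encoding keeps
// vendor and client from disagreeing on what was signed.
func (m Manifest) canonical() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// VerifyUpdate performs the two checks the vulnerable flow lacked:
// authenticity (manifest signed by a key pinned in the client, never one the
// server hands over) and integrity (package hash matches the signed manifest).
func VerifyUpdate(pinnedVendorKey ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pinnedVendorKey, m.canonical(), sig) {
		return errors.New("manifest signature invalid: not signed by the pinned vendor key")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("package hash does not match the signed manifest")
	}
	return nil
}

// Scenario plays out three deliveries through a compromised on-premises server
// and returns the client's verdict on each:
//   genuine - vendor-signed manifest with the matching package (accepted)
//   swapped - vendor manifest reused, package replaced (integrity failure)
//   forged  - manifest rewritten and signed with a non-vendor key (authenticity failure)
func Scenario() (genuine, swapped, forged error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // key the server operator controls
	if err != nil {
		panic(err)
	}

	// Constructed stand-ins for installer bytes.
	goodPkg := []byte("constructed: genuine client installer")
	badPkg := []byte("constructed: replaced installer")

	goodSum := sha256.Sum256(goodPkg)
	m := Manifest{Version: "8.5.3", SHA256: hex.EncodeToString(goodSum[:])}
	sig := ed25519.Sign(vendorPriv, m.canonical())
	genuine = VerifyUpdate(vendorPub, m, sig, goodPkg)

	// The server can swap the file, but cannot produce a vendor signature for it.
	swapped = VerifyUpdate(vendorPub, m, sig, badPkg)

	// Rewriting the manifest and signing it with a non-vendor key fails too.
	badSum := sha256.Sum256(badPkg)
	m2 := Manifest{Version: "8.5.3-constructed", SHA256: hex.EncodeToString(badSum[:])}
	sig2 := ed25519.Sign(otherPriv, m2.canonical())
	forged = VerifyUpdate(vendorPub, m2, sig2, badPkg)
	return genuine, swapped, forged
}

func main() {
	g, s, f := Scenario()
	fmt.Println("genuine:", g)
	fmt.Println("swapped:", s)
	fmt.Println("forged: ", f)
}
```

The point of the design is that the on-premises server never becomes a trust root: it only relays a package and a manifest, and the key that decides acceptance ships inside the client. A server compromise then yields a failed update rather than code execution on every connected endpoint.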
Once installed, the malicious update did more than refresh the software: it dropped a benign, legitimate-looking executable together with a malicious DLL (7z-x64.dll). This pairing enabled DLL side-loading, through which the attacker carried out “hands-on-keyboard actions” for reconnaissance and privilege escalation.
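A defender hunting for the side-loading stage can triage image-load telemetry for the shape described above: an unsigned DLL loaded from the same user-writable directory as the executable that loaded it. The following is an added example, not from the Check Point report, run over constructed records modelled on the fields of a Sysmon Event ID 7 (Image loaded) event. The file name 7z-x64.dll comes from the report; the process names, paths and signing states are invented.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageLoad holds the fields of a Sysmon Event ID 7 (Image loaded) record used
// here. The records in SampleEvents are constructed, not real telemetry.
type ImageLoad struct {
	Process     string // loading executable, full Windows path
	ImageLoaded string // DLL path
	Signed      bool   // Sysmon's Signed field for the loaded image
}

// userWritableRoots are path prefixes a standard user can write to. A DLL that
// lands here next to a freshly dropped EXE is the classic side-loading layout.
var userWritableRoots = []string{`c:\users\`, `c:\programdata\`, `c:\windows\temp\`}

// winDir returns the lower-cased directory part of a Windows path without using
// path/filepath, whose separator depends on the host the triage runs on.
func winDir(p string) string {
	p = strings.ToLower(p)
	if i := strings.LastIndex(p, `\`); i >= 0 {
		return p[:i+1]
	}
	return ""
}

func isUserWritable(dir string) bool {
	for _, r := range userWritableRoots {
		if strings.HasPrefix(dir, r) {
			return true
		}
	}
	return false
}

// IsSuspectSideLoad flags a load when the DLL is unsigned, sits in the same
// directory as the process that loaded it, and that directory is user-writable.
func IsSuspectSideLoad(e ImageLoad) bool {
	dllDir := winDir(e.ImageLoaded)
	return !e.Signed && dllDir == winDir(e.Process) && isUserWritable(dllDir)
}

// Triage returns the subset of events worth an analyst's attention.
func Triage(events []ImageLoad) []ImageLoad {
	var hits []ImageLoad
	for _, e := range events {
		if IsSuspectSideLoad(e) {
			hits = append(hits, e)
		}
	}
	return hits
}

// SampleEvents returns constructed records covering a signed system DLL, an
// unsigned DLL in a protected install directory, and the side-loading case.
func SampleEvents() []ImageLoad {
	return []ImageLoad{
		{Process: `C:\Program Files\SomeApp\app.exe`, ImageLoaded: `C:\Windows\System32\kernel32.dll`, Signed: true},
		{Process: `C:\Program Files\SomeApp\app.exe`, ImageLoaded: `C:\Program Files\SomeApp\helper.dll`, Signed: false},
		{Process: `C:\Users\alice\AppData\Local\Temp\upd\client.exe`, ImageLoaded: `C:\Users\alice\AppData\Local\Temp\upd\7z-x64.dll`, Signed: false},
		{Process: `C:\Users\alice\AppData\Local\Temp\upd\client.exe`, ImageLoaded: `C:\Windows\System32\ntdll.dll`, Signed: true},
	}
}

func main() {
	for _, h := range Triage(SampleEvents()) {
		fmt.Printf("SUSPECT side-load: %s -> %s\n", h.Process, h.ImageLoaded)
	}
}
```

Only the third record is flagged. The unsigned helper in Program Files is left alone because a standard user cannot plant files there, which keeps the rule quiet on ordinary unsigned software; the rule is a triage filter, and analysts would still confirm the host executable's signer and the DLL's export names before acting.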
The ultimate goal of the operation was the deployment of a Havoc implant—an open-source post-exploitation framework. Using this tool, the attackers could maintain persistent access and retrieve additional payloads from their command-and-control (C2) infrastructure.
Based on the observed tactics, regional focus, and the use of infrastructure like Alibaba Cloud and Tencent hosting, Check Point Research assesses with moderate confidence that this activity is associated with a Chinese-nexus threat actor.
“The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually,” the report concludes. By hijacking the central server, “they turned the product’s normal update flow into a malware distribution channel across multiple connected government networks”.
TrueConf has since released a fix for this vulnerability. Users are urged to update their Windows client to version 8.5.3 or later to protect their systems from this sophisticated supply chain threat.