Mar 31, 2026 • stcpresearch
Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets
Executive Summary
Check Point Research discovered a zero-day vulnerability (CVE-2026-3502, CVSS 7.8) in the TrueConf video conferencing client being actively exploited in a campaign dubbed 'Operation TrueChaos.' The vulnerability stems from improper validation in TrueConf's updater mechanism, allowing attackers controlling an on-premises TrueConf server to distribute arbitrary files to connected endpoints. The campaign targeted government entities in Southeast Asia, using the trusted update channel to deploy the Havoc remote access trojan across multiple agencies. Check Point assesses with moderate confidence that this espionage-motivated operation is linked to a Chinese-nexus threat actor. TrueConf has released version 8.5.3 containing the fix. Organizations using TrueConf on-premises deployments should immediately update to the latest version and monitor for indicators of Havoc C2 activity.
Summary
At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via legitimate TrueConf software installed in the targets' environment. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8. […] The post "Operation TrueChaos: 0-Day Exploitation Against Southeast Asian Government Targets" appeared first on Check Point Research.
Published Analysis
Key Points
- Check Point Research identified a zero-day vulnerability in the TrueConf client application, tracked as CVE-2026-3502, with a CVSS score of 7.8. The flaw stems from the abuse of TrueConf's updater validation mechanism, allowing an attacker who controls the on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints.
- This vulnerability has been exploited in the wild as part of a targeted campaign we call "TrueChaos" against government entities in Southeast Asia, where the threat actor abused the TrueConf update mechanism to deploy the Havoc payload to vulnerable machines. Based on the observed TTPs, command-and-control infrastructure and victimology, we assess with moderate confidence that this activity is associated with a Chinese-nexus threat actor.
- Check Point Research responsibly disclosed this vulnerability to TrueConf. Following our notification, the vendor developed a fix, which is included in the TrueConf Windows client starting with version 8.5.3, released in March 2026. The current version of the desktop apps is 8.5.2.
Introduction
At the beginning of 2026, Check Point Research observed a series of targeted attacks against government entities in Southeast Asia carried out via legitimate TrueConf software installed in the targets' environment. The investigation led to the discovery of a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8. The flaw affects the application's updater validation mechanism and allows an attacker controlling an on-premises TrueConf server to distribute and execute arbitrary files across connected endpoints.
TrueConf is a video conferencing platform that supports both on-premises and cloud deployments and is used across multiple regions, most prominently in Russia, as well as in East Asia, Europe, and the Americas. Serving more than 100,000 organizations globally, its customers range from governments, defense departments and critical infrastructure operators to large businesses such as banks, power utilities and TV stations. In enterprise environments, its on-premises architecture creates a trusted relationship between the central server and connected clients, especially through the platform's update mechanism.
In its on-premises form, TrueConf operates entirely within a private local network (LAN) without requiring an internet connection. It is primarily used by government, military, and critical infrastructure sectors to ensure data privacy and communication autonomy in secure or remote environments; in locations with poor or no internet connectivity, or during natural disasters when traditional networks are down, it facilitates essential coordination. By hosting the server on internal hardware, all audio, video, and chat traffic remains strictly contained on-site, with offline activation available for fully air-gapped systems.
In this case, that trust was abused to deliver malware due to improper validation in the update process. In the observed in-the-wild activity, operation "TrueChaos", the threat actor used the trusted update channel of a centrally managed on-premises TrueConf server to distribute malicious updates to multiple connected government agencies in a Southeast Asian country. The victimology and regional focus of the campaign suggest an espionage-motivated operation. In combination with the observed TTPs and command-and-control infrastructure, these indicators point with moderate confidence...
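The advisory's only actionable remediation is to get every TrueConf Windows client to 8.5.3 or later. The script below is an added example, not code from Check Point Research or TrueConf: it audits a software-inventory export (from whatever endpoint-management tool you have) and flags hosts whose TrueConf client is older than the fixed build. The fixed version 8.5.3 comes from the advisory; everything else is an assumption made for illustration, namely that the export is a CSV with host, product and version columns, that the product name contains the string "TrueConf", and that the hostnames and version strings in the sample rows are constructed. The point worth taking from it is the version comparison: a string compare puts 8.5.10 before 8.5.3, so the check parses versions into integer tuples, and rows whose version field cannot be parsed are routed to manual review rather than silently counted as patched.

```python
"""Audit a software-inventory export for TrueConf clients below the fixed build.

Added example, not Check Point Research or TrueConf code. Assumptions (not in the
advisory): the export is CSV with columns host,product,version and the product
name contains "TrueConf". 8.5.3 as the first fixed Windows client build is from
the advisory. All sample rows below are constructed.
"""
import csv
import io
import re

# First TrueConf Windows client release containing the fix (from the advisory).
FIXED_VERSION = (8, 5, 3)

# Constructed sample inventory export; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """host,product,version
GOV-WS-0101,TrueConf,8.5.2
GOV-WS-0102,TrueConf,8.5.3
GOV-WS-0103,TrueConf Client,8.5.10
GOV-WS-0104,TrueConf,8.4.1.123
GOV-WS-0105,Microsoft Teams,1.7.00.1234
GOV-WS-0106,TrueConf,unknown
"""


def parse_version(text):
    """Turn '8.5.2' or '8.4.1.123' into a tuple of ints.

    Returns None when the field holds no leading dotted-numeric version so the
    caller can send the host for manual review instead of treating it as patched.
    """
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the parsed version is strictly older than the fixed build.

    Tuple comparison is element-wise, so (8, 5, 10) sorts above (8, 5, 3); a
    plain string comparison of '8.5.10' < '8.5.3' would get this wrong.
    """
    return version < fixed


def audit_inventory(csv_text, fixed=FIXED_VERSION):
    """Classify every TrueConf row of an inventory export against the fixed build.

    Returns a dict with three lists of (host, version_string):
      vulnerable - TrueConf client older than `fixed`, needs the update
      patched    - TrueConf client at or above `fixed`
      review     - TrueConf row whose version field could not be parsed
    Rows for other products are ignored.
    """
    result = {"vulnerable": [], "patched": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Assumption: the inventory names the product with the string "TrueConf".
        if "trueconf" not in (row.get("product") or "").lower():
            continue
        host, raw = row["host"], row["version"]
        parsed = parse_version(raw)
        if parsed is None:
            result["review"].append((host, raw))
        elif is_vulnerable(parsed, fixed):
            result["vulnerable"].append((host, raw))
        else:
            result["patched"].append((host, raw))
    return result


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for bucket in ("vulnerable", "review", "patched"):
        for host, ver in report[bucket]:
            print(f"{bucket:<10} {host}  TrueConf {ver}")
```

Run it against a real export by replacing SAMPLE_INVENTORY with the file contents. Hosts that land in "review" are the ones to chase: an inventory agent that reports no version usually means the client was installed outside the managed channel, which is exactly the population an attacker pushing files through the on-premises server would reach. The version gate says nothing about whether a host was already compromised; that still needs the Havoc C2 hunt the advisory recommends.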
Linked Entities
- Havoc
- Chinese-nexus threat actor
- CVE-2026-3502