TrueConf zero-day exploited in attacks on Southeast Asian government entities

A high-severity flaw in TrueConf client video conferencing software was exploited as a zero-day in attacks on government entities in Southeast Asia, with the campaign first seen at the start of 2026 and the bug rated CVSS 7.8.

KEY FACTS

  • Vulnerability: CVE-2026-3502 is a missing integrity check in the application's update code.
  • Impact: A tampered update can lead to arbitrary code execution on the client.
  • Patch: TrueConf Windows client 8.5.3, released earlier this month, includes a fix.
  • Campaign: The activity was linked to a cluster dubbed TrueChaos.

A technical analysis from Check Point said the flaw allowed an attacker who controlled an on-premises TrueConf server to replace a legitimate update with a malicious one and push it to connected endpoints.
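To show why the update path described above is only as trustworthy as the server that serves it, here is an added Go sketch (not TrueConf's code and not from the Check Point report). It contrasts a client that checks an installer against a hash published by the same server with one that verifies an Ed25519 signature against a vendor public key pinned in the client; the key pair, payload bytes and function names are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Update is what an on-premises server hands to a connected client. If the
// server is attacker-controlled, every field in it is attacker-controlled too.
type Update struct {
	Payload   []byte // installer bytes
	SHA256    string // hash the same server publishes next to the payload
	Signature []byte // vendor signature over Payload (ignored by the weak design)
}

func hexSHA256(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// newUpdate packages an installer the way a vendor build pipeline would:
// hash for convenience, Ed25519 signature made with the vendor's offline key.
func newUpdate(payload []byte, vendorPriv ed25519.PrivateKey) Update {
	return Update{Payload: payload, SHA256: hexSHA256(payload), Signature: ed25519.Sign(vendorPriv, payload)}
}

// tamper models a compromised server: it swaps in a malicious installer and
// republishes a matching hash, but cannot mint a fresh vendor signature.
func tamper(u Update, malicious []byte) Update {
	return Update{Payload: malicious, SHA256: hexSHA256(malicious), Signature: u.Signature}
}

// weakCheck is the flawed pattern: integrity is judged against a hash that the
// server itself supplies, so a server-side swap passes every time.
func weakCheck(u Update) bool { return hexSHA256(u.Payload) == u.SHA256 }

// strongCheck anchors trust in a vendor public key pinned in the client binary;
// the on-premises server never holds the private key, so it cannot forge this.
func strongCheck(vendorPub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(vendorPub, u.Payload, u.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor key pair, constructed for the demo
	good := newUpdate([]byte("genuine installer bytes (constructed)"), priv)
	evil := tamper(good, []byte("rogue installer bytes (constructed)"))
	fmt.Println("weak check accepts tampered update:  ", weakCheck(evil))        // true
	fmt.Println("strong check accepts tampered update:", strongCheck(pub, evil)) // false
	fmt.Println("strong check accepts genuine update: ", strongCheck(pub, good)) // true
}
```

The pinned key is the whole point: a hash, a TLS connection to the on-premises server, or any other value that server controls cannot detect a swap performed on that server.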

The report said the campaign likely used the open-source Havoc command-and-control framework. It said the attacker first used a rogue installer, then DLL side-loading to launch a backdoor.

The DLL implant observed in the attacks carried out reconnaissance, set up persistence and fetched more payloads from an FTP server at 47.237.15[.]197. Another component was used to run a benign binary that loaded the backdoor.

The disclosure said the exact final-stage malware was not fully confirmed, but it assessed with high confidence that the end goal was to deploy a Havoc implant. It also noted infrastructure and tactics associated with Chinese-nexus threat actors, including the use of Alibaba Cloud and Tencent hosting.

TrueConf patched the issue in Windows client version 8.5.3. The same victim was also targeted in the same period by ShadowPad, a backdoor commonly used by China-linked groups.

WHY IT MATTERS

The case shows how a trusted software update path can be turned into a malware delivery channel when validation is weak. Organizations running on-premises collaboration tools may need to check update integrity and apply the latest vendor patch.