CHECK Point Research has identified a zero-day vulnerability in the TrueConf client, tracked as CVE-2026-3502 with a CVSS score of 7.8, rooted in the updater validation mechanism. The flaw allows an attacker who controls an on-premises TrueConf server to distribute and execute arbitrary files across all connected endpoints, and was exploited in-the-wild in a targeted campaign dubbed “TrueChaos” against Southeast Asian government targets, delivering the Havoc payload.
Based on observed TTPs and victimology, the activity is assessed with moderate confidence as associated with a Chinese-nexus threat actor, with overlaps noted to ShadowPad within the same time frame. TrueConf responded by releasing a fix in version 8.5.3, with the current desktop app being 8.5.2 prior to that March 2026 update.
In-the-wild activity involved replacing a legitimate update package via the trusted on-premises server to push a weaponised update, employing DLL side-loading through a malicious 7z-x64[.]dll and related components. The operation underscores how abuse of legitimate update channels can enable multi‑endpoint compromises across government networks.