TrueConf Zero-Day Exploited in Asian Government Attacks

Summary

A Chinese threat actor exploited CVE-2026-3502, a zero-day in TrueConf video conferencing software, by compromising an on-premises server and distributing a malicious update package to multiple government entities across Asia. The vulnerability exists because TrueConf clients do not verify update integrity before execution, allowing attackers to achieve reconnaissance, lateral movement, and persistence. TrueConf patched the issue in version 8.5.3, and CISA added it to the Known Exploited Vulnerabilities catalog.

Full text

Chinese hackers have exploited a zero-day vulnerability in the TrueConf video conferencing software in attacks against government entities in Asia, Check Point reports. The exploited bug, tracked as CVE-2026-3502 (CVSS score of 7.8), exists because the application does not properly verify updates before applying them. This results in the execution of malicious code if an attacker could tamper with the update code, and this is the mechanism that was exploited in the observed attack, Check Point says. TrueConf can be deployed on premises within a private local network, without access to the internet, and is typically used by government, military, and critical infrastructure entities for communication autonomy and privacy. “By hosting the server on internal hardware, all audio, video, and chat traffic remains strictly contained on-site, with offline activation available for fully air-gapped systems,” Check Point explains. The TrueConf client’s update flow relies on the connected on-premises server to fetch and install newer versions, but does not perform the necessary integrity and authenticity checks before running the installer.Advertisement. Scroll to continue reading. “TrueConf client update starts when the client detects a version mismatch in favor of the TrueConf on-premises server, the client alerts the user that a newer version is available and offers to download it,” Check Point notes. As part of the observed attack, which CheckPoint named TrueChaos, the hackers compromised the on-premises TrueConf server, replaced the update package with a malicious one, and then likely sent a link to the target to launch the TrueConf client and trigger the update flow. “The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update,” Check Point notes. Alongside legitimate TrueConf installation components, the modified update package dropped a malicious library and a legitimate executable abused for DLL sideloading to execute the library. The implant allowed the attackers to perform reconnaissance, prepare for lateral movement, achieve persistence, and fetch additional payloads. While it did not retrieve the final payload, Check Point observed network communication to an IP used as command-and-control (C&C) infrastructure for Havoc, an open source post-exploitation framework. The cybersecurity firm believes a Chinese threat actor was responsible for the intrusion. “The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually. Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients,” Check Point notes. TrueConf fixed the zero-day in version 8.5.3 of the client, released in March. On Thursday, the US cybersecurity agency CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by April 16. Related: Critical ShareFile Flaws Lead to Unauthenticated RCE Related: React2Shell Exploited in Large-Scale Credential Harvesting Campaign Related: Cisco Patches Critical and High-Severity Vulnerabilities Related: Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Cisco Patches Critical and High-Severity Vulnerabilities250,000 Affected by Data Breach at Nacogdoches Memorial HospitalMercor Hit by LiteLLM Supply Chain AttackSophisticated CrystalX RAT EmergesLinx Security Raises $50 Million for Identity Security and GovernanceDepthfirst Raises $80 Million in Series B FundingNew DeepLoad Malware Dropped in ClickFix AttacksUS Charges Uranium Crypto Exchange Hacker Latest News In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by RansomwareCritical ShareFile Flaws Lead to Unauthenticated RCEMobile Attack Surface Expands as Enterprises Lose ControlReact2Shell Exploited in Large-Scale Credential Harvesting CampaignT-Mobile Sets the Record Straight on Latest Data Breach FilingNorth Korean Hackers Drain $285 Million From Drift in 10 SecondsCritical Vulnerability in Claude Code Emerges Days After Source LeakApple Rolls Out DarkSword Exploit Protection to More Devices Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveScott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea.Kai has named Nick Degnan as Chief Revenue Officer.Joe Sullivan has been appointed Strategic Advisor at cloud security firm Upwind.More People On The MoveExpert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-3502
• malware — Havoc

Entities