**Zero-Day Vulnerability Exploited: Government Networks Targeted with Malware**
In a disturbing revelation, Check Point researchers have uncovered a sophisticated attack campaign that leveraged a zero-day vulnerability in the TrueConf videoconferencing platform to distribute malware within government networks in Southeast Asia. The attackers, suspected to be linked to a Chinese-nexus threat actor, exploited the vulnerability (CVE-2026-3502) to compromise software already deployed inside government environments, highlighting the importance of robust cybersecurity measures.
The malicious campaign, dubbed "Operation TrueChaos," relied on a clever manipulation of the trusted update mechanism within the TrueConf client application. The attackers gained control of the TrueConf servers in some government entities and replaced the update packages with malicious files. When victims interacted with the compromised updates, their clients retrieved the weaponized payloads, which were then used to deploy the Havoc open-source post-exploitation framework.
**The Anatomy of the Attack**
TrueConf is a videoconferencing platform designed for private local networks (LANs) without internet access, making it an attractive target for nation-state threat actors. The solution has been deployed in government departments, defense institutions, and critical infrastructure operators, who rely on its secure communication features.
Researchers found, however, that the attackers exploited CVE-2026-3502: the TrueConf client application downloads updates from a centralized server and installs them without verifying their integrity. Because the client never checks the package it receives, an attacker who controls that server can replace a legitimate update package with a malicious one, and clients retrieve and install the compromised payload through the normal update process.
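The flaw described above is the absence of any integrity check on the package the client pulls from the update server. The Go program below is an added illustration, not code from Check Point or TrueConf: it places the unverified behaviour the page describes beside a hardened updater that accepts a package only if a detached Ed25519 signature verifies against a vendor public key pinned in the client. The package layout, the `installVerified`/`signPackage` names and the use of Ed25519 are assumptions of this example, not details of the real client; the installer bytes are constructed. `Scenario()` replays the attack once against each updater: the attacker swaps the file on the server, first keeping the vendor's signature and then re-signing with a key of their own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is what a client fetches from the on-premises update server:
// installer bytes plus a detached vendor signature. Field names are assumptions.
type UpdatePackage struct {
	Installer []byte
	Signature []byte // ed25519 signature over SHA-256(Installer)
}

// installUnverified models the flaw: the client trusts whatever the server returns,
// so a package swapped on a compromised server installs like a genuine one.
func installUnverified(pkg UpdatePackage) ([]byte, error) {
	return pkg.Installer, nil
}

// installVerified accepts a package only if its signature verifies against a public
// key pinned in the client at build time; the update server itself is untrusted.
func installVerified(pkg UpdatePackage, vendorPub ed25519.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(pkg.Installer)
	if !ed25519.Verify(vendorPub, digest[:], pkg.Signature) {
		return nil, errors.New("update rejected: signature does not verify against pinned vendor key")
	}
	return pkg.Installer, nil
}

// signPackage is the vendor-side build step that produces the detached signature.
func signPackage(priv ed25519.PrivateKey, installer []byte) UpdatePackage {
	digest := sha256.Sum256(installer)
	return UpdatePackage{Installer: installer, Signature: ed25519.Sign(priv, digest[:])}
}

// Outcome records how each updater treats the genuine and the swapped packages.
type Outcome struct {
	UnverifiedAcceptsTampered bool
	VerifiedAcceptsGenuine    bool
	VerifiedAcceptsTampered   bool
	VerifiedAcceptsResigned   bool
}

// Scenario replays the attack against both updaters with constructed data.
func Scenario() Outcome {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := signPackage(vendorPriv, []byte("constructed: genuine installer bytes"))

	// (a) the file on the server is replaced but the vendor signature is left in place
	tampered := UpdatePackage{
		Installer: []byte("constructed: installer with added payload"),
		Signature: genuine.Signature,
	}
	// (b) the swapped file is signed with a key the client does not pin
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	resigned := signPackage(otherPriv, tampered.Installer)

	var o Outcome
	_, err = installUnverified(tampered)
	o.UnverifiedAcceptsTampered = err == nil
	_, err = installVerified(genuine, vendorPub)
	o.VerifiedAcceptsGenuine = err == nil
	_, err = installVerified(tampered, vendorPub)
	o.VerifiedAcceptsTampered = err == nil
	_, err = installVerified(resigned, vendorPub)
	o.VerifiedAcceptsResigned = err == nil
	return o
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The point of pinning the key in the client rather than fetching it from the update server is that a compromised server then gains nothing by re-signing: the only key that passes `installVerified` is the one the attacker never had.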
"The infections began when the TrueConf client application launched, probably by a link sent to the target from the attacker," Check Point researchers explained. "Prior to the victim's interaction, the attacker had already replaced the update package on the TrueConf on-premises server with a weaponized version, ensuring that the client retrieved a malicious file through the normal update process."
**The Malware Delivered via Updates**
In observed cases, attackers used the update channel to deliver malicious payloads, which were then used to deploy the Havoc open-source post-exploitation framework. Once installed, Havoc gave the attackers reconnaissance, persistence, and communication with their command-and-control infrastructure.
Researchers believe that Operation TrueChaos is linked to a Chinese-nexus threat actor, based on overlaps in tactics, infrastructure, and targeting. However, they emphasize that the attribution is not definitive and requires further investigation.
**The Patching of CVE-2026-3502**
TrueConf has since patched the vulnerability in its Windows client version 8.5.3, released in March 2026. Organizations running earlier versions remain exposed to this critical vulnerability, highlighting the importance of keeping software up-to-date with the latest security patches.
**Recommendations for Affected Organizations**
Researchers advise organizations running TrueConf on their networks to review systems for signs of compromise by focusing on suspicious update behavior and related artifacts. This includes:
* Monitoring system logs for unusual activity
* Analyzing file integrity monitoring (FIM) data for changes in configuration or deployment
* Reviewing network traffic for communication with unknown command-and-control infrastructure
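The first two recommendations, log review and file integrity monitoring, both come down to asking whether the package clients are being served still matches what was last known to be good. The Go program below is an added example written for this article, not a Check Point or TrueConf tool, and it runs over constructed data only: `CompareUpdateShare` diffs the files on an update share against a SHA-256 baseline (the FIM step), and `ScanUpdateLog` reads key=value update-server log lines and flags any download whose served hash is not the baseline hash for that package. The file names, the log format, the field names (`action`, `pkg`, `sha256`, `client`, `ts`) and the timestamps are all assumptions of the example; TrueConf's real log format is not on the page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Finding is one anomaly raised by either check.
type Finding struct {
	Kind   string // "modified", "unexpected", "missing" or "unknown-hash-in-log"
	Detail string
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// short truncates a hex digest for display without panicking on short input.
func short(h string) string {
	if len(h) > 12 {
		return h[:12]
	}
	return h
}

// CompareUpdateShare is the FIM step: hash every file currently on the update share
// and diff it against the SHA-256 baseline recorded when the share was last known-good.
func CompareUpdateShare(baseline map[string]string, current map[string][]byte) []Finding {
	var out []Finding
	for name, want := range baseline {
		data, ok := current[name]
		if !ok {
			out = append(out, Finding{"missing", name})
		} else if got := sha256Hex(data); got != want {
			out = append(out, Finding{"modified", fmt.Sprintf("%s baseline=%s now=%s", name, short(want), short(got))})
		}
	}
	for name := range current {
		if _, ok := baseline[name]; !ok {
			out = append(out, Finding{"unexpected", name})
		}
	}
	// map iteration order is random; sort so results are stable
	sort.Slice(out, func(i, j int) bool { return out[i].Kind+out[i].Detail < out[j].Kind+out[j].Detail })
	return out
}

// ScanUpdateLog parses constructed key=value log lines and flags any update download
// whose served hash differs from the baseline hash for that package name.
func ScanUpdateLog(baseline map[string]string, lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		f := map[string]string{}
		for _, kv := range strings.Fields(line) {
			if k, v, ok := strings.Cut(kv, "="); ok {
				f[k] = v
			}
		}
		if f["action"] != "update_download" {
			continue
		}
		if want, known := baseline[f["pkg"]]; !known || want != f["sha256"] {
			out = append(out, Finding{"unknown-hash-in-log",
				fmt.Sprintf("%s served hash %s to %s at %s", f["pkg"], short(f["sha256"]), f["client"], f["ts"])})
		}
	}
	return out
}

// RunSample runs both checks over constructed data: a baseline taken from genuine
// files, a share where the installer was swapped and a DLL appeared, and two log lines.
func RunSample() (fim []Finding, logHits []Finding) {
	genuineExe := []byte("constructed: genuine client installer")
	genuineXML := []byte("constructed: genuine update manifest")
	baseline := map[string]string{
		"client-installer.exe": sha256Hex(genuineExe),
		"update.xml":           sha256Hex(genuineXML),
	}
	current := map[string][]byte{
		"client-installer.exe": []byte("constructed: swapped installer"),
		"update.xml":           genuineXML,
		"helper.dll":           []byte("constructed: file not in baseline"),
	}
	lines := []string{
		"ts=2026-01-01T08:11:05Z action=update_download client=ws-07 pkg=client-installer.exe sha256=" + baseline["client-installer.exe"],
		"ts=2026-01-01T08:14:41Z action=update_download client=ws-12 pkg=client-installer.exe sha256=" + sha256Hex(current["client-installer.exe"]),
	}
	return CompareUpdateShare(baseline, current), ScanUpdateLog(baseline, lines)
}

func main() {
	fim, logHits := RunSample()
	for _, f := range append(fim, logHits...) {
		fmt.Printf("%-20s %s\n", f.Kind, f.Detail)
	}
}
```

The log check is what turns a FIM hit into an incident scope: the share diff says the installer was replaced, the log scan says which clients (here `ws-12`) actually pulled the replaced file and when, which is the list to triage for the third recommendation, unexpected outbound command-and-control traffic.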
By taking these steps, organizations can mitigate the risk of malware distribution via compromised updates and maintain a robust cybersecurity posture.
The discovery of Operation TrueChaos serves as a stark reminder of the importance of cybersecurity measures in protecting sensitive government networks. As nation-state threat actors continue to evolve their tactics, it is essential for organizations to stay vigilant and adapt their security strategies to address emerging vulnerabilities.