Zero-Day Vulnerability in TrueConf Exposes Users to Malware via Updates
Sophisticated Cyberattack Campaign Targets Government Networks
Researchers at Check Point have discovered a complex cyberattack campaign aimed at government networks in Southeast Asia, exploiting a previously unknown vulnerability in the TrueConf video conferencing platform.
Attack Details
- The attack exploits a zero-day vulnerability, tracked as CVE-2026-3502, that allows attackers to compromise software already deployed within government environments.
- The TrueConf platform is designed for private local networks (LANs), making it an attractive target for nation-state threat actors seeking to infiltrate sensitive government networks.
When a victim launched the TrueConf client application, it displayed a notification that a newer version was available. The attackers had replaced the legitimate update package on the organization’s on-premises update server with a tampered one, so when the client fetched and installed the "update" it retrieved a weaponized payload that deployed the Havoc open-source post-exploitation framework.
The researchers believe that the Operation TrueChaos campaign is linked to a Chinese-nexus threat actor, citing similarities in tactics, infrastructure, and targeting.
Vulnerable Systems and Mitigation
- Organizations running earlier versions of the TrueConf Windows client remain vulnerable.
- Those running version 8.5.3 or later are protected against this specific vulnerability.
- To mitigate potential threats, researchers recommend reviewing systems for signs of compromise, focusing on suspicious update behavior and related artifacts.
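As an added illustration of the version check implied by the guidance above (this is not code from the Check Point report or from TrueConf), the script below takes a list of client version strings, such as an export from a software-inventory tool, and flags every install older than the fixed version 8.5.3. The comparison is done component by component as integers; a plain string comparison would rank "8.10.1" below "8.5.3" and miss nothing while also falsely flagging patched hosts. The hostnames and versions in the inventory are constructed sample data.

```python
# Added example: flag TrueConf Windows client installs older than the fixed
# version 8.5.3. Not code from the Check Point report or from TrueConf.
from typing import Dict, List, Tuple

FIXED_VERSION = (8, 5, 3)  # per the article: 8.5.3 or later is protected


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.5.3' (or a longer form such as '8.5.3.1234') into a tuple of
    ints so that components compare numerically rather than as strings."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(digits))
    # pad to at least three components so that '8.5' is treated as 8.5.0
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True when the installed major.minor.patch predates the fixed version."""
    return parse_version(version)[:3] < fixed


def audit_inventory(rows: List[Dict[str, str]]) -> List[str]:
    """Return the hostnames whose TrueConf client still needs updating."""
    return [row["host"] for row in rows if is_vulnerable(row["version"])]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "ws-finance-01", "version": "8.5.3"},
    {"host": "ws-finance-02", "version": "8.10.1"},  # string compare would mis-rank this
    {"host": "ws-legal-07", "version": "8.4.9"},
    {"host": "ws-ops-03", "version": "8.5"},
    {"host": "ws-ops-04", "version": "7.9.12"},
]

if __name__ == "__main__":
    for host in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: TrueConf client older than 8.5.3, update required")
```

The numeric comparison is the point: the hosts on 8.5.3 and 8.10.1 are left alone, while 8.4.9, 8.5 and 7.9.12 are reported, which a naive string comparison would get wrong for the 8.10.1 host.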
Law enforcement agencies and cybersecurity professionals should remain vigilant in monitoring these types of attacks, as they pose significant risks to sensitive government networks and critical infrastructure.
