Zero-day in TrueConf exploited in attacks targeting Southeast Asia


A suspected Chinese-linked threat actor has been observed exploiting a zero-day vulnerability in the TrueConf client in campaigns targeting government entities in Southeast Asia. The attackers abused TrueConf's own update channel to deliver malware, specifically a payload linked to the Havoc command-and-control framework.

The flaw (CVE-2026-3502) affects the client's update validation mechanism: a client accepts whatever update its on-premises server hands it, so an attacker who controls that server can distribute and execute arbitrary files on every connected system.

TrueConf is widely used by governments, military organizations, and critical infrastructure sectors due to its on-premises deployment model, which keeps communications within local networks. The flaw was fixed with the release of TrueConf Windows client version 8.5.3 in March 2026.

In the observed campaign, dubbed ‘TrueChaos’ by Check Point Research, victims received update prompts through the legitimate client. The malicious update package, built with Inno Setup, appeared to upgrade the software while staging a DLL side-loading attack: it dropped a legitimate executable together with a malicious DLL (7z-x64.dll) that the executable loaded, giving the attackers a foothold for reconnaissance, persistence, and downloading additional payloads.
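
The two indicators the write-up gives a defender to work with are the fixed client version (8.5.3) and the side-loaded DLL name (7z-x64.dll). The following triage helper is an added example, not code from Check Point Research or TrueConf: it flags hosts whose TrueConf Windows client is older than 8.5.3 and any directory where 7z-x64.dll sits next to an executable that could load it. The inventory records, host names, paths and field names are constructed sample data and assumptions, not TrueConf's actual install layout or any real telemetry.

```python
"""
Added example (not from Check Point Research or TrueConf): offline triage of
the two indicators named in the TrueChaos write-up, a TrueConf Windows client
older than the fixed 8.5.3 release and a 7z-x64.dll dropped beside an
executable (the DLL side-loading pattern). All sample data below is constructed.
"""
import ntpath
import re

FIXED_VERSION = (8, 5, 3)    # first TrueConf Windows client release with the fix (per the article)
SIDELOAD_DLL = "7z-x64.dll"  # malicious DLL name reported for the TrueChaos campaign


def parse_version(text):
    """Turn '8.5.2', '8.5.3.1234' or '8.4.9 build 2210' into a tuple of ints.

    Only the leading dotted numeric run is used, so trailing build tags never
    interfere with the comparison. Returns None for unparseable input.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def client_is_vulnerable(version_text):
    """True when the installed client is older than the fixed 8.5.3 build.

    Python compares tuples element-wise, so (8, 5) < (8, 5, 3) and
    (8, 5, 3, 1234) >= (8, 5, 3) both come out as a practitioner expects.
    Unparseable versions are treated as vulnerable so they surface for a
    manual check instead of silently passing.
    """
    version = parse_version(version_text)
    if version is None:
        return True
    return version < FIXED_VERSION


def find_sideload_candidates(file_paths):
    """Report every directory holding the side-loading DLL together with the
    executables in that directory that could load it.

    Paths are handled with ntpath so Windows-style inventory exports can be
    triaged from any OS; name matching is case-insensitive like NTFS.
    """
    by_dir = {}
    for path in file_paths:
        by_dir.setdefault(ntpath.dirname(path), []).append(ntpath.basename(path))

    findings = []
    for directory, names in sorted(by_dir.items()):
        if not any(name.lower() == SIDELOAD_DLL for name in names):
            continue
        hosts = sorted(n for n in names if n.lower().endswith(".exe"))
        findings.append({"directory": directory, "hosts": hosts})
    return findings


# Constructed sample file inventory (not real telemetry); paths are assumptions.
SAMPLE_INVENTORY = [
    r"C:\Users\alice\AppData\Local\Temp\update\update.exe",
    r"C:\Users\alice\AppData\Local\Temp\update\7z-x64.dll",
    r"C:\Program Files\7-Zip\7z.dll",
    r"C:\Program Files\7-Zip\7zFM.exe",
    r"C:\Windows\System32\kernel32.dll",
]

# Constructed host records; the 'trueconf_version' field name is an assumption
# about what an inventory agent would report.
SAMPLE_HOSTS = [
    {"host": "ws-01", "trueconf_version": "8.5.2"},
    {"host": "ws-02", "trueconf_version": "8.5.3"},
    {"host": "ws-03", "trueconf_version": "8.4.9 build 2210"},
    {"host": "ws-04", "trueconf_version": ""},
]


def triage(hosts, file_paths):
    """Return hosts still on a vulnerable client plus the side-loading hits."""
    vulnerable = [h["host"] for h in hosts if client_is_vulnerable(h["trueconf_version"])]
    return {"vulnerable_hosts": vulnerable,
            "sideload_candidates": find_sideload_candidates(file_paths)}


if __name__ == "__main__":
    result = triage(SAMPLE_HOSTS, SAMPLE_INVENTORY)
    for host in result["vulnerable_hosts"]:
        print(f"[!] {host}: TrueConf client older than 8.5.3, update required")
    for hit in result["sideload_candidates"]:
        print(f"[!] {SIDELOAD_DLL} in {hit['directory']} beside {hit['hosts']}")
```

The version check deliberately treats an empty or malformed version string as vulnerable; in a fleet-wide sweep a host that cannot report its client version is exactly the one that deserves a manual look. The DLL check only surfaces the co-located executable as a candidate host process; confirming the side-load still requires inspecting that executable's import table or the process image-load events on the affected host.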

Network analysis revealed communication with attacker-controlled infrastructure running Havoc command-and-control servers, and the researchers also recovered a Havoc Demon sample, suggesting that the attackers attempted to deploy the Havoc implant. Although Havoc is an open-source post-exploitation framework intended for penetration testing and adversary emulation, it has repeatedly been abused by threat actors in real-world attacks, including the Chinese-linked Amaranth Dragon campaigns.

Researchers also observed overlapping activity involving ShadowPad malware, which may point to coordination or shared access among threat actors.
