Compromise one conference server. Every connected endpoint gets malware through a “software update.” That’s Operation TrueChaos.
Check Point found that a Chinese-nexus threat actor exploited CVE-2026-3502 in TrueConf’s video conferencing platform. The flaw is embarrassingly simple: when the TrueConf client checks for updates, there’s no signature verification. No integrity check. Control the server, and you control what every client downloads and runs.
The attackers compromised an on-premises TrueConf server serving dozens of Southeast Asian government agencies. They swapped in a trojanized update that actually did upgrade TrueConf (nice touch) but also dropped a malicious DLL for classic side-loading. From there: Havoc framework, hands-on-keyboard espionage, the whole playbook.
TrueConf serves over 100,000 organizations globally, with heavy adoption in government and military environments. Its on-premises architecture is designed for places that keep comms off the public internet. The irony: those environments assumed internal updates were safe. That assumption was the real vulnerability.
CISA added it to the Known Exploited Vulnerabilities catalog. If you run TrueConf, update to 8.5.3 immediately.
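What the missing check looks like on the client side, as an added example (not TrueConf's code and not from Check Point's report): the updater accepts a package only if a manifest signed by a vendor key pinned in the client covers its digest. The `Manifest` layout, the function names and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor (layout assumed for this example).
type Manifest struct {
	Version uint32
	SHA256  [32]byte // digest of the installer this manifest describes
}

// signedBytes is the fixed encoding the vendor signs: version, then digest.
func (m Manifest) signedBytes() []byte {
	v := m.Version
	return append([]byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)}, m.SHA256[:]...)
}

// VerifyUpdate gates execution: pinned-key signature, package digest, no downgrade.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, pkg []byte, installed uint32) error {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, m.signedBytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if d := sha256.Sum256(pkg); !bytes.Equal(d[:], m.SHA256[:]) {
		return errors.New("package digest mismatch")
	}
	if m.Version <= installed {
		return errors.New("not newer than installed version")
	}
	return nil
}

// Demo runs on constructed data; a throwaway key stands in for the vendor's offline key.
func Demo() (genuine, swappedPkg, swappedBoth error) {
	seed := sha256.Sum256([]byte("constructed demo seed"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey)
	pkg, bad := []byte("constructed installer"), []byte("constructed tampered installer")
	m := Manifest{Version: 2, SHA256: sha256.Sum256(pkg)}
	sig := ed25519.Sign(priv, m.signedBytes())
	forged := Manifest{Version: 2, SHA256: sha256.Sum256(bad)} // server rewrites manifest too
	return VerifyUpdate(pub, m, sig, pkg, 1), VerifyUpdate(pub, m, sig, bad, 1),
		VerifyUpdate(pub, forged, sig, bad, 1)
}

func main() { fmt.Println(Demo()) }
```

The check only holds if the signing key never lives on the update server; a key stored there falls with the server.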
How a missing signature check became a government espionage vector