Chinese hackers have exploited a zero-day vulnerability in the TrueConf video conferencing software in attacks against government entities in Asia, Check Point reports.
The exploited bug, tracked as CVE-2026-3502 (CVSS score of 7.8), exists because the application does not properly verify updates before applying them.
This results in the execution of malicious code if an attacker could tamper with the update code, and this is the mechanism that was exploited in the observed attack, Check Point says.
TrueConf can be deployed on premises within a private local network, without access to the internet, and is typically used by government, military, and critical infrastructure entities for communication autonomy and privacy.
“By hosting the server on internal hardware, all audio, video, and chat traffic remains strictly contained on-site, with offline activation available for fully air-gapped systems,” Check Point explains.
The TrueConf client’s update flow relies on the connected on-premises server to fetch and install newer versions, but does not perform the necessary integrity and authenticity checks before running the installer.
“TrueConf client update starts when the client detects a version mismatch in favor of the TrueConf on-premises server, the client alerts the user that a newer version is available and offers to download it,” Check Point notes.
As part of the observed attack, which CheckPoint named TrueChaos, the hackers compromised the on-premises TrueConf server, replaced the update package with a malicious one, and then likely sent a link to the target to launch the TrueConf client and trigger the update flow.
“The compromised TrueConf on-premises server was operated by the governmental IT department and served as a video conferencing platform for dozens of government entities across the country, which were all supplied with the same malicious update,” Check Point notes.
Alongside legitimate TrueConf installation components, the modified update package dropped a malicious library and a legitimate executable abused for DLL sideloading to execute the library.
The implant allowed the attackers to perform reconnaissance, prepare for lateral movement, achieve persistence, and fetch additional payloads.
While it did not retrieve the final payload, Check Point observed network communication to an IP used as command-and-control (C&C) infrastructure for Havoc, an open source post-exploitation framework. The cybersecurity firm believes a Chinese threat actor was responsible for the intrusion.
“The exploitation of CVE-2026-3502 did not require the attacker to compromise each endpoint individually. Instead, the attacker abused the trusted relationship between a central on-premises TrueConf server and its clients,” Check Point notes.
TrueConf fixed the zero-day in version 8.5.3 of the client, released in March. On Thursday, the US cybersecurity agency CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it by April 16.
Related: Critical ShareFile Flaws Lead to Unauthenticated RCE
Related: React2Shell Exploited in Large-Scale Credential Harvesting Campaign
Related: Cisco Patches Critical and High-Severity Vulnerabilities
Related: Google Addresses Vertex Security Issues After Researchers Weaponize AI Agents
Facts Only
Chinese hackers exploited a zero-day vulnerability (CVE-2026-3502) in TrueConf video conferencing software.
The vulnerability, with a CVSS score of 7.8, allows malicious code execution during software updates.
The attack, named "TrueChaos," targeted government entities in Asia.
Hackers compromised an on-premises TrueConf server operated by a governmental IT department.
The server distributed malicious updates to dozens of government entities.
The malicious update included a legitimate TrueConf executable and a malicious library for DLL sideloading.
The implant enabled reconnaissance, lateral movement, persistence, and additional payload retrieval.
Check Point linked the attack to a Chinese threat actor and observed C&C communication with Havoc infrastructure.
TrueConf released a patch in version 8.5.3 in March.
CISA added the vulnerability to its KEV catalog, requiring federal agencies to patch by April 16.
TrueConf is used by government, military, and critical infrastructure entities for secure communication.
The software can operate in air-gapped environments, with updates managed via internal servers.
Executive Summary
Chinese hackers exploited a zero-day vulnerability (CVE-2026-3502) in TrueConf video conferencing software to target government entities in Asia. The flaw, which allows malicious code execution during updates, was used in an attack dubbed "TrueChaos." The hackers compromised an on-premises TrueConf server operated by a governmental IT department, replacing legitimate updates with malicious ones. This server served dozens of government entities, all of which received the tainted update. The attack involved dropping a malicious library alongside legitimate TrueConf components, enabling reconnaissance, lateral movement, and persistence. Check Point linked the intrusion to a Chinese threat actor, noting communication with a C&C server associated with the Havoc post-exploitation framework. TrueConf patched the vulnerability in version 8.5.3, released in March, and CISA added it to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch by April 16.
The attack highlights risks in on-premises software deployment, where trust in internal servers can be exploited. While the final payload was not retrieved, the campaign demonstrates sophisticated tactics targeting high-value government and critical infrastructure sectors. The incident underscores the broader trend of supply chain attacks leveraging trusted update mechanisms.
Full Take
The strongest version of this narrative is that it exposes a critical vulnerability in trusted on-premises software, where the very mechanisms designed for security—internal servers and air-gapped systems—were weaponized against users. The attack demonstrates how threat actors exploit implicit trust in update processes, bypassing traditional perimeter defenses. The involvement of a Chinese threat actor, while plausible given historical patterns, remains an attribution that requires scrutiny, as such claims often serve geopolitical narratives. The technical details provided by Check Point are robust, but the absence of the final payload leaves room for speculation about the attackers' ultimate objectives.
Patterns detected: ARC-0024 Ambiguity (incomplete disclosure of final payload), ARC-0043 Motte-and-Bailey (broad claim of "Chinese hackers" without definitive evidence).
Root cause: The paradigm here is the tension between autonomy and vulnerability in closed systems. On-premises deployments are favored for privacy and control, yet they create single points of failure when compromised. The assumption that internal servers are inherently trustworthy is the Achilles' heel exploited in this attack. Historically, this echoes supply chain attacks like SolarWinds, where trusted vendors became vectors for intrusion.
Implications: For human agency, this underscores the fragility of digital sovereignty. Governments and critical infrastructure entities face a dilemma: rely on external vendors with potential backdoors or maintain internal systems that, if breached, offer attackers a master key. The costs are borne by end-users who assume their communications are secure, while the benefits accrue to attackers who exploit systemic trust.
Bridge questions: How might this attack reshape trust in on-premises solutions? What alternative update mechanisms could mitigate such risks without sacrificing autonomy? Would the attribution to China hold up under independent scrutiny, or is it a strategic framing?
Counterstrike scan: A coordinated influence campaign would amplify fears of Chinese cyber dominance, using this incident to justify broader surveillance or offensive cyber measures. The actual content, however, focuses on technical details and mitigation, avoiding overt geopolitical framing. No structural alignment with a hypothetical attack playbook is detected.
Sentinel — Human
The article appears to be likely human-written based on stylistic variations, idiosyncratic emphasis, and specific attribution.
