
'By replacing a legitimate update with a malicious one, they turned the product’s update flow into a malware distribution channel': Experts find flaw in TrueConf video conferencing tool used by governments, military | TechRadar


Sophisticated supply chain attack exploited TrueConf update process

Vulnerability patched with new TrueConf version 8.5.3

Southeast Asian governments were recently targeted by a highly sophisticated supply chain attack as part of a wider cyber-espionage campaign, which experts believe is the work of the Chinese government.

Security researchers at Check Point detailed their findings on Operation TrueChaos, a campaign revolving around a zero-day vulnerability in TrueConf, a video conferencing and collaboration platform which runs either in the cloud or on a company’s own servers.

It works through a client-server model, often inside a private local network, allowing organizations to host meetings, messaging, and file sharing without relying on the public internet.


TrueConf is mostly used by governments, defense, and large enterprises that require strict data control and privacy, as its key differentiator is its on-premises, self-hosted architecture, which keeps all communications internal and secure, combined with scalable video technology that adapts streams to each user’s device and bandwidth.

However, TrueConf's unique selling proposition was also its weakest point in this attack.

When users run the client, it connects to the local server and checks for updates, and if it sees a mismatch between its version and the server’s version, it can initiate an update.

The problem stemmed from the fact that this update was done without sufficient checks, allowing threat actors to push arbitrary code via a legitimate update process.

This bug is now tracked as CVE-2026-3502 and was given a severity score of 7.8/10 (high). “If the payload is executed or installed by the updater, this may result in arbitrary code execution in the context of the updating process or user,” the NVD explained.
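
One way to implement the kind of check the update flow lacked, as an added example that is not TrueConf's or Check Point's code: the client accepts an installer from the on-premises server only if a manifest signed by a pinned vendor key covers its digest. The `Manifest` layout, the function names and the use of Ed25519 are assumptions, and all sample data is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical release record the vendor signs offline.
type Manifest struct {
	Version string
	Digest  [32]byte // SHA-256 of the installer
}

// signedBytes is the exact byte string covered by the vendor signature.
func (m Manifest) signedBytes() []byte {
	return append([]byte(m.Version+"\x00"), m.Digest[:]...)
}

var ErrSignature = errors.New("manifest not signed by pinned vendor key")
var ErrDigest = errors.New("installer does not match signed digest")

// VerifyUpdate runs on the client before anything from the server is executed.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pinned, m.signedBytes(), sig) {
		return ErrSignature
	}
	if sha256.Sum256(installer) != m.Digest {
		return ErrDigest
	}
	return nil
}

// Scenarios builds constructed sample data and returns the three outcomes.
func Scenarios() (legit, swapped, resigned error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil)
	_, serverPriv, _ := ed25519.GenerateKey(nil) // key held by the on-prem server
	good, evil := []byte("constructed installer 8.5.3"), []byte("constructed replaced installer")
	m := Manifest{"8.5.3", sha256.Sum256(good)}
	sig := ed25519.Sign(vendorPriv, m.signedBytes())
	legit = VerifyUpdate(vendorPub, m, sig, good)
	swapped = VerifyUpdate(vendorPub, m, sig, evil) // file replaced, manifest kept
	m2 := Manifest{"8.5.3", sha256.Sum256(evil)}    // manifest rewritten too
	resigned = VerifyUpdate(vendorPub, m2, ed25519.Sign(serverPriv, m2.signedBytes()), evil)
	return
}

func main() { fmt.Println(Scenarios()) }
```

Because the trust anchor is the vendor key shipped with the client rather than the local server, a server that is under someone else's control can offer a file but cannot make the client accept it.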

This still leaves the question of compromising the local server. In its report, Check Point does not discuss this process, so we don’t know how it happened, and what malware was used to attack this endpoint.

However, threat actors used the access to push Havoc - an open source post-exploitation framework designed for advanced red teaming and adversary simulation. It provides modular capabilities for stealthy command and control (C2) operations, and offers features like in-memory execution, encrypted communication, and different evasion techniques.


Check Point claims TTPs and C2s point to a China-nexus threat actor (Image credit: Shutterstock)

Given the type of malware being deployed in the campaign, as well as the victimology, Check Point concluded that this was an espionage campaign. With the help of Havoc, the crooks were able to perform a “series of hands-on-keyboard actors focused on reconnaissance, environment preparation, persistence, and the retrieval of additional payloads.”

A precise number of victims, as well as the industries they operate in, cannot be determined, Check Point added. This is mostly because many TrueConf instances run locally, on networks that are not connected to the wider internet. Still, the researchers said they saw a “series of targeted attacks against government entities in South Asia”, which suggests multiple incursions.

The tactics, techniques, and procedures, as well as the command-and-control infrastructure, all point to a Chinese-nexus threat actor, CPR concluded, without sharing any names.

TrueConf has since fixed the vulnerability and released a patch. All users running versions 8.5.2 and older are advised to upgrade to version 8.5.3, which was released in March 2026.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
