A Chinese threat actor exploited a zero-day in TrueConf's update mechanism (CVE-2026-3502) to distribute a malicious update from a compromised on-premises server in attacks against government entities in Asia. The trojanized installer used DLL sideloading to deploy an implant for reconnaissance, persistence and C2 communications. TrueConf released version 8.5.3 to fix the flaw, and CISA added the bug to its KEV catalog. #TrueConf #Havoc
Keypoints
- Attackers exploited CVE-2026-3502 in TrueConf's update flow to execute malicious code.
- A compromised on-premises TrueConf server pushed a tampered update to dozens of government clients.
- The malicious package used DLL sideloading to install an implant enabling reconnaissance, lateral movement, and persistence.
- Check Point observed C2 traffic associated with the Havoc framework and attributed the campaign to a Chinese threat actor.
- TrueConf patched the flaw in client version 8.5.3 and CISA added the vulnerability to its KEV catalog with a remediation deadline.
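The sideloading step above is the part defenders can hunt for independently of the patch: a DLL that should resolve from System32 (or that carries no valid signature) being loaded from the application's own directory. The following is an added example, not code from TrueConf, Check Point or the article, that runs that heuristic over image-load events. The event lines are constructed and use a simplified `key=value` rendering of Sysmon Event ID 7 fields; the process and DLL paths, the application name and the list of commonly shadowed system DLLs are hypothetical and do not describe actual TrueConf components.

```python
"""Flag candidate DLL sideloading from Sysmon-style ImageLoad events.

Added example, not code from TrueConf, Check Point or SecurityWeek.
The sample events below are constructed; paths and names are hypothetical.
"""
import ntpath
from dataclasses import dataclass

# Constructed events: a simplified key=value form of Sysmon Event ID 7 fields.
SAMPLE_EVENTS = [
    # Normal: version.dll resolved from System32, signed by Microsoft.
    "EventID=7|Image=C:\\Program Files\\ExampleApp\\app.exe"
    "|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true|Signature=Microsoft Windows",
    # Sideload: an unsigned version.dll sitting next to the executable shadows the system copy.
    "EventID=7|Image=C:\\Program Files\\ExampleApp\\app.exe"
    "|ImageLoaded=C:\\Program Files\\ExampleApp\\version.dll|Signed=false|Signature=",
    # Normal: the vendor's own signed DLL in the application directory.
    "EventID=7|Image=C:\\Program Files\\ExampleApp\\app.exe"
    "|ImageLoaded=C:\\Program Files\\ExampleApp\\appcore.dll|Signed=true|Signature=Example Vendor Ltd",
    # Sideload from a dropped installer: signed, but a system DLL name in the installer's folder.
    "EventID=7|Image=C:\\Users\\u\\AppData\\Local\\Temp\\update\\setup.exe"
    "|ImageLoaded=C:\\Users\\u\\AppData\\Local\\Temp\\update\\wtsapi32.dll|Signed=true|Signature=Some Other Signer",
]

# DLL names that normally live in %SystemRoot%\System32. A copy beside the EXE is
# the classic sideload. Hypothetical list, not tied to any specific incident.
SYSTEM_DLLS = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "userenv.dll"}


@dataclass
class Finding:
    process: str
    dll: str
    reason: str


def parse_event(line):
    """Split 'k=v|k=v' into a dict; values may contain '=' so split on the first only."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def same_dir(path_a, path_b):
    """Case-insensitive comparison of the directories of two Windows paths."""
    return ntpath.dirname(path_a).lower() == ntpath.dirname(path_b).lower()


def detect(events):
    """Return Findings for DLLs loaded from the loading process's own directory
    that either shadow a System32 DLL name or carry no signature."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        exe, dll = ev["Image"], ev["ImageLoaded"]
        if not same_dir(exe, dll):
            continue  # loaded from elsewhere (e.g. System32): not sideloading by this definition
        name = ntpath.basename(dll).lower()
        signed = ev.get("Signed", "").lower() == "true"
        if name in SYSTEM_DLLS:
            findings.append(Finding(exe, dll, "system DLL name shadowed from application directory"))
        elif not signed:
            findings.append(Finding(exe, dll, "unsigned DLL loaded from application directory"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.process} loaded {f.dll}: {f.reason}")
```

The shadowed-name check fires even when the DLL is signed, because a trojanized package can ship a validly signed DLL from an unrelated publisher; in production, compare the DLL's signer against the executable's signer rather than trusting `Signed=true` alone, and pair the rule with a version check that the installed client is at or above 8.5.3.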
Read More: https://www.securityweek.com/trueconf-zero-day-exploited-in-asian-government-attacks/