A serious security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day. The vulnerability, CVE-2026-3502 (CVSS score: 7.8), is a lack of integrity checking when the application fetches update code. The TrueChaos campaign has been found to use this flaw, likely to deliver the open-source Havoc command-and-control (C2) framework to vulnerable endpoints.

There is a fair amount of evidence that a Chinese-nexus threat actor is behind the activity. The flaw has been fixed starting with version 8.5.3 of the TrueConf Windows client, which came out earlier this month. The client trusts the update mechanism, and that trust is being abused to push a malicious installer that uses DLL side-loading to launch a DLL backdoor.

The DLL implant has also been seen carrying out hands-on-keyboard activity such as reconnaissance, setting up persistence, and retrieving more payloads from an FTP server ("47.237.15[.]197"). It is not clear what final-stage malware the attack delivers, but it is very likely that the goal is to install the Havoc implant.

ShadowPad, a complex backdoor that is often used by Chinese hacking groups, was also deployed against the same victim in the same time frame. In 2025, Havoc was linked to another Chinese threat actor called Amaranth-Dragon in attacks on government and law enforcement agencies in Southeast Asia.