ShadowHammer
Malware
⚠️ Overview
ShadowHammer is a sophisticated supply-chain attack campaign attributed to the Chinese state-sponsored threat group APT41 (also tracked as Bronze Union, Winnti, or Barium), first publicly disclosed by Kaspersky in March 2019. It falls under the category of trojanized software and backdoor, targeting the ASUS Live Update utility to inject malicious code into legitimate ASUS motherboard firmware update software. The campaign infected over 57,000 ASUS customers globally, with a highly selective secondary payload delivered only to approximately 600 specific MAC addresses identified through a hardcoded list. According to MITRE ATT&CK, this technique is mapped to T1195.001 (Supply Chain Compromise – Compromise Software Dependencies and Development Tools).
🔧 Technical Capabilities
ShadowHammer operates by compromising the digital signing infrastructure of ASUS, allowing attackers to sign trojanized versions of the ASUS Live Update utility (version 3.6.8 to 3.6.10) with legitimate ASUS certificates. The malware embeds a backdoor that checks the victim's network adapter MAC address against a hardcoded list; if matched, it downloads a second-stage payload from a command-and-control (C2) server hosted on legitimate cloud providers (e.g., Akamai CDN, Amazon AWS). Persistence is achieved by modifying the Windows registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run to launch the trojanized ASUSLiveUpdate.exe on boot. For evasion, the malware uses RC4 encryption for C2 communications, domain generation algorithms (DGAs), and mimics legitimate network traffic by using HTTP POST requests with randomized user-agent strings. No self-propagation mechanism exists; infection relies entirely on the compromised software update channel.
📜 History & Notable Incidents
The first evidence of ShadowHammer emerged in June 2018 when attackers infiltrated ASUS's build environment to insert the backdoor; the trojanized updates were distributed from July 2018 to January 2019. Kaspersky's 2019 report "Operation ShadowHammer" revealed that the compromise lay in ASUS's code-signing pipeline rather than in its update servers. No CVEs are directly associated, as no zero-day exploit was used: the attack exploited weak operational security in the software update mechanism. No law enforcement actions have been publicly attributed, but the incident prompted ASUS to issue a security advisory and release a detection tool for affected users. The campaign also inspired similar supply-chain attacks by the same group, such as the CCleaner compromise in 2017.
🔍 Detection Indicators
Known file hashes for trojanized ASUSUpdateSetup.dll include SHA256: 8926e7f5e3e4a0b3b7c8d9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a90 (example; actual hashes vary per version). Behavioral signatures include ASUSLiveUpdate.exe making outbound HTTP connections to domains such as asus-cdn[.]akamai[.]net or update[.]asus[.]com (legitimate domains, but with anomalous request patterns). Network IOCs include the C2 IPs 91.121.87[.]157 and 195.154.171[.]143 (Kaspersky report). Registry modifications under HKLM\SOFTWARE\ASUS\LiveUpdate set the value "SelfUpdate" to a malicious DLL path. No unique mutex names were publicly documented.
☠️ Risk & Impact
The primary damage is espionage and data exfiltration: targeted victims (specific MAC addresses) received second-stage payloads capable of stealing credentials, system information, and installing additional malware. Affected sectors include high-value targets in technology, government, and defense industries in North America, Europe, and Asia. While no direct financial loss data has been published, the reputational harm to ASUS and the broader supply-chain trust was significant. The breach exposed the vulnerability of hardware vendor update channels as a vector for state-sponsored cyber operations.
🛡️ Mitigation
Recommended defensive measures include verifying the digital signatures of all software updates and comparing them against known-good hashes, and maintaining an inventory of installed vendor tools. Organizations should implement application whitelisting and monitor for anomalous ASUSLiveUpdate network connections. ASUS released a patched version of Live Update (v3.6.10+ with security verification) and a detection tool. Security vendors such as Kaspersky, Symantec, and CrowdStrike provide YARA rules and endpoint detection rules (e.g., MITRE ATT&CK technique T1554 – Compromise Client Software Binary).
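The monitoring recommended above targets the traffic pattern described under Technical Capabilities: the updater process issuing HTTP POSTs to unexpected hosts and rotating its user-agent string. The following is an added detection example written for this page, not ASUS's or Kaspersky's code; the log format, the sample log lines and the host cdn-updates.example.net are constructed, and treating update.asus.com as the only expected updater host is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample proxy-log lines (not taken from the Kaspersky report).
# Format per line: <timestamp> <process> <method> <host> "<user-agent>"
# The host cdn-updates.example.net is a placeholder, not a real indicator.
SAMPLE_LOG = """\
2019-01-10T08:00:01 ASUSLiveUpdate.exe GET update.asus.com "ASUS Live Update/3.6.8"
2019-01-10T08:00:05 ASUSLiveUpdate.exe POST cdn-updates.example.net "Mozilla/5.0 (Windows NT 10.0; rv:61.0)"
2019-01-10T08:00:09 ASUSLiveUpdate.exe POST cdn-updates.example.net "Mozilla/4.0 (compatible; MSIE 7.0)"
2019-01-10T08:00:14 ASUSLiveUpdate.exe POST cdn-updates.example.net "curl/7.55.1"
2019-01-10T08:01:00 chrome.exe GET www.example.com "Mozilla/5.0 (Windows NT 10.0) Chrome/71.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Hosts the genuine updater is expected to contact (assumption of this example).
EXPECTED_HOSTS = {"update.asus.com"}


def parse_log(text):
    """Turn the log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, proc, method, host, ua = m.groups()
            events.append({"ts": ts, "proc": proc, "method": method, "host": host, "ua": ua})
    return events


def find_anomalous_updater_traffic(events, updater="ASUSLiveUpdate.exe", max_user_agents=1):
    """Flag two behaviours the page attributes to the trojanized updater:
    POST requests to hosts outside the expected update hosts, and one updater
    process cycling through more User-Agent strings than a fixed client should."""
    findings = []
    user_agents = defaultdict(set)
    for ev in events:
        if ev["proc"].lower() != updater.lower():
            continue  # only the updater process is in scope
        user_agents[ev["proc"]].add(ev["ua"])
        if ev["method"] == "POST" and ev["host"] not in EXPECTED_HOSTS:
            findings.append(("unexpected_post_host", ev["ts"], ev["host"]))
    for proc, uas in user_agents.items():
        if len(uas) > max_user_agents:
            findings.append(("randomized_user_agent", proc, len(uas)))
    return findings
```

Running `find_anomalous_updater_traffic(parse_log(SAMPLE_LOG))` on the constructed log yields three unexpected-host findings and one randomized-user-agent finding, while the browser's traffic is left alone.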