Proprietary · 2018-06-01 · 153 days · Backdoor, Remote Access

ASUS Live Update delivered targeted backdoors

Attackers compromised ASUS Live Update servers and signed trojanized utility builds with stolen digital certificates.

Story

ShadowHammer used the ordinary ASUS update path. Trojanized Live Update installers were signed as ASUS software and hosted on official ASUS update servers, which made them look like routine maintenance to users and endpoint controls.

The malware was broad in delivery and narrow in intent. Kaspersky saw more than 57,000 users install backdoored updates in its own telemetry and estimated the real count could be much larger. The code then checked hardcoded network-adapter MAC addresses to select a smaller set of intended targets.

That design kept the noisy part in the supply chain and the costly part in the second stage. Most infected systems carried a signed backdoor that did little. Systems matching the target list could receive follow-on action.

ASUS acknowledged the incident after notification and issued updated tooling. The case remains a clean example of targeted espionage hidden inside mass distribution: official server, valid signature, malicious installer, selective activation.

Affected Artifacts

ASUS Live Update

asus.com · Binary Archive
Observed
2018-06-01 to 2018-11-01
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha256:0f49621b06f2cdaac8850c6e9581a594128d69204c18589921e1fb5b7074da30
  • sha256:5855a5562d9add04ce523bfec4166c4cd252ffc398b18b2856a2faec8b1142e7
  • sha256:72a4bed7e48266794e07c8acc3ac4c8e6a6d0fbe6aa6eb8be3880d32e1874627
Scope
Multiple Live Update utility versions distributed between June and November 2018 were affected.

Incident Context

Motive
Espionage · Highly Targeted
Attribution
State
Cause
Update Server Compromise · Stolen Certificates
Transitive
No
Actor
Nation-state
User Impact
57000

External References

Source record: proprietary/asus/meta.yaml