{ "id": "a895a316-667c-494f-9c4d-8ef76e06f3bf", "created_at": "2026-04-06T00:06:34.20532Z", "updated_at": "2026-04-10T03:37:58.803584Z", "deleted_at": null, "sha1_hash": "1a73c07462865c456f07402ea49ec124833ef2b5", "title": "Some ASUS Updates Drop Backdoors on PCs in ‘Operation ShadowHammer’", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48768, "plain_text": "Some ASUS Updates Drop Backdoors on PCs in ‘Operation\r\nShadowHammer’\r\nBy Tara Seals\r\nPublished: 2019-03-25 · Archived: 2026-04-05 23:16:02 UTC\r\nThe attack appears to be associated with a China-backed APT actor.\r\nA supply-chain attack dubbed “Operation ShadowHammer” has been uncovered, targeting users of the ASUS Live\r\nUpdate Utility with a backdoor injection. The China-backed BARIUM APT is suspected to be at the helm of the\r\nproject.\r\nAccording to Kaspersky Lab, the campaign ran from June to at least November 2018 and may have impacted\r\nmore than a million users worldwide – though the adversaries appear to have been after specific victims in Asia.\r\nThe threat surface is not small: The ASUS Live Update Utility is a pre-installed utility in most new ASUS\r\ncomputers, for automatic BIOS, UEFI, drivers and applications updates. Popular among gamers, ASUS ranks fifth\r\nin the laptop market, with a market share of 7.4 percent as of August 2018, according to TrendForce. With an\r\nestimated 41.08 million laptops shipped in that quarter, it means ASUS sold around 3 million of them for that time\r\nperiod. Gartner meanwhile pegged ASUS’ overall PC sales, including desktops and notebooks, to be just over 4\r\nmillion in the third quarter of 2018 (translating into a 6 percent overall PC market share).\r\nTo compromise the utility, Kaspersky Lab determined that the cyberattackers used stolen digital certificates used\r\nby ASUS to sign legitimate binaries, and altered older versions of ASUS software to inject their own malicious\r\ncode. Trojanized versions of the utility were then signed with legitimate certificates and were hosted on and\r\ndistributed from official ASUS update servers – which made them mostly invisible to the vast majority of\r\nprotection solutions, according to Kaspersky Lab.\r\nWhile this means that potentially every user of the affected software could have become a victim, researchers said\r\nthat, true to their APT nature, the attackers were interested in a specific subset of users. About 600 hard-coded\r\nMAC addresses were found in the backdoor code (MAC addresses uniquely identify a network adaptor that\r\nconnects a computer to a network); if the victim’s machine didn’t match up with one of the specified MAC\r\naddresses, the malware went dormant. If it did, the malware downloaded the next payload.\r\nIn all, there were about 230 different backdoored samples seen by researchers taking aim at those Mac addresses.\r\n“The modular approach and extra precautions taken when executing code, to prevent accidental code or data\r\nleakage, indicates that it was very important for the actors behind this sophisticated attack to remain undetected,\r\nwhile hitting some very specific targets with surgical precision,” researchers said in a posting on Monday. “Deep\r\nhttps://threatpost.com/asus-pc-backdoors-shadowhammer/143129/\r\nPage 1 of 2\n\ntechnical analysis shows that the arsenal of the attackers is very advanced and reflects a very high level of\r\ndevelopment within the group.”\r\nIt should be noted that the backdoors dropped on other ASUS users’ PCs presumably remain there, even if they\r\nweren’t “activated” by matching one of the MAC addresses. It’s unclear whether there’s the potential for further\r\nattacks on this group.\r\n“The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their\r\nvast customer base,” said Vitaly Kamluk, director of Global Research and Analysis Team, APAC, at Kaspersky\r\nLab. “It is not yet very clear what the ultimate goal of the attackers was, and we are still researching who was\r\nbehind the attack.”\r\nThat said, the “fingerprints” left on the samples by the attackers – including techniques used to achieve\r\nunauthorized code execution – suggest that the BARIUM APT is behind the effort, according to the researchers.\r\nBARIUM, a Chinese state player that also goes by APT17, Axiom and Deputy Dog, was previously linked to the\r\nShadowPad and CCleaner incidents, which were also supply-chain attacks. that used software updates to sneak\r\nonto machines.\r\nIn the 2017 ShadowPad attack, the update mechanism for Korean server management software provider\r\nNetSarang was compromised to serve up an eponymous backdoor. NetSarang, which has headquarters in South\r\nKorea and the United States, removed the backdoored update, but not before it was activated on at least one\r\nvictim’s machine in Hong Kong.\r\nIn the next incident, also in 2017, software updates for the legitimate computer cleanup tool CCleaner was found\r\nto have been compromised by hackers to taint them with the same ShadowPad backdoor. The incident exposed\r\nmillions of computers but, like ShadowHammer, out of 1.65 million malware installs, only a few, about 40, were\r\nof interest to the attackers. From there, 11 companies were ultimately infiltrated. Once the backdoor is activated\r\non a targeted machine, various keyloggers and other data-gathering payloads were then fetched from command-and-control.\r\nASUS is also not alone in being used as a conduit for attacks; Kaspersky Lab researchers said that the search for\r\nsimilar malware has revealed software from three other vendors in Asia have all been backdoored with very\r\nsimilar methods and techniques.\r\nKaspersky Lab said that it has reported the issue to ASUS and other vendors but has not received a response.\r\nThreatpost has also reached out to the PC-maker and will update this post with any comments or responses.\r\nSource: https://threatpost.com/asus-pc-backdoors-shadowhammer/143129/\r\nhttps://threatpost.com/asus-pc-backdoors-shadowhammer/143129/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://threatpost.com/asus-pc-backdoors-shadowhammer/143129/" ], "report_names": [ "143129" ], "threat_actors": [ { "id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d", "created_at": "2022-10-25T15:50:23.629983Z", "updated_at": "2026-04-10T02:00:05.362084Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "Group 72" ], "source_name": "MITRE:Axiom", "tools": [ "ZxShell", "gh0st RAT", "Zox", "PlugX", "Hikit", "PoisonIvy", "Derusbi", "Hydraq" ], "source_id": "MITRE", "reports": null }, { "id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5", "created_at": "2022-10-25T15:50:23.269339Z", "updated_at": "2026-04-10T02:00:05.402835Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "APT17", "Deputy Dog" ], "source_name": "MITRE:APT17", "tools": [ "BLACKCOFFEE" ], "source_id": "MITRE", "reports": null }, { "id": "1c97ccfd-1888-492c-b7b9-bb52c4c3809b", "created_at": "2023-01-06T13:46:38.940529Z", "updated_at": "2026-04-10T02:00:03.152806Z", "deleted_at": null, "main_name": "Operation ShadowHammer", "aliases": [], "source_name": "MISPGALAXY:Operation ShadowHammer", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "49822165-5541-423d-8808-1c0a9448d588", "created_at": "2022-10-25T16:07:23.384093Z", "updated_at": "2026-04-10T02:00:04.575678Z", "deleted_at": null, "main_name": "Barium", "aliases": [ "Brass Typhoon", "Pigfish", "Starchy Taurus" ], "source_name": "ETDA:Barium", "tools": [ "Agent.dhwf", "Agentemis", "Barlaiy", "BleDoor", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "Kaba", "Korplug", "POISONPLUG", "PlugX", "RbDoor", "RedDelta", "RibDoor", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a7aefdda-98f1-4790-a32d-14cc99de2d60", "created_at": "2023-01-06T13:46:38.281844Z", "updated_at": "2026-04-10T02:00:02.909711Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "BRONZE KEYSTONE", "G0025", "Group 72", "G0001", "HELIUM", "Heart Typhoon", "Group 8", "AURORA PANDA", "Hidden Lynx", "Tailgater Team" ], "source_name": "MISPGALAXY:APT17", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def", "created_at": "2025-08-07T02:03:24.626625Z", "updated_at": "2026-04-10T02:00:03.605175Z", "deleted_at": null, "main_name": "BRONZE KEYSTONE", "aliases": [ "APT17 ", "Aurora Panda ", "DeputyDog ", "Group 72 ", "Hidden Lynx ", "TG-8153 ", "Tailgater Team" ], "source_name": "Secureworks:BRONZE KEYSTONE", "tools": [ "9002", "BlackCoffee", "DeputyDog", "Derusbi", "Gh0stHTTPSDropper", "HiKit", "InternalCMD", "PlugX", "PoisonIvy", "ZxShell" ], "source_id": "Secureworks", "reports": null }, { "id": "5c74936a-79d1-41b8-81eb-01d03c90a26b", "created_at": "2022-10-25T16:07:23.371052Z", "updated_at": "2026-04-10T02:00:04.570621Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "G0001", "Group 72", "Operation SMN" ], "source_name": "ETDA:Axiom", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "BlackCoffee", "BleDoor", "Chymine", "Darkmoon", "DeputyDog", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "Fexel", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Gresim", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "Mydoor", "PCRat", "PNGRAT", "PlugX", "Poison Ivy", "RbDoor", "RedDelta", "RibDoor", "Roarur", "SPIVY", "Sensocode", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "ZXShell", "Zox", "ZoxPNG", "ZoxRPC", "gresim", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "86fd71d3-06dc-4b73-b038-cedea7b83bac", "created_at": "2022-10-25T16:07:23.330793Z", "updated_at": "2026-04-10T02:00:04.545236Z", "deleted_at": null, "main_name": "APT 17", "aliases": [ "APT 17", "ATK 2", "Beijing Group", "Bronze Keystone", "Deputy Dog", "Elderwood", "Elderwood Gang", "G0025", "G0066", "Operation Aurora", "Operation DeputyDog", "Operation Ephemeral Hydra", "Operation RAT Cook", "SIG22", "Sneaky Panda", "TEMP.Avengers", "TG-8153", "Tailgater Team" ], "source_name": "ETDA:APT 17", "tools": [ "9002 RAT", "AGENT.ABQMR", "AGENT.AQUP.DROPPER", "AGENT.BMZA", "AGENT.GUNZ", "Agent.dhwf", "AngryRebel", "BlackCoffee", "Briba", "Chymine", "Comfoo", "Comfoo RAT", "Darkmoon", "DeputyDog", "Destroy RAT", "DestroyRAT", "Farfli", "Fexel", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Gresim", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Jumpall", "Kaba", "Korplug", "Linfo", "MCRAT.A", "McRAT", "MdmBot", "Mdmbot.E", "Moudour", "Mydoor", "Naid", "Nerex", "PCRat", "PNGRAT", "Pasam", "PlugX", "Poison Ivy", "RedDelta", "Roarur", "SPIVY", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Naid", "Vasport", "Wiarp", "Xamtrav", "Zox", "ZoxPNG", "ZoxRPC", "gresim", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775433994, "ts_updated_at": 1775792278, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1a73c07462865c456f07402ea49ec124833ef2b5.pdf", "text": "https://archive.orkl.eu/1a73c07462865c456f07402ea49ec124833ef2b5.txt", "img": "https://archive.orkl.eu/1a73c07462865c456f07402ea49ec124833ef2b5.jpg" } }