{
	"id": "9fd96a4b-8760-4651-8584-7ca335ae31c3",
	"created_at": "2026-04-06T00:09:30.84762Z",
	"updated_at": "2026-04-10T03:32:21.571186Z",
	"deleted_at": null,
	"sha1_hash": "5649069a74bf22614de960ea09d194771721e989",
	"title": "Operation ShadowHammer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 197636,
	"plain_text": "Operation ShadowHammer\r\nBy GReAT\r\nPublished: 2019-03-25 · Archived: 2026-04-02 10:47:26 UTC\r\nEarlier today, Motherboard published a story by Kim Zetter on Operation ShadowHammer, a newly discovered\r\nsupply chain attack that leveraged ASUS Live Update software.\r\nWhile the investigation is still in progress and full results and technical paper will be published during SAS 2019\r\nconference in Singapore, we would like to share some important details about the attack.\r\nIn January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility.\r\nThe attack took place between June and November 2018 and according to our telemetry, it affected a large number\r\nof users.\r\nASUS Live Update is an utility that is pre-installed on most ASUS computers and is used to automatically update\r\ncertain components such as BIOS, UEFI, drivers and applications. According to Gartner, ASUS is the world’s 5th-largest PC vendor by 2017 unit sales. This makes it an extremely attractive target for APT groups that might want\r\nto take advantage of their userbase.\r\nBased on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version\r\nof ASUS Live Update at some point in time. We are not able to calculate the total count of affected users based\r\nonly on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting\r\nover a million users worldwide.\r\nThe goal of the attack was to surgically target an unknown pool of users, which were identified by their\r\nnetwork adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the\r\ntrojanized samples and this list was used to identify the actual intended targets of this massive operation. We were\r\nable to extract more than 600 unique MAC addresses from over 200 samples used in this attack. 
Of course, there might be other samples out there with different MAC addresses in their list.\r\nWe believe this to be a very sophisticated supply chain attack, which matches or even surpasses the ShadowPad and CCleaner incidents in complexity and techniques. It stayed undetected for so long partly because the trojanized updaters were signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official ASUS update servers liveupdate01s.asus[.]com and liveupdate01.asus[.]com.\r\nhttps://securelist.com/operation-shadowhammer/89992/\r\nPage 1 of 4\n\nDigital signature on a trojanized ASUS Live Update setup installer\r\nCertificate serial number: 05e6a0be5ac359c7ff11f4b467ab20fc\r\nWe contacted ASUS and informed them about the attack on Jan 31, 2019, supporting their investigation with IOCs and descriptions of the malware.\r\nAlthough precise attribution is not available at the moment, certain evidence we have collected allows us to link this attack to the ShadowPad incident from 2017. The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM. BARIUM is an APT actor known to be using the Winnti backdoor. Recently, our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved, which we believe is connected to this case as well.\r\nA victim distribution by country for the compromised ASUS Live Updater looks as follows:\r\nIt should be noted that the numbers are also highly influenced by the distribution of Kaspersky users around the world. In principle, the distribution of victims should match the distribution of ASUS users around the world.\r\nWe’ve also created a tool which can be run to determine if your computer has been one of the surgically selected targets of this attack.
To check this, it compares the MAC addresses of all adapters to a list of predefined values hardcoded in the malware and alerts if a match is found.\r\nDownload an archive with the tool (.exe)\r\nAlso, you may check MAC addresses online. If you discover that you have been targeted by this operation, please e-mail us at: shadowhammer@kaspersky.com\r\nIOCs\r\nKaspersky Lab verdicts for the malware used in this and related attacks:\r\nHEUR:Trojan.Win32.ShadowHammer.gen\r\nDomains and IPs:\r\nasushotfix[.]com\r\n141.105.71[.]116\r\nSome of the URLs used to distribute the compromised packages:\r\nhxxp://liveupdate01.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip\r\nhxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip\r\nhxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip\r\nhxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip\r\nHashes (Liveupdate_Test_VER365.zip):\r\nMD5: aa15eb28292321b586c27d8401703494\r\nSHA256: bebb16193e4b80f4bc053e4fa818aa4e2832885392469cd5b8ace5cec7e4ca19\r\nA full set of IOCs and Yara rules is available to customers of the Kaspersky Intelligence Reporting service – contact intelreports@kaspersky.com\r\nSource: https://securelist.com/operation-shadowhammer/89992/",
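The published indicators, refanged and run over a few constructed proxy-log lines, as an added example that is not part of the Securelist post. The indicator values are the ones from the IOCs section of the post; the log format, client addresses, timestamps and the non-IOC paths in the sample lines are invented for the demonstration. Because liveupdate01.asus.com and liveupdate01s.asus.com are ASUS's legitimate update servers, the example matches them only as full package URLs and matches only asushotfix.com and 141.105.71.116 at the host level; a host-level match on the asus.com servers would flag every normal Live Update download.

```python
# Added example for this page (not part of the Securelist post): refang the
# indicators published in the post and run them over constructed proxy-log
# lines, then verify a downloaded package against the published hashes.
import hashlib
from urllib.parse import urlsplit

IOC_DOMAINS = ['asushotfix[.]com']
IOC_IPS = ['141.105.71[.]116']
IOC_URLS = [
    'hxxp://liveupdate01.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip',
    'hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip',
    'hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip',
    'hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip',
]
IOC_HASHES = {   # Liveupdate_Test_VER365.zip
    'md5': 'aa15eb28292321b586c27d8401703494',
    'sha256': 'bebb16193e4b80f4bc053e4fa818aa4e2832885392469cd5b8ace5cec7e4ca19',
}

def refang(ioc):
    '''Undo the defanging used in the post (hxxp -> http, [.] -> .) and
    lower-case the result so comparisons are case-insensitive.'''
    return ioc.replace('hxxp', 'http').replace('[.]', '.').lower()

URL_SET = {refang(u) for u in IOC_URLS}
DOMAIN_SET = {refang(d) for d in IOC_DOMAINS}
IP_SET = {refang(i) for i in IOC_IPS}

def classify_url(url):
    '''Return why a URL is suspicious, or None. The asus.com hosts are
    ASUS's real update servers, so they are matched only as full package
    URLs; asushotfix.com and the C2 IP are matched at the host level.'''
    u = url.lower()
    if u in URL_SET:
        return 'trojanized package URL'
    host = urlsplit(u).hostname or ''
    if host in IP_SET:
        return 'C2 IP'
    for d in DOMAIN_SET:
        if host == d or host.endswith('.' + d):
            return 'C2 domain'
    return None

def scan_log(lines):
    '''Scan proxy-log lines of the constructed form
    timestamp client method url status. Returns a list of (line_no, reason, url).'''
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue   # malformed line: skip it rather than abort the scan
        reason = classify_url(fields[3])
        if reason:
            hits.append((n, reason, fields[3]))
    return hits

def package_matches(data):
    '''Compare raw package bytes against the published MD5 and SHA256.'''
    return {
        'md5': hashlib.md5(data).hexdigest() == IOC_HASHES['md5'],
        'sha256': hashlib.sha256(data).hexdigest() == IOC_HASHES['sha256'],
    }

def verify_package(path):
    '''Hash a local copy of Liveupdate_Test_VER365.zip and report matches.'''
    with open(path, 'rb') as fh:
        return package_matches(fh.read())

# Constructed log lines: the client addresses, timestamps and the non-IOC
# paths (/update, LiveUpdate_Other.zip) are invented for this example.
SAMPLE_LOG = [
    '2018-09-01T10:00:01Z 10.0.0.5 GET https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip 200',
    '2018-09-01T10:00:02Z 10.0.0.5 GET https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/LiveUpdate_Other.zip 200',
    '2018-09-01T10:05:00Z 10.0.0.5 GET http://asushotfix.com/update 200',
    '2018-09-01T10:05:01Z 10.0.0.5 POST http://141.105.71.116/update 200',
    '2018-09-01T10:06:00Z 10.0.0.7 GET https://www.example.com/ 200',
]

if __name__ == '__main__':
    for n, reason, url in scan_log(SAMPLE_LOG):
        print(n, reason, url)
```

The second sample line is deliberately a download from the same ASUS server that is not on the URL list and is not flagged. A copy of the package that reached a host by another route (re-hosted, renamed, or downloaded before logging started) will not produce a URL hit at all, which is why verify_package() is there: the published MD5 and SHA256 identify the file regardless of where it came from.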
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://securelist.com/operation-shadowhammer/89992/"
	],
	"report_names": [
		"89992"
	],
	"threat_actors": [
		{
			"id": "1c97ccfd-1888-492c-b7b9-bb52c4c3809b",
			"created_at": "2023-01-06T13:46:38.940529Z",
			"updated_at": "2026-04-10T02:00:03.152806Z",
			"deleted_at": null,
			"main_name": "Operation ShadowHammer",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation ShadowHammer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434170,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5649069a74bf22614de960ea09d194771721e989.pdf",
		"text": "https://archive.orkl.eu/5649069a74bf22614de960ea09d194771721e989.txt",
		"img": "https://archive.orkl.eu/5649069a74bf22614de960ea09d194771721e989.jpg"
	}
}