{
	"id": "3c108bc8-bcaa-48dc-abd8-a34b386d92e7",
	"created_at": "2026-04-06T00:19:23.281281Z",
	"updated_at": "2026-04-10T13:12:48.115736Z",
	"deleted_at": null,
	"sha1_hash": "ea7afce96d280ff1874949a68846fe33b40d2cbd",
	"title": "Operation ShadowHammer: new supply chain attack threatens hundreds of thousands of users worldwide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56094,
	"plain_text": "Operation ShadowHammer: new supply chain attack threatens\r\nhundreds of thousands of users worldwide\r\nBy Kaspersky\r\nPublished: 2019-03-25 · Archived: 2026-04-02 12:15:21 UTC\r\nKaspersky Lab has uncovered a new advanced persistent threat (APT) campaign that has affected a large\r\nnumber of users through what is known as a supply chain attack. Our research found that threat actors\r\nbehind Operation ShadowHammer have targeted users of the ASUS Live Update Utility, by injecting a\r\nbackdoor into it at least between June and November 2018. Kaspersky Lab experts estimate that the attack\r\nmay have affected more than a million users worldwide.\r\nA supply chain attack is one of the most dangerous and effective infection vectors, increasingly exploited in\r\nadvanced operations over the last few years – as we have seen with ShadowPad or CCleaner. It targets specific\r\nweaknesses in the interconnected systems of human, organizational, material, and intellectual resources involved\r\nin the product life cycle: from initial development stage through to the end user. While a vendor’s infrastructure\r\ncan be secure, there could be vulnerabilities in its providers’ facilities that would sabotage the supply chain,\r\nleading to a devastating and unexpected data breach.\r\nThe actors behind ShadowHammer targeted the ASUS Live Update Utility as the initial source of infection. This\r\nis a pre-installed utility in most new ASUS computers, for automatic BIOS, UEFI, drivers and applications\r\nupdates. Using stolen digital certificates used by ASUS to sign legitimate binaries, the attackers have tampered\r\nolder versions of ASUS software, injecting their own malicious code. 
Trojanized versions of the utility were signed with legitimate certificates and were hosted on and distributed from official ASUS update servers – which made them mostly invisible to the vast majority of protection solutions.\r\nWhile this means that potentially every user of the affected software could have become a victim, the actors behind ShadowHammer were focused on gaining access to several hundred users about whom they had prior knowledge. As Kaspersky Lab’s researchers discovered, each backdoored sample contained a table of hardcoded MAC addresses – the unique identifiers of the network adapters used to connect a computer to a network. Once running on a victim’s device, the backdoor checked the device’s MAC addresses against this table. If a MAC address matched one of the entries, the malware downloaded the next stage of malicious code. Otherwise, the trojanized updater showed no network activity, which is why it remained undiscovered for such a long time. In total, security experts were able to identify more than 600 MAC addresses. These were targeted by over 230 unique backdoored samples with different shellcodes.\r\nThe modular approach and the extra precautions taken when executing code, to prevent accidental code or data leakage, indicate that it was very important for the actors behind this sophisticated attack to remain undetected while hitting some very specific targets with surgical precision. Deep technical analysis shows that the attackers’ arsenal is very advanced and reflects a very high level of development within the group.\r\nhttps://www.kaspersky.com/about/press-releases/2019_operation-shadowhammer-new-supply-chain-attack\r\nThe search for similar malware has revealed software from three other vendors in Asia, all backdoored with very similar methods and techniques. 
Kaspersky Lab has reported the issue to ASUS and the other vendors.\r\n“The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer base. It is not yet very clear what the ultimate goal of the attackers was and we are still researching who was behind the attack. However, techniques used to achieve unauthorized code execution, as well as other discovered artefacts, suggest that ShadowHammer is probably related to the BARIUM APT, which was previously linked to the ShadowPad and CCleaner incidents, among others. This new campaign is yet another example of how sophisticated and dangerous a smart supply chain attack can be nowadays,” said Vitaly Kamluk, Director of Global Research and Analysis Team, APAC, at Kaspersky Lab.\r\nAll Kaspersky Lab products successfully detect and block the malware used in Operation ShadowHammer.\r\nIn order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky Lab researchers recommend implementing the following measures:\r\nIn addition to adopting must-have endpoint protection, implement a corporate-grade security solution which detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform;\r\nFor endpoint-level detection, investigation and timely remediation of incidents, we recommend implementing EDR solutions such as Kaspersky Endpoint Detection and Response or contacting a professional incident response team;\r\nIntegrate threat intelligence feeds into your SIEM and other security controls in order to get access to the most relevant and up-to-date threat data and prepare for future attacks.\r\nKaspersky Lab will present full findings on Operation ShadowHammer at Security Analyst Summit 2019, in Singapore, 9-11 April.\r\nA full report on the ShadowHammer campaign is already available to customers of Kaspersky Intelligence Reporting Service.\r\nA 
blog summarizing the attack, as well as a special tool designed to validate whether users’ devices were a target, can also be found on Securelist. The validation is also available on a separate website.\r\nAbout Kaspersky Lab\r\nKaspersky Lab is a global cybersecurity company which has been operating in the market for over 21 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.\r\nSource: https://www.kaspersky.com/about/press-releases/2019_operation-shadowhammer-new-supply-chain-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/2019_operation-shadowhammer-new-supply-chain-attack"
	],
	"report_names": [
		"2019_operation-shadowhammer-new-supply-chain-attack"
	],
	"threat_actors": [
		{
			"id": "1c97ccfd-1888-492c-b7b9-bb52c4c3809b",
			"created_at": "2023-01-06T13:46:38.940529Z",
			"updated_at": "2026-04-10T02:00:03.152806Z",
			"deleted_at": null,
			"main_name": "Operation ShadowHammer",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation ShadowHammer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434763,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea7afce96d280ff1874949a68846fe33b40d2cbd.pdf",
		"text": "https://archive.orkl.eu/ea7afce96d280ff1874949a68846fe33b40d2cbd.txt",
		"img": "https://archive.orkl.eu/ea7afce96d280ff1874949a68846fe33b40d2cbd.jpg"
	}
}