Cyber Incident Victim: ASUSTeK Computer Inc.
Date: Jun 2018
Location: Taiwan
Summary
A major computer manufacturer's software update server was compromised, leading to the distribution of malicious backdoors through legitimately signed updates. Attackers selectively targeted approximately 600 systems by matching hardcoded MAC address hashes, while hundreds of thousands of devices globally received the trojanized updates over several months. Security researchers confirmed the supply-chain attack leveraged valid digital certificates from the company's infrastructure, enabling stealthy malware deployment. The compromised update mechanism allowed secondary payload installation on targeted machines, with evidence linking the operation to prior supply-chain campaigns. Despite notification, the company delayed certificate revocation, leaving systems exposed to further exploitation through the trusted update channel.
Description
In mid-2018, attackers compromised ASUS's live software update infrastructure, leading to the distribution of malicious backdoors through the company's trusted update mechanism. Between June and November 2018, approximately 500,000 Windows machines received trojanized updates signed with legitimate ASUS digital certificates, making the malicious files appear authentic. The attackers injected malicious code into a legitimate three-year-old ASUS update binary (setup.exe) from 2015 and pushed it through ASUS's Live Update servers. This compromised file purported to be an update for the update tool itself. Researchers at Kaspersky Lab discovered the campaign, dubbed ShadowHammer, in January 2019 after implementing new supply-chain detection technology that identified anomalous code fragments. The malware specifically targeted approximately 600 systems by checking infected machines' MAC addresses against a pre-configured list of hashed values embedded within the malicious files. When a match occurred, the malware contacted the command-and-control domain asushotfix.com to download a second-stage backdoor. The attackers maintained persistence by switching between two valid ASUS digital certificates when the first expired in mid-2018. Kaspersky first detected the malware on a customer's machine on January 29, 2019, and subsequent scans revealed over 57,000 infected devices among their user base, with global infections confirmed by Symantec across at least 13,000 additional systems.

The attack's surgical targeting of specific MAC addresses allowed it to remain undetected for five months, as non-targeted systems showed no malicious behavior. Kaspersky researchers reverse-engineered most of the 600 hashed MAC addresses but could not identify the ultimate targets. The command-and-control server operated from May to November 2018 before being shut down, preventing analysis of the second-stage payload. Kaspersky notified ASUS of the compromise on January 31, 2019, and held an in-person meeting on February 14, but ASUS reportedly denied server compromise and failed to notify customers or revoke the two compromised certificates for several months. Forensic evidence indicated the attackers likely had limited access to ASUS's signing infrastructure rather than full build-system control, as they reused old binaries while legitimate updates continued using a separate enhanced-validation certificate. The incident followed prior ASUS security failures, including a 2016 FTC settlement over router vulnerabilities. Researchers linked the attack to the ShadowPad group through infrastructure and targeting similarities, noting ASUS had been a primary target in the 2017 CCleaner supply-chain attack, suggesting possible initial network access through that earlier compromise. Early warnings occurred in June 2018 when users reported suspicious update alerts on Reddit, but the files' valid ASUS signatures and clean VirusTotal scans led many to install them.
