Mallory

ShadowHammer

ShadowHammer is the name Kaspersky gave to a supply-chain malware operation that abused ASUS's Live Update infrastructure to distribute a trojanized, digitally signed software update to Windows systems. The malicious update was signed with two legitimate ASUS code-signing certificates that the attackers were able to use (compromised certificates, not forged ones), and it was distributed between June and November 2018 through the ASUS Live Update Utility, which ships factory-installed on ASUS laptops and other devices. The trojanized file, reported as setup.exe, was a legitimate 2015 ASUS update binary that the attackers modified and re-signed, so it carried a genuine ASUS signature while containing the implant.

The campaign reached a very large victim base: Kaspersky estimated that roughly 500,000 Windows machines received the malicious update, counted more than 57,000 affected systems among its own customers, and Symantec reported that at least 13,000 of its customers received it. Despite this scale, the operation was highly selective. The trojanized installer carried a list of hashed MAC addresses; at runtime it hashed the MAC addresses of the local network adapters and compared them against that list, and researchers assessed that only about 600 systems were actual targets. If an adapter matched the embedded list, the malware contacted the attacker-controlled domain asushotfix.com to retrieve a second-stage backdoor; on non-targeted hosts the updater otherwise behaved like the legitimate one, so most recipients saw little or no follow-on activity.

The operation is also referred to as Operation ShadowHammer and is explicitly described as a supply-chain attack (ATT&CK T1195). Public reporting links it to APT41: the 2020 U.S. Department of Justice indictment of three Chinese nationals allegedly tied to APT41 cited ShadowHammer alongside the CCleaner and ShadowPad supply-chain attacks, and Kaspersky itself linked ShadowHammer to earlier ShadowPad- and CCleaner-related activity. Reported indicators and artifacts include the ASUS Live Update delivery vector, a malicious setup.exe delivered as an update to the updater itself, signing with legitimate ASUS certificates, the embedded hashed-MAC-address targeting logic, and contact with asushotfix.com for second-stage payload retrieval. Because the signature was genuine, signature validation alone would not have flagged the file; detection and hunting have to rest on the file hashes, the targeting logic and the C2 domain.
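The two checks responders actually ran against this campaign, as an added example that is not code from Kaspersky, ASUS or this page: does any local adapter hash into the embedded MAC target list (the targeting logic described above), and does DNS telemetry show lookups of the second-stage domain asushotfix.com (the C2 indicator listed above). The hash algorithm (MD5) and the exact text the malware hashed (lowercase, colon-separated MAC) are assumptions here; the target list and the DNS log lines are constructed for the example, not real samples or telemetry.

```python
"""ShadowHammer-style hunting checks (added example, not original page code).

Assumptions: MAC hashes are MD5 over the lowercase colon-separated MAC text;
the target hashes and DNS log below are constructed, not real IOCs.
"""
import hashlib
import re

# ---- Part 1: hashed MAC-address target list ---------------------------------
HEX_PAIRS = re.compile(r"[0-9a-f]{2}")


def normalize_mac(mac: str) -> str:
    """Canonicalise 00-1A-2B-3C-4D-5E, 001a.2b3c.4d5e or 001A2B3C4D5E
    to 00:1a:2b:3c:4d:5e so every representation hashes identically."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(HEX_PAIRS.findall(hexdigits))


def mac_hash(mac: str) -> str:
    """MD5 of the canonical MAC text (assumed hashing scheme)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed target list: built from example MACs so the block is
# self-contained. A real sample carries only the hashes, never the MACs.
_CONSTRUCTED_TARGET_MACS = ["00:1a:2b:3c:4d:5e", "d4:81:d7:00:11:22"]
TARGET_MAC_HASHES = frozenset(mac_hash(m) for m in _CONSTRUCTED_TARGET_MACS)


def matching_adapters(local_macs, target_hashes=TARGET_MAC_HASHES):
    """Return the local MACs (canonical form) whose hash is on the target list.
    Malformed entries are skipped rather than aborting the whole sweep."""
    hits = []
    for mac in local_macs:
        try:
            canon = normalize_mac(mac)
        except ValueError:
            continue
        if hashlib.md5(canon.encode("ascii")).hexdigest() in target_hashes:
            hits.append(canon)
    return hits


# ---- Part 2: second-stage C2 domain in DNS telemetry ------------------------
# Constructed log lines, not real telemetry.
SAMPLE_DNS_LOG = """\
2018-09-12T10:01:03Z host=ws-117 query=asushotfix.com type=A
2018-09-12T10:01:04Z host=ws-117 query=liveupdate01s.asus.com type=A
2018-09-12T10:02:10Z host=ws-203 query=cdn.asushotfix.com type=A
2018-09-12T10:03:44Z host=ws-088 query=asushotfix.com.example.test type=A
2018-09-12T10:04:00Z host=ws-301 query=ASUSHOTFIX.COM type=AAAA
"""

C2_DOMAINS = ("asushotfix.com",)
QUERY_RE = re.compile(r"host=(\S+)\s+query=(\S+)")


def is_c2_lookup(qname, domains=C2_DOMAINS):
    """True for the domain itself or any subdomain; a lookalike that merely
    starts with the domain (asushotfix.com.example.test) does not match."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def find_c2_lookups(log_text, domains=C2_DOMAINS):
    """Return (host, queried name) pairs for every C2 lookup in the log."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_c2_lookup(m.group(2), domains):
            hits.append((m.group(1), m.group(2).lower().rstrip(".")))
    return hits


if __name__ == "__main__":
    print(matching_adapters(["00-1A-2B-3C-4D-5E", "D481.D700.1122",
                             "aa:bb:cc:dd:ee:ff", "bogus"]))
    print(find_c2_lookups(SAMPLE_DNS_LOG))
```

The MAC check is the same test the implant performed, turned around for defence: feed it the adapter list from your asset inventory and the hash list extracted from the sample. The DNS check deliberately matches on domain suffix boundaries so that a lookalike domain that merely begins with the IOC is not counted as a hit.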


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

ShadowPad

The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore.

via Vice (vice.com)
APT41

In 2020, the Department of Justice indicted three Chinese nationals believed to be part of APT41 for conducting supply chain attacks [CCleaner, ShadowPad, ShadowHammer], data theft, and breaches against countries worldwide.

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195 Supply Chain Compromise (evidence: 1)

...indicted three Chinese nationals believed to be part of APT41 for conducting supply chain attacks [CCleaner, ShadowPad, ShadowHammer]...
