ASUS ShadowHammer
A trojanized ASUS Live Update reached half a million customers worldwide. The attackers were only interested in a few hundred MAC addresses.
In March 2019, Kaspersky disclosed a supply-chain campaign it called Operation ShadowHammer. The attackers had compromised the ASUS Live Update build infrastructure and used it to push a signed, malicious version of the utility — a tool installed by default on most ASUS-branded laptops and desktops — to roughly half a million devices over the second half of 2018.
A list of MAC addresses
Like CCleaner before it, the implant was not interested in most of the machines it reached. The malicious Live Update binary contained a hard-coded list of approximately six hundred MAC addresses. The first thing the implant did on each victim machine was to check whether the MAC address of any of its network interfaces matched the list. If none did, it did nothing.
Machines that matched received a second-stage payload that contacted attacker infrastructure and downloaded additional tooling. Kaspersky was unable to recover the full set of follow-on payloads, but the targeting profile implied a tightly selected list of individuals across a small number of networks. Researchers later linked the operation to the same actor behind the CCleaner campaign, a Chinese-aligned group commonly tracked under the umbrella label BARIUM.
ASUS's response
ASUS initially downplayed the disclosure, then released a clean updater and a self-check tool that allowed users to verify whether their MAC address was among those targeted. The episode prompted closer scrutiny of OEM update mechanisms across the industry — pre-installed updaters, unlike Windows Update, were rarely audited by anyone outside the vendor.
What the chronicle remembers
ShadowHammer was the second high-profile demonstration of the "compromise a vendor, target a few hundred" pattern. Both ASUS and CCleaner showed that a successful build-chain breach gives attackers a giant, mostly-wasted distribution channel; the discipline is in throwing away the millions of impressions to keep the dozens of real targets unnoticed.