• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Stellantis probes data breach linked to third-party provider

 | 

FBI alerts public to spoofed IC3 site used in fraud schemes

 | 

EU agency ENISA says ransomware attack behind airport disruptions

 | 

Researchers expose MalTerminal, an LLM-enabled malware pioneer

 | 

Beware: GitHub repos distributing Atomic Infostealer on macOS

 | 

ESET uncovers Gamaredon–Turla collaboration in Ukraine cyberattacks

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 63

 | 

Security Affairs newsletter Round 542 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

A cyberattack on Collins Aerospace disrupted operations at major European airports

 | 

Fortra addressed a maximum severity flaw in GoAnywhere MFT software

 | 

UK police arrested two teen Scattered Spider members linked to the 2024 attack on Transport for London

 | 

ShadowLeak: Radware Uncovers Zero-Click Attack on ChatGPT

 | 

SonicWall warns customers to reset credentials after MySonicWall backups were exposed

 | 

CVE-2025-10585 is the sixth actively exploited Chrome zero-day patched by Google in 2025

 | 

Jaguar Land Rover will extend its production halt into a third week following a cyberattack

 | 

China-linked APT41 targets government, think tanks, and academics tied to US-China trade and policy

 | 

Microsoft and Cloudflare teamed up to dismantle the RaccoonO365 phishing service

 | 

DoJ resentenced former BreachForums admin to three years in prison

 | 

Apple backports fix for actively exploited CVE-2025-43300

 | 

New supply chain attack hits npm registry, compromising 40+ packages

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Breaking News
  • Hacking
  • Kaspersky speculates the involvement of ShadowPad attackers in Operation ShadowHammer

Kaspersky speculates the involvement of ShadowPad attackers in Operation ShadowHammer

Pierluigi Paganini April 24, 2019

Experts at Kaspersky Lab linked the recent supply-chain attack targeted ASUS users to the “ShadowPad” threat actor and the CCleaner incident.

Security researchers at Kaspersky Lab linked the recent supply-chain attack that hit ASUS users (tracked as Operation ShadowHammer) to the “ShadowPad” threat actor. Experts also linked the incident to the supply chain attack that targeted CCleaner in September 2018. The Operation ShadowHammer was dcampaign was uncovered by experts from Kaspersky Lab and took place between June and November 2018, but experts discovered it in January 2019. iscovered in January 2019, attackers used a Trojanized version of the ASUS Live Update utility to install a backdoor on specific devices, selected based on their MAC addresses. ASUS has since released software updates to address the issue. 

According to Kaspersky, threat actors tampered with a legitimate binary that was initially compiled in 2015 and that was digitally signed to avoid detection.

The malicious code injected in the binaries allows to fetch and install a backdoor used in the attack to control the compromised systems.

“It is important to note that any, even tiny, tampering with executables in such a case normally breaks the digital signature. However, in this case, the digital signature was intact: valid and verifiable. We quickly realized that we were dealing with a case of a compromised digital signature.” reads the analysis published by Kaspersky.

“We believe this to be the result of a sophisticated supply chain attack, which matches or even surpasses the ShadowPad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly the fact that the trojanized software was signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”).”

The supply chain attack was very sophisticated and very targeted, the backdoor was designed to be installed on only 600 select devices, identified through their MAC address.

Some of the MAC addresses targeted by the hackers were rather popular, such as i.e. 00-50-56-C0-00-08 that belongs to the VMWare virtual adapter VMNet8 and is shared by all users of a certain version of the VMware software for Windows.

Another MAC address used in the attack was 0C-5B-8F-27-9A-64, which belongs to the MAC address of a virtual Ethernet adapter designed by Huawei for the USB 3G modem, model E3372h.

During their investigation, experts found other digitally signed binaries from three other vendors in Asia. The binaries are signed with different certificates and a unique chain of trust, but experts pointed out that the way the binaries were trojanized was the same in the three cases.

“The malicious code was not inserted as a resource, neither did it overwrite the unused zero-filled space inside the programs. Instead, it seems to have been neatly compiled into the program, and in most cases, it starts at the beginning of the code section as if it had been added even before the legitimate code.” continues the analysis. “Even the data with the encrypted payload is stored inside this code section. This indicates that the attackers either had access to the source code of the victim’s projects or injected malware on the premises of the breached companies at the time of project compilation.”

ASUS ShadowPad

Experts found many similarities between non-ASUS-related cases and the ASUS supply chain attack, such as the algorithm used to calculate API function hashes, and the use of IPHLPAPI.dll from within a shellcode embedded into a PE file.

The investigators also found a connection between the ASUS attack to the ShadowPad backdoor that was first detected in 2017 and that was attributed to the Axiom group (also known as APT17 or DeputyDog).

The most popular campaign attributed to the APT17 group is the attack on the Google’s infrastructure, also known as Operation Aurora. For almost a decade the APT17 targeted government organizations in several Southeast Asian countries and the US, NGOs, defense contractors, law firms, IT firms, and mining companies.

According to malware experts at Intezer the code used in the CCleaner attack has many similarities with the code used by the Axiom group.

Experts at Kaspersky noticed that the malicious code used in the Operation ShadowHammer have reused algorithms from multiple malware samples, including many of PlugX RAT, a backdoor used by many Chinese-speaking hacker groups.

“ShadowPad, a powerful threat actor, previously concentrated on hitting one company at a time. Current research revealed at least four companies compromised in a similar manner, with three more suspected to have been breached by the same attacker.” Kaspersky concludes. 

“How many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism,”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Asus Supply Chain attack, ShadowPad )

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

ASUS backdoor Hacking operation shadowhammer Pierluigi Paganini Security Affairs ShadowPad backdoor supply chain attack

you might also like

Pierluigi Paganini September 22, 2025
Stellantis probes data breach linked to third-party provider
Read more
Pierluigi Paganini September 22, 2025
FBI alerts public to spoofed IC3 site used in fraud schemes
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Stellantis probes data breach linked to third-party provider

    Data Breach / September 22, 2025

    FBI alerts public to spoofed IC3 site used in fraud schemes

    Cyber Crime / September 22, 2025

    EU agency ENISA says ransomware attack behind airport disruptions

    Security / September 22, 2025

    Researchers expose MalTerminal, an LLM-enabled malware pioneer

    Malware / September 22, 2025

    Beware: GitHub repos distributing Atomic Infostealer on macOS

    Malware / September 22, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT