
CISA Adds Critical ASUS Live Update Supply Chain Vulnerability to KEV After Evidence of Active Exploitation (CVE-2019-12999)

  • Rescana

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in the ASUS Live Update Utility, cataloged as CVE-2019-12999, to its Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence of active exploitation. The vulnerability is associated with Operation ShadowHammer, a supply chain attack in which attackers compromised ASUS's software update infrastructure, injected trojanized code into legitimate ASUS Live Update installers, and had the result signed with ASUS's own code-signing certificates, so that the trust placed in signed vendor software worked in the attackers' favor. The implant activated only on devices whose MAC addresses matched a hardcoded target list. The campaign, attributed to the BARIUM advanced persistent threat (APT) group (also tracked as APT41 or Winnti), illustrates the persistent risk of supply chain attacks and the need for rigorous third-party risk management. ASUS Live Update is now End-of-Support (EoS), and CISA urges all organizations to discontinue use of all versions of the product immediately.

Threat Actor Profile

The threat actor behind this campaign is widely attributed to the BARIUM APT group, also known as APT41 or Winnti. This group is a Chinese state-sponsored cyber espionage and cybercrime collective known for its advanced capabilities in supply chain compromise, lateral movement, and custom malware development. BARIUM has a history of targeting software vendors to propagate malicious code to downstream customers, as seen in the CCleaner and ShadowPad incidents. The group’s operations are characterized by a dual focus on espionage and financially motivated attacks, often leveraging stolen code-signing certificates and exploiting trusted update mechanisms. Their technical sophistication includes the ability to maintain persistent access, evade detection through legitimate digital signatures, and deploy highly targeted payloads based on unique device identifiers.

Technical Analysis of Malware/TTPs

The ASUS Live Update compromise is a textbook supply chain attack. Attackers gained unauthorized access to ASUS's update servers and injected malicious code into the official ASUS Live Update Utility installers. The trojanized installers were signed with legitimate ASUS code-signing certificates, so both users and endpoint security products trusted them. The malicious build carried a hardcoded list of more than 600 target MAC addresses, stored as MD5 hashes rather than in the clear, and only devices with a matching adapter address went on to retrieve a second-stage payload from attacker-controlled command-and-control (C2) infrastructure.

The technical workflow of the attack is as follows. On execution, the trojanized ASUS Live Update client hashes the MAC addresses of the host's network adapters and compares them with the embedded list. On a match, the implant connects to C2 domains such as asushotfix[.]com and asusupdate[.]net, downloads additional payloads and executes them; on every other host the trojanized component is inert, which is why the overwhelming majority of recipients saw no malicious behavior. Because the binaries carried valid ASUS signatures and arrived over the official update channel, controls that key on signature validity and source trusted them, and the campaign stayed under the radar for months. The tradecraft maps to MITRE ATT&CK T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain), T1071 (Application Layer Protocol), and T1105 (Ingress Tool Transfer).

Indicators of compromise (IOCs) include the SHA256 and MD5 hashes of the trojanized installers, the targeted MAC addresses (the hashed list was recovered and published by Skylight Cyber in its "Unleash the Hash" post, linked below), and connections to the known C2 domains and IP addresses. Kaspersky detects the malware as HEUR:Trojan.Win32.ShadowHammer.gen.
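The target-selection step described above, as an added example: Python written for this page, not Kaspersky's checker and not the malware's own code. It models the hashed MAC list from the analysis: the attacker side computes MD5 digests of target MACs, and the same comparison, run on a host, tells a defender whether that host was on the list without the raw target addresses ever being exposed. It goes one step beyond the text by also handling a target keyed on two adapters. The MAC normalization (lowercase, colon-separated), the concatenation format for the two-adapter case, and every MAC and digest below are this example's assumptions and constructed values, not ShadowHammer indicators; a real check must hash MACs exactly the way the sample did.

```python
"""Added example: ShadowHammer-style target selection on MD5-hashed MACs,
and the same logic turned around as a host-side check.

Assumptions (not from the Kaspersky report): MACs are normalised to
lowercase, colon-separated form before hashing; a two-adapter target is the
digest of the two normalised MACs concatenated in order. All MAC values and
digests here are constructed sample data.
"""
from __future__ import annotations

import hashlib
import re
from itertools import permutations
from typing import Iterable

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical 'aa:bb:cc:dd:ee:ff'; accepts '-', ':' or no separators."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_fingerprint(*macs: str) -> str:
    """MD5 over one MAC, or over several concatenated in the given order
    (the concatenation format is this example's assumption)."""
    joined = "".join(normalize_mac(m) for m in macs)
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def build_target_list(targets: Iterable[tuple[str, ...]]) -> frozenset[str]:
    """Attacker side: the implant ships only digests, never raw MACs, so the
    target list cannot be read out of the binary without cracking it."""
    return frozenset(mac_fingerprint(*t) for t in targets)


def is_targeted(host_macs: list[str], target_hashes: frozenset[str]) -> list[str]:
    """Implant / defender side: hash every adapter alone and every ordered
    pair of adapters; return the digests that match. Empty means 'not selected'."""
    hits: list[str] = []
    for mac in host_macs:
        digest = mac_fingerprint(mac)
        if digest in target_hashes:
            hits.append(digest)
    for first, second in permutations(host_macs, 2):
        digest = mac_fingerprint(first, second)
        if digest in target_hashes:
            hits.append(digest)
    return hits


# Constructed sample targets, not real ShadowHammer indicators.
SAMPLE_TARGETS = build_target_list([
    ("00-11-22-33-44-55",),                         # single-adapter target
    ("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"),     # two-adapter target
])

if __name__ == "__main__":
    print(is_targeted(["00:11:22:33:44:55"], SAMPLE_TARGETS))            # selected
    print(is_targeted(["aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:01"], SAMPLE_TARGETS))  # selected via pair
    print(is_targeted(["aa:bb:cc:dd:ee:01"], SAMPLE_TARGETS))            # not selected: pair incomplete
    print(is_targeted(["de:ad:be:ef:00:01"], SAMPLE_TARGETS))            # not selected
```

For a fleet check, feed each host's adapter MACs into is_targeted with the published digest set; the pair case is why a host with both wired and wireless adapters must be checked with both addresses present, not one at a time.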

Exploitation in the Wild

The initial exploitation phase, Operation ShadowHammer, ran between June and November 2018. Trojanized updates reached hundreds of thousands of ASUS users worldwide, but only devices whose MAC addresses appeared on the embedded list were actively targeted. Kaspersky discovered the campaign in January 2019 and disclosed it publicly in March 2019, identifying both its highly targeted nature and the use of legitimate ASUS code-signing certificates.

CISA's KEV addition cites evidence of active exploitation of the same vulnerability. The resurgence of a 2019-era flaw underscores the persistent risk posed by legacy software and the importance of decommissioning unsupported products promptly. ASUS Live Update reached End-of-Support on December 4, 2025, with 3.6.15 as its final release. CISA requires all Federal Civilian Executive Branch (FCEB) agencies to discontinue use of the software by January 7, 2026.

Victimology and Targeting

The targeting methodology employed in this campaign was highly selective. While the malicious update was distributed to a broad base of ASUS users, only devices with MAC addresses matching the hardcoded list embedded in the malware were subject to further compromise. This approach suggests a focus on high-value individuals or organizations, potentially including government agencies, defense contractors, and other entities of strategic interest. The global distribution of ASUS devices means that victims were located worldwide, with concentrations in regions where ASUS has significant market share. The lack of sector specificity, combined with the precision of targeting, indicates an intelligence-driven operation rather than a broad criminal campaign.

Mitigation and Countermeasures

Immediate action is required. All organizations should uninstall ASUS Live Update from all systems: the product is End-of-Support and will receive no further security updates. If continued use is unavoidable in the short term, confirm that the installed build is 3.6.8 or later (the release that addressed CVE-2019-12999), but note that a patched client still trusts anything carrying a valid ASUS signature, so patching does nothing against a ShadowHammer-style compromise of the vendor's own signing and distribution chain and is not a long-term solution. Security teams should review endpoint and network logs for execution of the known malicious installers (by hash), for connections to the ShadowHammer C2 domains, and for hosts whose MAC addresses appear on the published target list.

Network defenses should block the malicious domains and IP addresses associated with the campaign, and DNS and proxy logs should be checked retroactively for earlier contact with them. Organizations should also inventory every third-party software package and update mechanism in use, prioritizing removal or replacement of unsupported or high-risk applications. Where compromise is suspected, conduct a full forensic investigation and reimage affected systems rather than relying on removal of the installer alone.
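The three checks the mitigation section asks for, as an added example: Python written for this page, not Rescana's, CISA's or ASUS's tooling. It gates the installed version against the 3.6.8 fix threshold (as numeric tuples, because a plain string comparison ranks "3.6.15" below "3.6.8"), sweeps proxy or DNS log lines for the C2 domains named above including their subdomains, and matches file SHA256 digests against an IOC hash set. The log line format, the sample lines, and the single hash in the IOC set (the digest of an empty file) are constructed placeholders; the domain list repeats the page's two names and must be replaced with the full indicator list from the Kaspersky report before real use.

```python
"""Added example: the mitigation checks run offline over constructed data.

  1. installed ASUS Live Update version vs. the 3.6.8 fix threshold
  2. proxy/DNS log lines vs. the ShadowHammer C2 domains named on the page
  3. file SHA256 digests vs. an IOC hash set

The log format, sample lines and placeholder hash are constructed for this
example; the C2 list is a placeholder for the report's full indicator list.
"""
from __future__ import annotations

import hashlib
import re
from pathlib import Path
from typing import Iterable, Iterator

FIXED_VERSION = (3, 6, 8)  # first build carrying the CVE-2019-12999 fix
# Domains named on the page; replace with the full list from the Kaspersky report.
C2_DOMAINS = frozenset({"asushotfix.com", "asusupdate.net"})
# Constructed placeholder digest (SHA256 of an empty file), not a real IOC.
KNOWN_BAD_SHA256 = frozenset({
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
})


def version_tuple(version: str) -> tuple[int, ...]:
    """'3.6.15' -> (3, 6, 15); compared numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_update(installed: str) -> bool:
    """True when the installed build predates the fix."""
    return version_tuple(installed) < FIXED_VERSION


# Constructed line format: '<timestamp> <src_ip> <dst_host> <action>'
_LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _normalize_host(host: str) -> str:
    return host.lower().rstrip(".")


def _is_c2(host: str, c2: frozenset[str]) -> bool:
    """Exact domain or a subdomain of it; a substring test would also flag
    unrelated names that merely contain 'asus'."""
    return any(host == d or host.endswith("." + d) for d in c2)


def find_c2_contacts(lines: Iterable[str], c2: frozenset[str] = C2_DOMAINS) -> list[dict]:
    """Return one record per log line whose destination is a C2 domain."""
    hits: list[dict] = []
    for line in lines:
        match = _LOG_RE.match(line.strip())
        if not match:
            continue  # malformed line: skip it, do not abort the sweep
        ts, src, host, action = match.groups()
        host = _normalize_host(host)
        if _is_c2(host, c2):
            hits.append({"ts": ts, "src": src, "host": host, "action": action})
    return hits


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def iter_file_hashes(paths: Iterable[Path]) -> Iterator[tuple[Path, str]]:
    """Stream each file in 1 MiB chunks so large installers never sit in RAM."""
    for path in paths:
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        yield path, digest.hexdigest()


def match_known(hashes: dict[str, str], known: frozenset[str] = KNOWN_BAD_SHA256) -> list[str]:
    """Names whose digest appears in the IOC set."""
    return [name for name, digest in hashes.items() if digest in known]


# Constructed sample log, not captured traffic.
SAMPLE_LOG = [
    "2025-12-18T10:01:02Z 10.0.0.12 www.example.com ALLOW",          # benign
    "2025-12-18T10:01:09Z 10.0.0.12 asushotfix.com ALLOW",           # C2, exact
    "2025-12-18T10:01:10Z 10.0.0.12 cdn.asushotfix.com. BLOCK",      # C2, subdomain, FQDN dot
    "2025-12-18T10:01:11Z 10.0.0.12 notasushotfix.com ALLOW",        # substring trap, not C2
    "malformed line here",
]

if __name__ == "__main__":
    import tempfile
    print("3.6.7 needs update:", needs_update("3.6.7"))
    print("3.6.15 needs update:", needs_update("3.6.15"))
    for hit in find_c2_contacts(SAMPLE_LOG):
        print("C2 contact:", hit)
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "installer.exe"
        sample.write_bytes(b"")  # empty file hashes to the placeholder IOC
        digests = {p.name: h for p, h in iter_file_hashes([sample])}
        print("IOC hash matches:", match_known(digests))
```

Point iter_file_hashes at the installer cache and download directories on suspect hosts, and run find_c2_contacts over exported proxy or DNS logs covering the full retention window, since the original campaign went unnoticed for months.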

The ASUS Live Update incident highlights the critical importance of supply chain security and the need for robust third-party risk management practices. Organizations are encouraged to leverage threat intelligence feeds, maintain an up-to-date asset inventory, and implement strict controls over software installation and update processes.

References

  • Kaspersky, Operation ShadowHammer (Securelist): https://securelist.com/operation-shadowhammer/89992/
  • Skylight Cyber, Unleash the Hash: ShadowHammer MAC Address List: https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/
  • CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • NVD entry for CVE-2019-12999: https://nvd.nist.gov/vuln/detail/CVE-2019-12999
  • ASUS Security Advisory / FAQ 1018727: https://www.asus.com/support/faq/1018727/
  • MITRE ATT&CK T1195.002: https://attack.mitre.org/techniques/T1195/002/
  • The Hacker News, CISA Flags Critical ASUS Live Update Flaw: https://thehackernews.com/2025/12/cisa-flags-critical-asus-live-update.html

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate risks across their digital supply chain. Our platform empowers security teams to identify vulnerabilities, track remediation efforts, and ensure compliance with industry standards. We are committed to helping our customers stay ahead of emerging threats and maintain a resilient cybersecurity posture.

For further questions or incident response support, please contact us at ops@rescana.com.
