
ASUS Live Update ShadowHammer Supply Chain Attack — Lazarus Group / OPERATION ShadowHammer

📅 2019-01-01 🏢 ASUS Live Update Utility (ASUS pre-installed automatic update tool) 🦠 ShadowHammer backdoor

Incident Details

Between June 2018 and November 2018 (disclosed March 2019), attackers compromised ASUS’s software build and signing infrastructure to inject a backdoor into the ASUS Live Update Utility — a tool pre-installed on most ASUS laptops and desktops to automatically push firmware, BIOS, driver, and application updates. The trojanized version was signed with legitimate ASUS digital certificates, making it indistinguishable from genuine software. Approximately 1 million devices received the malicious update via ASUS’s official servers. However, the backdoor contained a hardcoded list of approximately 600 specific MAC addresses that were the true targets: when the malware found a matching MAC address, it downloaded and executed a second-stage payload. The narrow targeting of specific machines within a massive distribution indicated a precision espionage operation.

Kaspersky Lab discovered the attack (code-named OPERATION ShadowHammer) and disclosed it on 25 March 2019 after notifying ASUS in January 2019. Kaspersky published a MAC address checker to allow affected users to determine whether their device was a targeted machine. ASUS released a patched version of Live Update (3.6.8) and a diagnostic tool.

The attack was attributed to BARIUM, a threat actor associated with Lazarus Group, based on code similarities to the earlier ShadowPad and CCleaner supply chain attacks. ASUS was criticised for its delayed public response and for not proactively notifying customers. The operation demonstrated that highly targeted APT espionage campaigns could use mass-scale software distribution as a delivery mechanism while only activating on specific targets.

Technical Details

Initial Attack Vector: Attackers (assessed as Lazarus Group / BARIUM) compromised ASUS's software signing infrastructure and injected malicious code into the legitimate ASUS Live Update Utility; the trojanized utility was signed with genuine ASUS digital certificates and distributed via ASUS's official update servers to approximately 1 million ASUS laptop and desktop computers worldwide.
Vendor / Product: ASUS Live Update Utility (ASUS pre-installed automatic update tool)
Software Package: ASUS Live Update Utility
Malware Family: ShadowHammer backdoor
Supply Chain Attack: ✅ Confirmed third-party / vendor compromise

Timeline

  1. 2019-01-01 Breach occurred
  2. 2019-03-25 Publicly disclosed
  3. 2019-03-26 Customers notified