ASUS Shipped Signed Malware to Over 1 Million Users — A Supply-Chain Nightmare Returns in 2025


ASUS sits at the centre of one of the most severe software supply-chain attacks ever recorded, and seven years after the compromise it is back in the spotlight.

CISA added CVE-2025-59374 to its Known Exploited Vulnerabilities (KEV) catalog this week. A KEV listing requires evidence of active exploitation, so the finding is that this long-known compromise is still being used against real systems today.

NVD scores the vulnerability at CVSS v3.1 9.8 (Critical); ASUS reports 9.3 under the newer CVSS v4.0 standard. Either way it is rated Critical: remote, unauthenticated, no user interaction, full compromise.

CVE-2025-59374 at a Glance

  • CVE: CVE-2025-59374
  • CVSS v3.1 (NVD): 9.8 — Critical
  • CVSS v4.0 (ASUS): 9.3 — Critical
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None
  • Impact: Full compromise (Confidentiality, Integrity, Availability)

What Happened?

Between June and November 2018, attackers compromised ASUS Live Update servers — the official mechanism used to deliver BIOS, firmware, and driver updates to ASUS laptops worldwide.

The attackers injected a backdoored update, which was:

  • Hosted on official ASUS servers
  • Digitally signed with legitimate ASUS certificates
  • Trusted by Windows, antivirus software, and endpoint security tools

As a result, by Kaspersky's estimate more than 1 million users downloaded the malware, believing it to be a routine system update.

The Malware Was Selective — and Silent

This was not a mass infection campaign.

The trojanized updater carried a hard-coded hit list of approximately 600 MAC addresses, stored as hashes rather than in the clear, which is roughly 0.06% of the estimated one million infected systems.

  • If none of the system's network adapters matched an entry, the implant stayed completely dormant
  • If one matched, the implant contacted an attacker-controlled server to fetch a second-stage payload, giving the operators backdoor access to that machine

Even today, the reason behind the exact target selection remains unknown.

Notably:

  • Some targets were software engineers using VMware
  • One MAC address belonged to a Huawei USB modem shared by thousands of users
  • The hit list must have been assembled before the compromise, since it shipped inside the implant itself

This points to prior reconnaissance of specific victims and a highly targeted espionage operation rather than opportunistic crime.

Attribution: APT41 / BARIUM / Winnti

Kaspersky discovered the campaign in January 2019 and named it Operation ShadowHammer.

Based on code similarities and infrastructure overlap, the attack was attributed to APT41, also known as BARIUM or Winnti — a group notorious for combining:

  • State-sponsored cyber-espionage
  • Financially motivated cybercrime
  • Advanced supply-chain compromise techniques

ASUS Response (Then and Now)

ASUS released a patched version of Live Update (v3.6.8) in early 2019 and stated:

“A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group.”

Fast-forward to December 4, 2025 — ASUS officially ended support for Live Update entirely.

However, millions of systems still have it installed.

Why Is This Relevant Again in 2025?

CISA has confirmed active exploitation tied to this vulnerability, prompting its inclusion in the Known Exploited Vulnerabilities catalog.

  • Federal remediation deadline: January 7, 2026
  • Recommendation: Stop using ASUS Live Update entirely

This shows that a legacy supply-chain implant can still be abused years after it was first exposed and "patched".

How to Check If You’re Affected

  1. Press Windows + R
  2. Type appwiz.cpl and press Enter
  3. Look for ASUS Live Update in the list of installed programs (any version, including the 3.6.8 fix, since the product is now unsupported)
  4. If it is present, uninstall it immediately

If you need firmware or driver updates:

  • Download them manually from the official ASUS support website
  • Avoid automated update tools whenever possible
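For fleets, clicking through appwiz.cpl on every machine does not scale. The following PowerShell script is an added example written for this article, not code from ASUS or from the original post: it inventories ASUS Live Update from the standard Uninstall registry keys, flags builds older than the 3.6.8 fix mentioned above, shows the Authenticode state of the installed binaries, and optionally runs the vendor's own uninstall command. It assumes the product registers a DisplayName containing "ASUS Live Update" (an assumption, since the exact string can vary by release) and must be run from an elevated PowerShell session.

```powershell
# Added example (not from the original article or from ASUS).
# Inventory, and optionally remove, ASUS Live Update on a Windows host.
# Assumptions: the product appears under the standard Uninstall keys with a
# DisplayName containing "ASUS Live Update"; version 3.6.8 is the fixed build
# ASUS referred to in early 2019. Run in an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Uninstall   # without this switch the script only reports
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
$patchedVersion = [version]'3.6.8'

# Collect every installed-program entry whose DisplayName mentions ASUS Live Update.
$entries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -like '*ASUS Live Update*' }
}

if (-not $entries) {
    Write-Host 'ASUS Live Update is not registered on this host.'
    return
}

foreach ($e in $entries) {
    # Classify by version. Anything older than 3.6.8 is a build from the
    # ShadowHammer era; newer builds are still end-of-life and should go.
    $ver = $null
    [void][version]::TryParse([string]$e.DisplayVersion, [ref]$ver)
    $status = if ($ver -and $ver -lt $patchedVersion) { 'older than 3.6.8: remove' }
              elseif ($ver) { 'fixed build, but product is end-of-life: remove' }
              else { 'version unknown: remove' }

    [pscustomobject]@{
        Name            = $e.DisplayName
        Version         = $e.DisplayVersion
        Status          = $status
        InstallLocation = $e.InstallLocation
        UninstallString = $e.UninstallString
    } | Format-List

    # Report the Authenticode state of executables in the install directory.
    # A valid ASUS signature is NOT evidence that a file is clean: the 2018
    # implant was signed with legitimate ASUS certificates.
    if ($e.InstallLocation -and (Test-Path $e.InstallLocation)) {
        Get-ChildItem -Path $e.InstallLocation -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig     = Get-AuthenticodeSignature $_.FullName
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                '{0,-12} {1}  {2}' -f $sig.Status, $subject, $_.FullName
            }
    }

    if ($Uninstall -and $e.UninstallString) {
        if ($PSCmdlet.ShouldProcess($e.DisplayName, 'Uninstall')) {
            # Use the vendor's registered uninstall command. MSI-based entries
            # get the silent flags; custom uninstallers may still prompt.
            $cmd = $e.UninstallString
            if ($cmd -match '^\s*"?msiexec') { $cmd += ' /qn /norestart' }
            Start-Process -FilePath 'cmd.exe' -ArgumentList ('/c ' + $cmd) -Wait -NoNewWindow
        }
    }
}
```

Run it with no arguments to audit, with `-Uninstall -WhatIf` to see what would be removed, and with `-Uninstall` to remove. The signature column is there to make the article's point concrete: even on a machine that received the trojanized update, these files would have shown as validly signed by ASUS, so a signature check cannot be the control you rely on. For the manual downloads recommended above, compare the file hash (`Get-FileHash`) against a hash published out-of-band by the vendor where one is available, and treat the Authenticode signature as necessary but not sufficient.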

Why Supply-Chain Attacks Are So Dangerous

This attack bypassed every traditional security control:

  • Antivirus trusted the file
  • Windows trusted the certificate
  • Users followed best practices
  • Updates came from an official vendor

When attackers compromise the source, trust itself becomes the weapon.

No endpoint protection can save you when malware is signed by the company you trust.

Final Thoughts

CVE-2025-59374 is not just a historical incident — it’s a reminder that:

  • Supply-chain attacks have long-term consequences
  • Old compromises can resurface years later
  • Trust must always be continuously verified

Security isn’t just about patching vulnerabilities — it’s about understanding how attackers think, who they target, and where trust can be abused.

Credit

Research & original writing: Jolanda de Koff