Operation ShadowHammer Exploited Weaknesses in the Software Pipeline

ASUSTeK wasn’t ShadowHammer’s only victim. Attackers also targeted at least three gaming companies based in Asia through a similar method, Kaspersky researchers found. Instead of subverting software updates, though, the attackers made a one-line change to their targets’ integrated development environment (IDE), the software program that developers use to write code. The effect was that whenever Microsoft Visual Studio compiled code with a specific Microsoft-owned library, the IDE used a similarly named library file instead.

Compilers and development platforms are at the core of the software supply chain, said Noushin Shabab, the Kaspersky senior security analyst who reverse-engineered the ShadowHammer malware. One infected compiler on a few developers’ machines can result in thousands of Trojanized software applications installed on millions of end-user computers.

“It’s a poisonous seed. Plant your poisonous seed in a safe place, and it will turn into the poisonous tree with fruit,” Shabab said.

Since the compiler pulls in relevant pieces of code from linked libraries and other components, using the tampered library meant code the developer did not intend to include was added to the application. A source code review won’t find the issue because the problem isn’t anywhere in the original code and the developer doesn’t know about the alternate library.

“When your compiler lies to you, your product always contains a backdoor, no matter what the source code is,” Kamluk said.

Kaspersky researchers found clues suggesting a group called Barium was behind both sets of attacks. Barium is known for a style of attack called “advanced persistent threat,” which infects a computer or network and then lies undetected for a period of time. The group was previously linked to 2017’s ShadowPad attack, which compromised an update feature in server management software provided by the Korean firm NetSarang to install a backdoor on associated machines. One of the affected gaming companies in the ShadowHammer attack used NetSarang’s Windows X-server management software, Kamluk said.

Barium is also linked to the CCleaner attack, where hackers modified software updates for the legitimate computer cleanup tool to include the ShadowPad backdoor. With ShadowHammer, Kaspersky researchers believe attackers initially gained access to ASUS servers with CCleaner.

Software updates have been used in other attacks. In 2017’s NotPetya outbreak, the ransomware initially infected machines by masquerading as a software update for accounting software widely used in Ukraine.

This latest attack echoes 2015’s XcodeGhost, when thousands of iOS apps created with a tampered version of Apple’s Xcode development environment were found to contain malicious code. Those apps—for instant messaging, banking, maps, stock trading, and games—could be remotely controlled from a command-and-control server. They could also collect device information, and read and write from the iOS clipboard.

This kind of compiler manipulation is not yet widespread because it requires deep knowledge of the tools that developers use, as well as the applications used by victims, Shabab said. However, the ShadowHammer case makes it clear that developers can’t assume their development environments are safe, and have to figure out how to regularly audit their own tools. With ShadowHammer, checking the libraries that a program pulls from would have revealed the malicious file, which was signed with an invalid certificate.
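The kind of audit the article describes, checking the libraries a build actually pulls in rather than the source code, can be automated against a pinned baseline. The script below is an added example and not code from Kaspersky or from the article: it compares every file in a library directory against a manifest of expected names and SHA-256 hashes, and flags three conditions that the ShadowHammer and gaming-company cases turn on: a pinned library whose bytes no longer match (tampering in place), a file whose name closely resembles a pinned library (the similarly named substitute), and any file the manifest does not know about. The library names, file contents and manifest are constructed for the demonstration; a real baseline would be recorded from a trusted build host.

```python
"""Audit a compiler library directory against a pinned manifest (added example).

The manifest maps expected library file names to SHA-256 hashes of known-good
copies. Everything here (names, bytes, hashes) is constructed for illustration.
"""
import difflib
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large libraries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_library_dir(lib_dir, manifest: dict, lookalike_cutoff: float = 0.85) -> list:
    """Return (kind, file_name, detail) findings for lib_dir.

    kinds: 'missing'       a pinned library is absent
           'hash_mismatch' a pinned library is present but its bytes changed
           'lookalike'     an unpinned file whose name resembles a pinned one
           'unexpected'    any other unpinned file
    A clean directory yields an empty list.
    """
    findings = []
    present = {p.name: p for p in Path(lib_dir).iterdir() if p.is_file()}

    # Pass 1: every pinned library must exist and hash to its baseline value.
    for name, expected in manifest.items():
        path = present.get(name)
        if path is None:
            findings.append(("missing", name, "pinned library not present"))
            continue
        actual = sha256_of(path)
        if actual != expected:
            findings.append(("hash_mismatch", name,
                             f"expected {expected[:12]}..., got {actual[:12]}..."))

    # Pass 2: anything not pinned is suspicious; name similarity to a pinned
    # library is the signature of a substituted file, so report it separately.
    pinned_lower = {m.lower(): m for m in manifest}
    for name in present:
        if name in manifest:
            continue
        close = difflib.get_close_matches(name.lower(), list(pinned_lower),
                                          n=1, cutoff=lookalike_cutoff)
        if close:
            findings.append(("lookalike", name,
                             f"name resembles pinned library {pinned_lower[close[0]]}"))
        else:
            findings.append(("unexpected", name, "not in pinned manifest"))
    return findings


def build_demo_dir(root) -> dict:
    """Populate a constructed library directory and return the matching manifest."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    good_runtime = b"constructed known-good runtime library bytes v1"
    good_ui = b"constructed known-good ui library bytes v1"
    manifest = {  # constructed baseline, hashes taken from the good bytes
        "example_runtime.lib": hashlib.sha256(good_runtime).hexdigest(),
        "example_ui.lib": hashlib.sha256(good_ui).hexdigest(),
    }
    (root / "example_runtime.lib").write_bytes(good_runtime)   # untouched
    (root / "example_ui.lib").write_bytes(b"constructed tampered ui bytes")  # modified in place
    (root / "exampIe_runtime.lib").write_bytes(b"constructed lookalike")      # 'l' -> 'I'
    (root / "unrelated_tool.exe").write_bytes(b"constructed stray file")
    return manifest


def run_demo() -> list:
    """Build the constructed directory in a temp folder and audit it."""
    with tempfile.TemporaryDirectory() as d:
        manifest = build_demo_dir(d)
        return audit_library_dir(d, manifest)


if __name__ == "__main__":
    for kind, name, detail in run_demo():
        print(f"{kind:14} {name:24} {detail}")
```

The hash check answers "did this file change"; the name check answers "is there a file here that was meant to be mistaken for a pinned one", which a hash comparison alone never asks. Run it from the build host on the directories the compiler's library search path actually resolves, and pair it with a signature check on each file (on Windows, `signtool verify` or PowerShell's `Get-AuthenticodeSignature`), since the article notes the ShadowHammer file carried an invalid certificate that a signature check would have caught.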

“We see this as the future, where the new targets are the software developers,” Kamluk said.

Source: IEEE Spectrum Telecom Channel