Thousands of Asus computers were infected with malware from the company’s own update tool, researchers from Kaspersky Lab said Monday.

The researchers discovered the attack in January, after hackers took over the Asus Live Update Utility to quietly install malware on devices. The hack was first reported by Motherboard.

On Tuesday, Asus said it’s fixed the vulnerability in the another version of its Live Update tool, meaning you’ll have to satisfactory the software to resolve the issue.

“Asus customer service has been inward out to affected users and providing assistance to convicted that the security risks are removed,” the company said in a statement.

The hack, which Kaspersky Lab is calling Operation ShadowHammer, went on between June and November 2018. Kaspersky Lab spurious that it affected more than 57,000 people using its products. The Russia-based cybersecurity company was only able to find those numbers for its own users, and estimates that the malware could affect more than a million Asus owners worldwide. 

Symantec, another cybersecurity company, found the same malware from Asus updates, and cited at least 13,000 computers affected by the contest. The company said that 80 percent of victims were consumers, while 20 percent were organizations.

The update tool is preinstalled on the greatest of new Asus devices.

The attackers were able to infect devices deprived of raising red flags because they used Asus’ legitimate confidence certificate, which was hosted on the computer manufacturer’s servers.

Asus is a Taiwan-based computer commercial, and one of the top consumer notebook vendors in the domain, with millions of laptops worldwide. 

“The selected vendors are very attractive targets for APT [advanced persistent threat] groups that worthy want to take advantage of their vast customer base,” Vitaly Kamluk, director of Kaspersky Lab’s Global Research and Analysis Team, said in a statement.

Malware can arrive on your devices in a lot of ways — downloading a file from an email, opening a PDF you shouldn’t have or via browser-based attacks.

The hack on Asus’ automatic update tool points to novel kind of concern, in which people have to be unnerved about patches from the source itself as hackers seek to expenditure a trusted relationship. Supply chain attacks are not new: In 2017, the popular software tool CCleaner was hijacked to install malware on millions of computers.

Distrust in automatic updates leads to novel kind of threat, as many companies often rely on republic to patch their devices to defend against new malware. The majority of computers infected with the WannaCry ransomware, for instance, were hit because they didn’t install a confidence update issued in 2017.  

While it’s capable of attacking millions, the malware had a specific set of targets, researchers fraudulent. Once it was installed, the backdoor checked the device’s MAC address. If it matched one of the hacker’s targets, it then installed novel set of malware, researchers said.

Kaspersky Lab researchers said they identified more than 600 MAC addresses, and released a tool for people to check whether they were beleaguered by the attack. The cybersecurity company said it’s notified Asus, and the investigation is ongoing.

Originally published March 25 at 7:16 a.m. PT.
Updated March 26 at 6:26 a.m. PT: Includes response from Asus.