When Trusted Software Becomes Your Biggest Threat

In March 2022, researchers confirmed that threat actors had compromised the update mechanism for Asus software, ultimately pushing malware to nearly a million machines. The attackers hadn't built anything from scratch. They had removed legitimate code from a trusted update pipeline and replaced it with a weaponized version. Users never questioned it because the software looked exactly the same.

This pattern — where attackers have removed legitimate tools, libraries, or executables and substituted malicious replacements — is accelerating. It's not theoretical. It's happening to software your organization uses right now.

In this post, I'm breaking down exactly how this attack vector works, why it's so effective, and what practical steps you can take today to protect your environment. If you rely on third-party software (and you do), this matters.

What "Removed Legitimate" Actually Means in an Attack

The Core Technique

The phrase "removed legitimate" describes a specific stage in a supply chain or living-off-the-land attack. A threat actor gains access to a system, repository, or distribution channel. They then remove legitimate binaries, scripts, or libraries and replace them with trojanized versions.

The replacement often has the same file name, same file size (padded if needed), and sometimes even the same digital signature if the attacker has compromised signing keys. The user or automated system fetches what it believes is a trusted update. Instead, it installs malware.

Why This Works So Well

Traditional security tools focus on blocking known-bad files. When an attacker has removed legitimate software and replaced it with something that looks identical, signature-based detection often fails. The malicious file inherits the trust of the original.

I've seen this in incident response engagements where organizations ran compromised versions of internal tools for weeks. No alerts fired because the file names, paths, and even hashes matched approved software lists — the attackers were that precise.

Real-World Incidents Where Attackers Removed Legitimate Code

SolarWinds: The Gold Standard of Supply Chain Compromise

The SolarWinds breach, disclosed in December 2020, remains the most prominent example. Russian-linked threat actors inserted malicious code into the Orion software build process. They effectively removed legitimate DLL components and replaced them with backdoored versions that were then digitally signed and distributed to roughly 18,000 organizations.

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 in response. The breach hit federal agencies, Fortune 500 companies, and cybersecurity firms. Nobody questioned the update because SolarWinds was a trusted vendor.

Codecov: A Developer Tool Turned Weapon

In early 2021, attackers modified the Codecov Bash Uploader script. They removed legitimate lines of code and inserted a credential-harvesting routine that exfiltrated environment variables — including CI/CD tokens, API keys, and credentials — from every organization that ran the script. The compromise went undetected for two months.

The 3CX Compromise of 2022

In a more recent case that's still unfolding as I write this, reports suggest the 3CX desktop application may have been subject to a supply chain attack where legitimate components were tampered with. This pattern keeps repeating because it keeps working.

The $4.35M Reason You Can't Ignore Supply Chain Threats

According to IBM's 2022 Cost of a Data Breach Report, the average cost of a data breach reached $4.35 million this year. Supply chain compromises tend to run even higher because they affect multiple organizations simultaneously and often involve prolonged dwell times.

The 2022 Verizon Data Breach Investigations Report (DBIR) found that supply chain attacks accounted for a growing percentage of system intrusion incidents. When attackers can remove legitimate software from a trusted pipeline, they bypass perimeter defenses entirely. Your firewall doesn't help when the threat arrives through your own update server.

How Threat Actors Execute the Swap

Step 1: Gain Access to the Supply Chain

Attackers target the weakest link. That might be a developer's compromised credentials (often via phishing or credential theft), an insecure CI/CD pipeline, or a poorly secured package repository. Social engineering plays a massive role here — a single spear-phishing email to a developer with commit access can open the door.

Step 2: Remove Legitimate Components

Once inside, the attacker identifies the target binary, script, or library. They remove the legitimate version and insert their modified copy. In sophisticated attacks, they modify the source code itself so that the malicious version is compiled and signed through the normal build process, and the tampered output carries the vendor's own signature. This makes detection considerably harder.

Step 3: Distribute Through Trusted Channels

The trojanized software ships through normal update mechanisms. Auto-update features — designed for security — become the delivery vehicle. Users and IT teams accept the update without scrutiny because it comes from a trusted source.

Step 4: Establish Persistence and Move Laterally

Once installed, the malware typically establishes command-and-control communication, harvests credentials, and begins lateral movement. Ransomware deployment or data exfiltration usually follows.

How Do You Detect When Legitimate Software Has Been Replaced?

This is the question I get most often, and it deserves a direct answer. Here's what actually works:

  • Code signing verification: Verify digital signatures on every update. If a signed binary suddenly has a different certificate or no certificate, quarantine it immediately.
  • Hash comparison: Maintain an internal database of known-good file hashes. Compare every update against this baseline before deployment.
  • Behavioral monitoring: Even if a file looks legitimate, monitor its runtime behavior. A DLL that suddenly makes outbound connections to an unfamiliar IP address is a red flag.
  • Software Bill of Materials (SBOM): Demand SBOMs from your vendors. NIST's guidance under Executive Order 14028 recommends this practice for exactly this reason.
  • Zero trust architecture: Never trust software just because it comes from a known vendor. Verify every component, every time.
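The hash-comparison and code-signing checks in the list above come down to one question: does the artifact you are about to deploy match the artifact you previously approved? The script below is an added example, not code from the original post. It records a known-good baseline (relative path, SHA-256, size) from a vendor release, then compares a staged update against it. It specifically separates the case the post describes, a file swapped for a different payload padded to the same size, from ordinary modifications, missing files, and unexpected new files. All file contents and paths are constructed in a temporary directory so it runs offline; in practice the baseline would come from a signed vendor manifest or an SBOM that lists component hashes, and the same pinned-hash check applies to CI helper scripts like the uploader in the Codecov incident.

```python
"""Verify a staged software update against a known-good hash baseline.

Added example (not from the original post). All files are constructed in a
temporary directory; the "release" and "staging" trees stand in for a vendor
build you have already approved and an update you are about to deploy.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> (sha256, size) for every file under root."""
    return {
        p.relative_to(root).as_posix(): (sha256_of(p), p.stat().st_size)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_update(staging: Path, baseline: dict) -> dict:
    """Compare a staged update tree against the baseline.

    Report buckets:
      replaced   - same path, same size, different hash (the swap the post describes;
                   name, path and size checks would all pass)
      modified   - same path, different hash and different size
      missing    - in baseline but absent from staging
      unexpected - present in staging but not in baseline
    """
    current = build_baseline(staging)
    report = {"replaced": [], "modified": [], "missing": [], "unexpected": []}
    for rel, (digest, size) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        cur_digest, cur_size = current[rel]
        if cur_digest != digest:
            bucket = "replaced" if cur_size == size else "modified"
            report[bucket].append(rel)
    report["unexpected"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    """Constructed scenario: an approved release, then a staged update in which
    one DLL has been swapped for a same-size payload, a config file edited,
    a README dropped, and an unknown component added."""
    with tempfile.TemporaryDirectory() as tmp:
        release, staging = Path(tmp) / "release", Path(tmp) / "staging"
        for d in (release, staging):
            (d / "bin").mkdir(parents=True)

        # Constructed legitimate release.
        (release / "bin" / "agent.dll").write_bytes(b"LEGIT-AGENT-CODE" * 64)
        (release / "bin" / "updater.exe").write_bytes(b"LEGIT-UPDATER" * 64)
        (release / "config.ini").write_text("[agent]\nserver=updates.example\n")
        (release / "README.txt").write_text("release notes\n")
        baseline = build_baseline(release)

        # Constructed staged update. agent.dll is a different payload padded with
        # NUL bytes to exactly the original length, so only the hash differs.
        size = (release / "bin" / "agent.dll").stat().st_size
        (staging / "bin" / "agent.dll").write_bytes(b"TROJANIZED-AGENT".ljust(size, b"\x00"))
        (staging / "bin" / "updater.exe").write_bytes(b"LEGIT-UPDATER" * 64)
        (staging / "config.ini").write_text("[agent]\nserver=attacker.invalid\n")
        (staging / "bin" / "helper.dll").write_bytes(b"NEW-UNKNOWN-COMPONENT")
        return verify_update(staging, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty bucket should block deployment until someone explains it against the vendor's release notes; the "replaced" bucket in particular is the one that file-name, path and size based allowlists would have let through.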

Your People Are the First and Last Line of Defense

Security Awareness Is Not Optional

Supply chain attacks frequently start with social engineering. A developer gets phished. An admin reuses a password. Someone approves a code merge without reviewing it. Every one of these failures is a human failure that training can address.

I've worked with organizations that invested heavily in technical controls but spent nothing on security awareness training. They got breached through a phishing email to a junior developer. The attacker used that access to modify an internal tool — removing legitimate code and inserting a backdoor that persisted for months.

If your team doesn't understand how these attacks work, your technical controls won't save you. Enroll your team in cybersecurity awareness training at computersecurity.us to build a baseline of knowledge across your organization.

Phishing Simulation Closes the Gap

Knowing about phishing and recognizing it in real time are completely different skills. Regular phishing simulation exercises train your employees to spot the credential theft attempts that often precede supply chain compromises.

Organizations running monthly simulations see measurable improvement in click rates. Your team needs hands-on practice, not just annual slide decks. Phishing awareness training for organizations at phishing.computersecurity.us provides exactly this kind of practical, scenario-based training.

Seven Steps to Harden Your Software Supply Chain Today

Here's what I recommend to every organization I work with, regardless of size:

  1. Audit your software inventory. You can't protect what you don't know about. Catalog every third-party application, library, and plugin in your environment.
  2. Implement multi-factor authentication everywhere. Every developer account, every admin panel, every code repository. MFA stops the majority of credential theft attacks that enable supply chain compromise.
  3. Require code review for all commits. No single person should be able to push code to production without peer review. This is the control that would have caught many supply chain attacks early.
  4. Monitor for unauthorized changes. Use file integrity monitoring on critical binaries and libraries. Alert on any modification outside of approved change windows.
  5. Segment your network. If a compromised application does make it into your environment, network segmentation limits lateral movement. Zero trust principles apply here.
  6. Vet your vendors. Ask your software providers about their build security practices. Do they use reproducible builds? Do they sign their code? How do they protect their update infrastructure?
  7. Train your people relentlessly. Security awareness training isn't a checkbox exercise. It's an ongoing program that reduces the human errors attackers depend on.
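Step 4 asks for file integrity monitoring that alerts on modifications outside approved change windows. The following is an added example of that triage logic, not code from the original post. It takes two snapshots (path to SHA-256 digest and modification time) and a list of approved windows, and grades every hash mismatch: changes inside a window are logged as routine with the ticket that authorised them, everything else is critical. The paths, digests, timestamps and the ticket id CHG-0001 are all constructed. One caveat built into the code: the hash mismatch is the integrity signal, and the timestamp only sets priority, because an attacker who swaps a file can also forge its modification time.

```python
"""File integrity monitoring with approved change windows.

Added example (not from the original post). Snapshots are constructed
dictionaries of path -> (sha256 hex digest, mtime in UTC), so the logic runs
without touching disk; a real deployment would build them from the filesystem.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Tuple[str, datetime]]


@dataclass(frozen=True)
class ChangeWindow:
    start: datetime
    end: datetime
    ticket: str  # constructed change-ticket id that authorised this window

    def covers(self, when: datetime) -> bool:
        return self.start <= when <= self.end


@dataclass(frozen=True)
class Alert:
    path: str
    kind: str              # "modified", "added" or "deleted"
    severity: str          # "critical" outside any window, "info" inside one
    ticket: Optional[str]  # the window that explains the change, if any


def _window_for(when: Optional[datetime], windows: List[ChangeWindow]) -> Optional[ChangeWindow]:
    if when is None:
        return None
    return next((w for w in windows if w.covers(when)), None)


def evaluate(baseline: Snapshot, current: Snapshot, windows: List[ChangeWindow]) -> List[Alert]:
    """Diff two snapshots and grade each change against the approved windows.

    A window never turns a mismatch into a non-event (mtime is attacker-
    controllable); it only lowers the severity for the on-call queue.
    """
    alerts: List[Alert] = []
    for path in sorted(baseline):
        digest, _ = baseline[path]
        if path not in current:
            # A deletion cannot be dated from the file itself, so it is always escalated.
            alerts.append(Alert(path, "deleted", "critical", None))
            continue
        cur_digest, mtime = current[path]
        if cur_digest != digest:
            win = _window_for(mtime, windows)
            alerts.append(Alert(path, "modified", "info" if win else "critical",
                                win.ticket if win else None))
    for path in sorted(set(current) - set(baseline)):
        _, mtime = current[path]
        win = _window_for(mtime, windows)
        alerts.append(Alert(path, "added", "info" if win else "critical",
                            win.ticket if win else None))
    return alerts


def critical_paths(alerts: List[Alert]) -> List[str]:
    """Paths that need immediate triage, in alert order."""
    return [a.path for a in alerts if a.severity == "critical"]


def _digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def demo() -> List[Alert]:
    """Constructed scenario: one approved patch window (02:00-04:00 UTC), one
    change inside it, two changes and one deletion outside it."""
    def t(hour: int, minute: int) -> datetime:
        return datetime(2024, 3, 12, hour, minute, tzinfo=timezone.utc)

    windows = [ChangeWindow(t(2, 0), t(4, 0), "CHG-0001")]
    baseline: Snapshot = {
        "/opt/agent/bin/agent":      (_digest(b"agent v1"),   t(0, 0)),
        "/opt/agent/bin/updater":    (_digest(b"updater v1"), t(0, 0)),
        "/opt/agent/etc/agent.conf": (_digest(b"server=a"),   t(0, 0)),
    }
    current: Snapshot = {
        "/opt/agent/bin/agent":     (_digest(b"agent v2"),     t(3, 10)),   # patched inside window
        "/opt/agent/bin/updater":   (_digest(b"updater v1.x"), t(13, 45)),  # swapped outside window
        "/opt/agent/bin/helper.so": (_digest(b"unknown"),      t(13, 46)),  # new file, outside window
        # agent.conf is absent: deleted
    }
    return evaluate(baseline, current, windows)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.severity:8} {a.kind:8} {a.path} ticket={a.ticket}")
```

Feeding the "info" alerts into change-management reconciliation and the "critical" ones to the on-call queue keeps the monitoring useful: the routine patch is still recorded against its ticket, while the out-of-window swap of the updater binary is the one a responder sees first.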

The Supply Chain Problem Is Getting Worse

Gartner predicted in 2021 that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains. We're not waiting for 2025 — it's happening now. The FBI's Internet Crime Complaint Center (IC3) has tracked a steady increase in reports involving compromised software and update mechanisms.

The reason is simple economics. Why attack 1,000 companies individually when you can compromise one software vendor and reach all 1,000 at once? When a threat actor has removed legitimate code from a widely-used tool, they've weaponized the trust relationship between vendor and customer.

Trust Nothing, Verify Everything

Every time your system downloads an update, it's making a trust decision. Every time a developer merges code, it's a trust decision. Every time an employee opens an email, it's a trust decision.

When attackers have removed legitimate software and replaced it with something malicious, they're exploiting every one of those trust decisions. Your defense has to operate at the same level — verifying at every stage, training every person, and monitoring every endpoint.

Start with what you can control today. Get your team trained. Run phishing simulations. Audit your software supply chain. The threat actors who have removed legitimate tools and turned them into weapons are counting on you to do nothing. Prove them wrong.