Summary
In September 2017, Cisco Talos revealed that CCleaner, a hugely popular Windows cleanup tool from Piriform (newly acquired by Avast), had been shipping a backdoor. Attackers had compromised Piriform's build environment and inserted malicious code into the official, validly code-signed installer, so version 5.33 distributed through Piriform's own channels carried the malware to about 2.27 million users for roughly a month before anyone noticed. The first stage merely profiled machines, but it was a sniper rather than a shotgun: from the millions of installs it served a second stage to only a few dozen selected computers at companies like Google, Microsoft, Cisco, Intel, and Samsung, and a still deeper espionage tool (the ShadowPad backdoor) was later found planted on Piriform's own internal machines. The attack is linked to the China-nexus group tracked as APT17 / Axiom. It is the lesson that a trusted update channel and a valid signature are not the same as trustworthy code, and that build pipelines are prime targets.
How it happened
The attackers did not break CCleaner; they broke the machine that builds it. They first got in through remote-access software (TeamViewer) on a Piriform developer's workstation around March 2017, then reached the build environment and inserted their backdoor into the pipeline itself. So when CCleaner version 5.33 (the 32-bit build) and CCleaner Cloud were compiled and released, the malware was baked in, then signed with Piriform's own valid, Symantec-issued code-signing certificate and pushed out through Piriform's official download servers. To every security check and every user, it looked exactly like a legitimate release, because in every way that a signature can prove, it was one. About 2.27 million people installed it between mid-August and mid-September (the attackers' command server logged around 700,000 of them).
But those millions were not the target; they were the funnel. The first-stage code only collected basic fingerprints of each machine (its name, installed software, and network address) and phoned home. From those fingerprints the operators hand-picked a small set of machines (Talos confirmed at least 20 were served a second stage) at major technology firms (Google, Microsoft, Cisco, Intel, Samsung, Sony, VMware, HTC, Akamai, D-Link, and others), and delivered a second-stage downloader (GeeSetup) that installed further trojanised, partly fileless backdoors. A deeper, third-stage tool, the ShadowPad backdoor, the calling card of a Chinese state-linked group, was separately discovered on four of Piriform's own internal machines, complete with an active keylogger. The attribution to APT17 / Axiom rested on code overlaps and was suggestive rather than definitive. It was a supply-chain attack run as precision espionage: poison a consumer utility used by millions, then reach into a few dozen specific corporations.
The damage
For most of the 2.27 million users, the practical harm was limited to the profiling stage. The real damage was the targeted intrusion into a curated list of technology companies, the kind of access that fuels long-term espionage and further supply-chain compromise. The lasting significance is the proof of concept: a nation-state had used a trusted vendor's build pipeline as a delivery mechanism, and a valid digital signature had certified malware as safe. Three years later the same playbook returned at far greater scale in the SolarWinds compromise.
Why CCleaner still matters
CCleaner is an early, clean example of the attack that now defines supply-chain security: compromise the build, not the product. Every assumption it broke is one defenders still lean on. A signature proves where code came from, not that it is safe. An official download channel is only as trustworthy as the pipeline behind it. And the sniper pattern, mass distribution as a funnel to a tiny, targeted payload, is now standard tradecraft. The defences are to treat the build and CI environment as top-tier infrastructure (least privilege, MFA, isolation), protect signing keys in hardware, demand reproducible and verified builds with provenance and an SBOM so what ships matches what was built, and monitor the integrity of build hosts and release artifacts, not just the source code.
How to fix it
- Pull the trojanized version, ship a clean rebuild from a known-good pipeline, and tell users to update.
- Rebuild build servers from trusted media and rotate code-signing keys and all CI/CD credentials.
- Hunt downstream for the second-stage payload and persistence, especially among high-value targets.
- Review everything that touched the build system between compromise and discovery to scope the blast radius.
How to avoid it
- Harden and isolate the build and CI environment as a top-tier asset: least privilege, MFA, and tight network controls.
- Protect signing keys in HSMs, and require reproducible, verified builds so injected code is detectable.
- Generate and verify artifact provenance and SBOMs so what ships matches what was built from source.
- Monitor the integrity of build hosts and release artifacts, not just the source repository.
- Remember that a valid signature proves origin, not safety; downstream defenders should still watch update behavior.
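The reproducible-build check above, as an added example that is not Piriform's or Avast's code: a release artifact is accepted only if its signature checks out and a quorum of independent rebuilds from the public source produced the identical bytes, so a validly signed build that the compromised pipeline altered is rejected. The builder names, the artifact bytes and the signature-validity flag are constructed stand-ins.

```python
"""Added example (not vendor code): verify a release artifact against
independent rebuild attestations before trusting it, so that a validly
signed but trojanized build is rejected. All data here is constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    builder: str   # hypothetical independent builder identity
    digest: str    # sha256 of the artifact that builder produced from source


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release(artifact: bytes, signature_valid: bool,
                   attestations: list, quorum: int = 2) -> tuple:
    """Accept only if the signature checks AND at least `quorum` distinct
    independent builders reproduced exactly these bytes from source.
    A valid signature on its own proves origin, not that nothing was injected."""
    if not signature_valid:
        return False, "signature invalid: not from the vendor's pipeline"
    digest = sha256_hex(artifact)
    agreeing = {a.builder for a in attestations if a.digest == digest}
    if len(agreeing) < quorum:
        return False, (f"signature valid but only {len(agreeing)}/{quorum} "
                       f"independent rebuilds match {digest[:12]}...: "
                       "possible build-pipeline compromise")
    return True, f"reproduced by {sorted(agreeing)}"


# Constructed sample: the build from clean source, and the same build after
# a compromised pipeline injected extra code and then signed it.
CLEAN_BUILD = b"CCLEANER_5.33_FROM_SOURCE"
TROJANIZED_BUILD = CLEAN_BUILD + b"<injected stage-1 loader>"

# Two independent builders (hypothetical) each rebuilt from the public source.
INDEPENDENT_REBUILDS = [
    Attestation("builder-a", sha256_hex(CLEAN_BUILD)),
    Attestation("builder-b", sha256_hex(CLEAN_BUILD)),
]

if __name__ == "__main__":
    print(verify_release(CLEAN_BUILD, True, INDEPENDENT_REBUILDS))
    print(verify_release(TROJANIZED_BUILD, True, INDEPENDENT_REBUILDS))
```

If one of the rebuild hosts is itself compromised and attests to the trojanized digest, the quorum still fails, which is the point of requiring agreement from more than one builder.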
References
- https://blog.talosintelligence.com/avast-distributes-malware/
- https://blog.talosintelligence.com/ccleaner-c2-concern/
- https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities
- https://thehackernews.com/2018/04/ccleaner-malware-attack.html
Related vulnerabilities
- CRITICAL NPM-QIX-CHALK-DEBUG-2025
On 8 September 2025, the largest npm supply-chain attack ever by sheer reach hit foundational packages, chalk, debug, ansi-styles, strip-ansi, and 14 more, that together are downloaded over 2 billion times a week. The cause was a single phishing email. A respected maintainer was tricked by a fake "your npm 2FA is expiring" message into handing over his account, and the attackers published poisoned versions of his ultra-popular libraries. The payload was a crypto clipper: browser code that silently swapped any cryptocurrency address a user was sending to with the attacker's. Automated scanners flagged the poisoned versions within minutes and they were pulled within about two hours, and the actual theft came to roughly a thousand dollars, the one piece of good news in an attack that sat, briefly, under nearly the entire JavaScript ecosystem.
- CRITICAL SC-KASEYA-VSA-2021
On 2 July 2021, the Friday before the US holiday weekend, the REvil ransomware gang exploited a chain of zero-day flaws, starting with CVE-2021-30116 (an unauthenticated credential leak), in Kaseya VSA, a remote-monitoring-and-management tool used by managed service providers. By abusing VSA's trusted software-deployment mechanism, REvil pushed its encryptor through roughly 50 to 60 MSPs down to about 1,500 of their downstream business customers in one cascading supply-chain hit, including Sweden's Coop grocery chain, which closed about 800 stores. REvil demanded $70 million for a universal decryptor; a decryptor key was ultimately obtained and distributed without payment. It is the lesson that the management tools with the most reach are the highest-value targets and need the strongest controls.
- CRITICAL CVE-2019-15107
Disclosed in August 2019, CVE-2019-15107 was an unauthenticated remote code execution backdoor in Webmin, a widely deployed web-based system administration tool that runs with root privileges. The backdoor existed in the password_change.cgi feature: a Perl qx() statement passed the unsanitized old (and in some versions expired) parameter from the password-change request straight to a shell, letting an unauthenticated attacker run arbitrary commands as root, with version 1.890 exploitable in its default configuration and 1.900 through 1.920 exploitable when password expiry was enabled. Critically, the malicious code was never present in Webmin's GitHub source, which remained clean; it was inserted directly into the build infrastructure that produced the official SourceForge release packages, so users who installed signed official builds were backdoored while anyone auditing the public Git source saw nothing wrong. Webmin later confirmed the code was added on its build server on two separate occasions, in April 2018 producing the 1.890 release and again in July 2018 reintroducing it into 1.900 through 1.920, meaning backdoored builds were distributed for over a year. The project released 1.930 on August 17, 2019 to remove the backdoor.
- CRITICAL NPM-SHAI-HULUD-2-2025
Shai-Hulud is the nightmare the npm ecosystem had long feared: a self-replicating worm. First seen in September 2025 and back in a more aggressive wave around 21-24 November 2025 ("The Second Coming"), it does not just poison one package and wait. When its malware runs in a developer's environment, it harvests every secret it can find, npm tokens, GitHub tokens, cloud keys, then uses those stolen npm tokens to automatically publish itself into other packages the victim maintains, spreading from maintainer to maintainer on its own. The second wave hit more than 25,000 GitHub repositories across roughly 500 compromised accounts, leaked the stolen secrets into public repos, and, if it failed to steal credentials, tried to wipe the victim's home directory. It is the moment supply-chain malware learned to propagate like a biological infection.
- CRITICAL GHSA-6m4g-vm7c-f8w6
Shai-Hulud, in September 2025, was the moment the npm ecosystem's worst fear came true: a worm that spreads by itself. It began with a wave of compromised packages, the most prominent being @ctrl/tinycolor (over two million weekly downloads), and from there it did something no npm attack had done before. When its malware ran on a developer's machine, it hunted for every credential it could find, then used the developer's own npm token to republish itself into all of their other packages automatically, with no attacker involvement, jumping from maintainer to maintainer like an infection. More than 500 packages were compromised, including some from CrowdStrike. It is the first true npm worm, and the template for the even more aggressive Shai-Hulud 2.0 that followed weeks later.
- CRITICAL GHSA-CXM3-WV7P-598C
On August 26, 2025, attackers exploited a vulnerable GitHub Actions workflow (added Aug 21) susceptible to code injection via a crafted pull-request title to steal Nx's npm publishing token, then published malicious versions of nx (21.5.0, 20.9.0 and others) and several @nx plugins. The malware scanned the filesystem, collected credentials, npm/GitHub tokens, SSH keys and cryptocurrency wallets, and posted them to public GitHub repositories under victim accounts. Dubbed 's1ngularity', it was the first known supply chain attack to weaponize installed AI CLI tools (Claude, Gemini, q) for reconnaissance. The packages were live for about four hours and thousands of secrets were leaked.