Skip to content
Back to all chronicles
Nation-State & Cyberwar#supply-chain#ccleaner#targeted

CCleaner Attack: 2.3 Million Hosts, 40 Targets

In 2017 a trojanized CCleaner build reached 2.3 million Windows PCs, but its second stage was delivered to fewer than 40 tech-company targets.

Cyber Chronicle2 min read

In September 2017, Cisco's Talos research team disclosed that signed, official builds of CCleaner — a Windows maintenance utility owned by Avast and downloaded by an estimated two billion people over its lifetime — had been compromised at the source. Versions 5.33.6162 and 1.07.3191 of CCleaner Cloud, distributed through the vendor's normal channels for roughly a month, carried an additional payload that beaconed home to attacker infrastructure.

A funnel, not a flood

Two point three million CCleaner installs received the first-stage implant. The implant did very little. It collected basic identifying information about the host — domain name, MAC address, computer name — and forwarded it to a command-and-control server. The server then chose which subset of installs were interesting enough to receive a second stage.

The intersection turned out to be small and extremely specific. The second-stage payload was delivered to fewer than forty hosts inside large technology companies — Cisco, Intel, Microsoft, Samsung, Sony, VMware, and others. Researchers later concluded that the operation was an espionage campaign attributed to the China-linked Axiom group, using the broad CCleaner compromise as a delivery mechanism for a narrow target list.

What the chronicle remembers

CCleaner sharpened the supply-chain conversation. The Talos disclosure made clear that an attacker willing to compromise a vendor build pipeline could fan out to millions of hosts and then quietly cherry-pick a few dozen — leaving most of the apparent victims with nothing more than an unused implant. The pattern repeated, at far greater scale, three years later with SolarWinds.

Related chronicles