CCleaner 2017
A trojanized build of a popular Windows cleanup utility was installed about 2.3 million times. The attackers wanted only a few dozen of those machines.
In September 2017, Cisco's Talos research team disclosed that signed, official builds of CCleaner, a Windows maintenance utility owned by Avast with an estimated two billion cumulative downloads, had been compromised before they were signed and published. CCleaner 5.33.6162 (the 32-bit build) and CCleaner Cloud 1.07.3191, distributed through the vendor's normal download channels for roughly a month, carried an additional payload that beaconed to attacker-controlled infrastructure.
A funnel, not a flood
Roughly 2.3 million CCleaner installs ran the first-stage implant. The implant did very little. It collected basic identifying information about the host (domain name, MAC address, computer name) and forwarded it to a command-and-control server, which recorded every beacon. The server then compared that data against a target list the attackers had prepared and chose which subset of installs was interesting enough to receive a second stage.
The target set turned out to be small and extremely specific. The second-stage payload was delivered to some forty hosts inside about a dozen large technology companies, among them Cisco, Intel, Microsoft, Samsung, Sony and VMware. Researchers later concluded that the operation was an espionage campaign attributed to the China-linked Axiom group, using the broad CCleaner compromise as a delivery mechanism for a narrow target list.
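The funnel described above, reduced to its selection logic, as an added illustration that is not code from the CCleaner implant, its C2 server, or the Talos and Avast write-ups. The beacon fields are the three the text names; the target list, the sample host records and the matching rule are constructed assumptions. The one detail worth noticing is that domain matching must be anchored on a dot boundary, or a look-alike domain such as notcisco.com would be promoted to stage two:

```python
"""Model of the two-stage funnel: many beacons in, a few hosts promoted.

Added illustration, not code from the CCleaner implant, its C2 server,
or the Talos/Avast analyses. TARGET_DOMAINS and SAMPLE_BEACONS are
constructed assumptions standing in for the attackers' real data.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Beacon:
    """Identifying data the first stage reported to the C2 (per the text)."""
    computer_name: str
    domain: str          # Windows domain; '' or 'WORKGROUP' on unjoined hosts
    mac: str


# Hypothetical allowlist standing in for the attackers' real target list.
TARGET_DOMAINS = frozenset({"cisco.com", "intel.com", "vmware.com"})


def domain_matches(domain: str, target: str) -> bool:
    """True if domain equals target or is a subdomain of it.

    Case-insensitive and anchored on a dot boundary, so 'notcisco.com'
    is not a hit for 'cisco.com' while 'corp.cisco.com' is.
    """
    d = domain.strip().lower().rstrip(".")
    return d == target or d.endswith("." + target)


def select_for_stage_two(beacons: Iterable[Beacon],
                         targets: frozenset = TARGET_DOMAINS) -> list:
    """Server-side triage: keep only beacons from hosts on the target list."""
    return [b for b in beacons
            if any(domain_matches(b.domain, t) for t in targets)]


def funnel_report(beacons: list, targets: frozenset = TARGET_DOMAINS) -> dict:
    """Summarise how many stage-one hosts were promoted to stage two."""
    chosen = select_for_stage_two(beacons, targets)
    return {
        "stage_one": len(beacons),
        "stage_two": len(chosen),
        "promoted": [b.computer_name for b in chosen],
    }


# Constructed sample beacons: mostly unjoined or uninteresting hosts, a few
# inside the hypothetical target domains, and one look-alike domain.
SAMPLE_BEACONS = [
    Beacon("DESKTOP-7F3K2", "WORKGROUP", "00:11:22:33:44:01"),
    Beacon("HOME-PC", "", "00:11:22:33:44:02"),
    Beacon("LAB-12", "corp.cisco.com", "00:11:22:33:44:03"),
    Beacon("BUILD-04", "vmware.com", "00:11:22:33:44:04"),
    Beacon("PC-9", "notcisco.com", "00:11:22:33:44:05"),
    Beacon("OPS-1", "INTEL.COM.", "00:11:22:33:44:06"),
    Beacon("ACCOUNTS", "smallfirm.local", "00:11:22:33:44:07"),
]

if __name__ == "__main__":
    print(funnel_report(SAMPLE_BEACONS))
```

Run as a script it reports seven beacons in and three promoted; the other four, including the look-alike domain, never see a second stage, which is the shape the text describes at a scale of millions.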
What the chronicle remembers
CCleaner sharpened the supply-chain conversation. The Talos disclosure made clear that an attacker willing to compromise a vendor's build and signing pipeline could fan out to millions of hosts and then quietly cherry-pick a few dozen, leaving most of the apparent victims with nothing more than a dormant first stage that was never followed up. The pattern repeated, at far greater scale, three years later with SolarWinds.