CCleaner
CCleaner distributed with multi-stage backdoor.
Attackers compromised Piriform's build environment and inserted a backdoor into official CCleaner releases before Avast completed the acquisition. More than two million users received the first-stage telemetry collector, while a much narrower second stage pursued high-value technology companies. The incident showed how consumer utility software could become a precision espionage filter.
- Date: 2017-03-12 to 2017-09-12
- Category: Commercial
- Target Surface: Build/CI
- Insertion Phase: CI/CD
- Impact: Backdoor
- Cause: Build system compromise
What Was Affected
- Package: CCleaner
- Component: Application
- Artifact type: binary archive
- Domain type: project download host
- Domain: piriform.com
Compromised Versions
- CCleaner version 5.33.6162
- CCleaner Cloud version 1.07.3191
Incident Context
- Motive: Espionage
- Attribution: Nation-state
- Transitive: No
- User Impact: 2270000
- Observed Duration: 184 days
Evidence
Compromised Artifacts
- download.piriform.com/ccsetup533.exe
- download.piriform.com/ccleaner/5.33/ccsetup533.exe
- download.piriform.com/ccsetup533_slim.exe
- ccleaner.com/ccleaner/download/standard
Current Artifacts and Analysis
Indicators and Changes
Hashes
- sha256:1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
- sha256:36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9
- md5:5d4a6ae5ed7de98404bedfe504dbfb4a
Source Data
Source record: proprietary/ccleaner/meta.yaml