{
	"id": "bce70be6-6cb3-4924-a187-45c08c3126cb",
	"created_at": "2026-04-06T00:14:46.907179Z",
	"updated_at": "2026-04-10T13:11:41.583726Z",
	"deleted_at": null,
	"sha1_hash": "0178e27080b23876bfb01077a5662af1192788d0",
	"title": "Additional information regarding the recent CCleaner APT security incident",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 476696,
	"plain_text": "Additional information regarding the recent CCleaner APT\r\nsecurity incident\r\nBy Threat Intelligence Team 25 Sep 2017\r\nArchived: 2026-04-05 13:52:25 UTC\r\nWe would like to update our customers and the general public on the latest findings regarding the investigation of\r\nthe recent CCleaner security incident. As published in our previous blog posts (here and here), analysis of the CnC\r\nserver showed that the incident was in fact an Advanced Persistent Threat (APT) attack, targeting specific high-tech and telecommunications companies. That is, despite the fact that CCleaner is a consumer product, the\r\npurpose of the attack was not to attack consumers and their data; instead, the CCleaner customers were used to\r\ngain access to corporate networks of select large enterprises.\r\nToday, we are going to disclose new facts about the incident that we received since the last public update.\r\nIntroduction\r\nAs we already know, the CnC server contained important evidence in terms of the exact list of hosts with which\r\nthe CnC server communicated, and the list of hosts to which it actually sent the 2nd stage payload (i.e. which\r\nactually became compromised in the sense that they could execute malicious code sent by the attacker). The\r\nproblem was that due to a crash of the database, there were only about 3.5 days’ worth of data. Our hypothesis was\r\nthat this occurred because of the server running out of disk space on September 10, leading the operator to a full\r\nrebuild of the database.\r\nHowever, further investigation revealed that the attackers backed up the data from the crashed CnC server to\r\nanother server before rebuilding the database.  Thanks to the continued work of the Avast Threat Labs team and\r\nthe help from US law enforcement personnel. 
The server’s IP address was 216.126.225.163; it featured the same\r\nself-signed SSL certificate (issued for speccy.piriform.com) and stack-wise, had a typical “LAMP” configuration:\r\nCentOS release 6.9 with Apache 2.2.15, PHP 5.3.3, but most importantly, a MySql database that turned out to\r\ncontain data going back to August 18. Access to this backup server allowed us to assemble what we believe is the\r\ncomplete database (the only missing piece is a 40-hour window between 2017-09-10 19:03:18 and 2017-09-12\r\n9:58:47 UTC, i.e. between the crash of the original CnC DB and the creation of the new one; it is not clear how\r\nthe CnC server behaved in that period).\r\nThe main findings from the complete database are as follows:\r\nThe total number of connections to the CnC server was 5,686,677.\r\nThe total number of unique PCs (unique MAC addresses) that communicated with the CnC server was\r\n1,646,536.\r\nThe total number of unique PCs that received the 2nd stage payload was 40.\r\nPCs and Companies that received the 2nd stage payload\r\nhttps://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident\r\nPage 1 of 8\n\nThe most important piece of information is the content of the “OK” table in the database, which lists the machines\r\nthat successfully received the 2nd stage payload and were therefore really “infected” with potentially malicious\r\ncode (although we haven’t been able to isolate that code yet, as it probably came from additional layers which are\r\nstill the focus of additional investigation).\r\nHere is the complete list of companies / domains affected, together with the number of impacted PCs:\r\nWe have reached out to all these companies, with the aim of providing them with detailed information about the\r\nincident, list of impacted computers, and additional IOCs that can be used to detect the infection and take\r\ncorrective actions.\r\nWorth noting is that about 40 PCs out of 2.27M had the compromised 
version of CCleaner product installed, i.e.\r\n0.0018% of the total -- a truly targeted attack.\r\nThe list of companies (domains) evolved over time, and the detailed logs found on the SQL database server\r\nsuggest that the bad actors were trying to identify suitable hosts not just by a pre-determined list, but also by\r\nlooking into what kind of PC hosts have actually been available to them in the sense that they had PCs with\r\nCCleaner connecting to the CnC. Following is a list of targets that were of potential interest, but were not attacked\r\nby the 2nd stage payload:\r\nClearly, the logs also indicate that the attackers were looking for additional high-profile companies to target, some\r\nof them potentially leading to additional supply-chain attacks (Carriers / ISPs, server hosting companies and\r\ndomain registrars).\r\nInterestingly enough, the two corporations with the highest number of impacted PCs (cht.com.tw and\r\nnsl.ad.nec.co.jp) were actually missing in the list of targeted domains on the CnC server at the time it was taken\r\ndown. This suggests that the attackers actively removed these companies from the list after the payload had been\r\ndelivered. 
\r\nOrigin of the attacker\r\nIn the previous post, we talked about the fact that there were multiple clues suggesting that the attack may be\r\noriginating from China, including multiple instances of PHP code found on the CnC server, the myPhpAdmin\r\nlogs, and the similarity of certain code snippets to a previous APT attack attributed to China.\r\nThe problem with all these indications is that they are all very easy to forge: they might have been added simply to\r\nmake investigation more difficult and to hide the true origin.\r\nSo, during our investigation, we tried to take a slightly different approach. We noticed that there have been a\r\nrelatively large number of operator connections to the CnC server; the server apparently required a lot of manual\r\nmaintenance work. In total, the operator connected to the server 83 times (plus 17 more times to the backup\r\nserver), to do various things from installing and setting up the systems to monitoring it and resolving respective\r\nissues, such as fixing the crashed database, which made us think that this was in fact someone’s ‘day job’. 
The\r\nhypothesis was further supported by the fact that there were many fewer connections to the server on Saturdays,\r\nand almost no connections on Sundays.\r\nNow, with that hypothesis in place, the obvious thing to do was to plot the operator connections to the server in a\r\nchart and try to determine the time zone in which the attacker resided.\r\nThe result looked like this:\r\nThere is a clear pattern, which is in fact quite typical for IT workers: an 8-hour working day, followed by 4-5\r\nhours of inactivity in the afternoon/evening and then additional connections during a 5-hour block in the evenings.\r\nGiven the typical working day starts at 8AM or 9AM, this leads us to the most likely location of the attacker in the\r\ntime zone UTC + 4 or UTC + 5, leading us to Russia or the eastern part of Middle East / Central Asia and India.\r\nFurthermore, given the clear lack of traffic on Saturdays and Sundays, it would indicate that it wasn’t an Arabic\r\ncountry.\r\nAnother possible explanation is that there were multiple people involved in the operation, each working from a\r\ndifferent time zone.\r\nIt is worth noting that, despite there being a large number of tech / telco companies in China, Russia and India,\r\nthere are no companies from these countries on the list of companies targeted by this attack.\r\nInvestigation process and next steps\r\nWe are continuing our investigation of the incident:  working with law enforcement, partner companies and a\r\nprofessional firm specializing in incident response operations to move quickly in the right direction.  Our security\r\nteam has reached out to all companies proven to be part of the 2nd stage, and we’re committed to working with\r\nthem to resolve the issue fully. 
Obviously, the fact that the 2nd stage payload has been delivered to a computer\r\nconnected to a company network doesn’t mean that the company network has been compromised. However,\r\nproper investigation is in order and necessary to fully understand the impact and take remediation actions. From\r\nour side, we continue working on getting access and analyzing the additional stages of the payload (post stage 2).\r\nWe will post an update as soon as we learn more.\r\nIOCs\r\nThe following is an updated list of IOCs.\r\nCnC\r\nIPs\r\n216.126.225.148 - CnC of the 1st stage payload\r\n216.126.225.163 - backup server of CnC 216.126.225.148\r\nURLs (all used for obtaining IP address of the 2nd stage 
CnC)\r\nget.adoble[.]com\r\nhttps://github[.]com/search?q=joinlur\u0026type=Users\u0026u=✓\r\nhttps://en.search.wordpress[.]com/?src=organic\u0026q=keepost\r\nDGA (used by the 1st stage payload)\r\nab8cee60c2d.com   - valid for 2017-08\r\nab1145b758c30.com - valid for 2017-09\r\nab890e964c34.com  - valid for 2017-10\r\nab3d685a0c37.com  - valid for 2017-11\r\nab70a139cc3a.com  - valid for 2017-12\r\nab3c2b0d28ba6.com - valid for 2018-01\r\nab99c24c0ba9.com  - valid for 2018-02\r\nab2e1b782bad.com  - valid for 2018-03\r\nab253af862bb0.com - valid for 2018-04\r\nab2d02b02bb3.com  - valid for 2018-05\r\nab1b0eaa24bb6.com - valid for 2018-06\r\nabf09fc5abba.com  - valid for 2018-07\r\nabce85a51bbd.com  - valid for 2018-08\r\nabccc097dbc0.com  - valid for 2018-09\r\nab33b8aa69bc4.com - valid for 2018-10\r\nab693f4c0bc7.com  - valid for 2018-11\r\nab23660730bca.com - valid for 2018-12\r\nWindows Registry\r\nHKLM\\SOFTWARE\\Piriform\\Agomo\\MUID - used by the 1st stage payload\r\nHKLM\\SOFTWARE\\Piriform\\Agomo\\NID - used by the 1st stage payload\r\nHKLM\\SOFTWARE\\Piriform\\Agomo\\TCID - used by the 1st stage payload\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\HBP - used by the 2nd stage payload\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\001 - used by the 2nd stage payload\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\002 - used by the 2nd stage payload\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\003 - used by the 2nd stage payload\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\004 - used by the 2nd stage payload\r\nSource: https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident"
	],
	"report_names": [
		"additional-information-regarding-the-recent-ccleaner-apt-security-incident"
	],
	"threat_actors": [],
	"ts_created_at": 1775434486,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0178e27080b23876bfb01077a5662af1192788d0.pdf",
		"text": "https://archive.orkl.eu/0178e27080b23876bfb01077a5662af1192788d0.txt",
		"img": "https://archive.orkl.eu/0178e27080b23876bfb01077a5662af1192788d0.jpg"
	}
}