{
	"id": "78f991bb-a1c3-4f24-8983-458786dbad63",
	"created_at": "2026-04-06T00:09:47.449428Z",
	"updated_at": "2026-04-10T03:33:56.268142Z",
	"deleted_at": null,
	"sha1_hash": "01fe99487e027bb45cc4e0973ca7bc2bd1e40061",
	"title": "New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 302673,
	"plain_text": "New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities\r\nBy Threat Intelligence Team 8 Mar 2018\r\nArchived: 2026-04-05 13:09:09 UTC\r\nActivity was found in the Piriform network, although not on any of the CCleaner customers’ PCs\r\nFollowing the CCleaner incident last year, we have continued to investigate what happened and have shared our latest insights at the Security Analyst Summit today.\r\nTo recap, on September 18, 2017, we disclosed that CCleaner had been targeted by cybercriminals in order to distribute malware via the CCleaner installation file. The altered installation file was downloaded by 2.27 million CCleaner customers worldwide. The malware was introduced to the build server of Piriform, the company developing CCleaner, some time between March 11 and July 4, 2017, prior to Avast’s acquisition of Piriform on July 18, 2017.\r\nThe first stage of the malware was designed to collect non-sensitive information from CCleaner users, including, for example, the name of the computer, a list of installed software, and a list of running processes. The first stage included downloader capabilities, which were used to download a second stage binary onto just 40 PCs out of the millions of devices infected with stage one, making it a highly targeted attack. Up until now, we don’t have any evidence that a third stage binary has been downloaded onto the affected computers. However, we have found evidence of activity that could indicate what the intended third stage of the attack could have looked like.\r\nTo eliminate the threat from the Piriform network, we migrated the Piriform build environment to the Avast infrastructure, replaced all hardware and moved the entire Piriform staff onto the Avast-internal IT system. We consolidated and inspected the Piriform infrastructure and computers, found preliminary versions of the stage one and stage two binaries on them, and found evidence of a specialized tool, ShadowPad, which is used by a specific group of cybercriminals, installed on four Piriform computers.\r\nShadowPad is a cyber attack platform that cybercriminals deploy in victims’ networks to gain remote control capabilities, and it has been analyzed in the past. The tool was installed on the four Piriform computers on April 12th, 2017, while the preliminary version of stage two had been installed on the computers on March 12th, 2017. The older version of the stage two downloader was contacting CnC servers, but the servers were no longer functioning by the time we got our hands on the computers, so we cannot say with 100% certainty what they were supposed to download. However, given the timeline of the events, we assume that the preliminary stage two downloader installed ShadowPad on the four Piriform computers. Another clue that led us to this assumption is that ShadowPad is believed to be a product of the Chinese hacker group Axiom, the group likely behind the CCleaner attack. The connection between Axiom and the CCleaner attack was first discovered by security researcher Costin Raiu.\r\nhttps://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities\r\nPage 1 of 3\r\n[Figure] ShadowPad plugins found on Piriform PCs\r\nWe also found ShadowPad log files that contained encrypted keystrokes from a keylogger installed on the computers. We discovered that the keylogger’s log was encrypted with the volume ID of the hard drive and were consequently able to decrypt the keystrokes. Looking into the log, we found out that the keylogger had been active since April 12th, 2017, recording keystrokes on these computers, including keystrokes from Visual Studio and other programs. The logged data showed us that the keylogger was functional at that time. The version of the ShadowPad tool is custom-built, which makes us think it was explicitly built for Piriform.\r\n[Figure] Logged keystrokes found on the Piriform computers\r\nBy installing a tool like ShadowPad, the cybercriminals were able to fully control the system remotely while collecting credentials and insights into the operations on the targeted computer. Besides the keylogger tool, other tools were installed on the four computers, including a password stealer and tools with the capacity to install further software and plugins on the targeted computer remotely.\r\nShadowPad was installed on the Piriform network and, as far as we can tell from our investigations up until today, it was not installed on any of the CCleaner customers’ computers; however, we believe it was the intended third stage for the CCleaner customers. While up to 2.27 million CCleaner consumers and businesses had downloaded the infected CCleaner product, the attackers installed the malicious second stage on just 40 PCs operated by high-tech and telecommunications companies. We don’t have a sample of a possible third stage that might have been distributed via the CCleaner attack, and it is not clear whether it was the attackers’ intention to attack all 40 PCs, just a few, or none. We continue investigating the data dumps from the computers and will post an update as soon as we learn more.\r\nSource: https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities"
	],
	"report_names": [
		"new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities"
	],
	"threat_actors": [
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-10T02:00:05.362084Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01fe99487e027bb45cc4e0973ca7bc2bd1e40061.pdf",
		"text": "https://archive.orkl.eu/01fe99487e027bb45cc4e0973ca7bc2bd1e40061.txt",
		"img": "https://archive.orkl.eu/01fe99487e027bb45cc4e0973ca7bc2bd1e40061.jpg"
	}
}