{
	"id": "0ee06cf3-2a4e-4c62-addb-448d8e0a3786",
	"created_at": "2026-04-06T01:29:47.290154Z",
	"updated_at": "2026-04-10T03:33:56.254431Z",
	"deleted_at": null,
	"sha1_hash": "72920c515c5c9bafece88c0a454a71959388d825",
	"title": "CCleaner Command and Control Causes Concern",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1890446,
	"plain_text": "CCleaner Command and Control Causes Concern\r\nBy Edmund Brumaghin\r\nPublished: 2017-09-20 · Archived: 2026-04-06 00:50:21 UTC\r\nIntroduction\r\nTalos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner\r\napplication. During our investigation we were provided an archive containing files that were stored on the C2\r\nserver. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that\r\nthe files were very likely genuine based upon the web server configuration files and the fact that our research\r\nactivity was reflected in the contents of the MySQL database included in the archived files.\r\nIn analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including\r\nCisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2\r\ntracking database, which only covers four days in September, we can confirm that at least 20 victim machines\r\nwere served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.\r\nNot all companies identified in the targets .php file were seen communicating with a secondary C2 or had a\r\nsecondary payload deployed.\r\nhttp://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html\r\nPage 1 of 16\n\nInterestingly the array specified contains Cisco's domain (cisco.com) along with other high-profile technology\r\ncompanies. This would suggest a very focused actor after valuable intellectual property.\r\nThese new findings raise our level of concern about these events, as elements of our research point towards a\r\npossible unknown, sophisticated actor. 
These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.\r\nTechnical Details\r\nWeb Server\r\nThe contents of the web directory taken from the C2 server included a series of PHP files responsible for controlling communications with infected systems. The attacker used a symlink to redirect all normal traffic requesting 'index.php' to the 'x.php' file, which contains the malicious PHP script.\r\nIn analyzing the contents of the PHP files, we identified that the server implemented a series of checks to determine whether to proceed with standard operations or simply redirect to the legitimate Piriform web site. The contents of the HTTP Host header, the request method, and the server port are checked to confirm that they match what is expected from beacons sent by infected systems; a request that fails any of these checks is simply redirected to the legitimate site.\r\nThe 'x.php' variables reference the table required for information storage, as defined:\r\nWithin 'init.php' the $db_table is declared to allow insertion into the required database on the attacker infrastructure. This is 'Server', as defined below.\r\nThe web server also contains a second PHP file (init.php) that defines the core variables and operations used. Interestingly, this configuration specifies \"PRC\" as the time zone, which corresponds with the People's Republic of China (PRC). It’s important to note that this cannot be relied on for attribution, since a time zone setting is trivially chosen or changed. 
It also specifies the database configuration to use, as well as the filename and directory location to use for the variable $x86DllName.\r\nThe following information is gathered from infected systems and is later used to determine how to handle those hosts: OS version, architecture, whether the user has administrative rights, and the hostname and domain name associated with the system.\r\nThe system profile was rather aggressive and included specific information such as a list of the software installed on the machine and all processes currently running on it; unsurprisingly, 'CCleaner.exe' appeared as a running process on the victim machine. The system profile information is then stored in the MySQL database.\r\nThere is also functionality responsible for loading and executing the Stage 2 payload on systems that meet the predefined requirements, matching the functionality that our previous analysis of Stage 1 identified as required. While there is shellcode associated with both x86 and x64 PE delivery, it appears that only the x86 PE loading functionality is actually utilized by the C2 server.\r\nAnd below is the shellcode associated with the x64 version of the PE Loader.\r\nThe PHP script later compares the beaconing system against three values, $DomainList, $IPList, and $HostList, to determine whether the infected system should be delivered a Stage 2 payload. Below is condensed PHP code that demonstrates this:\r\nThe use of domain-based filtering further indicates the targeted nature of this attack. 
While we have confirmed that the number of systems affected by the backdoor was large, based upon beacon information stored within the MySQL database, the attackers were specifically controlling which infected systems were actually delivered a Stage 2 payload. While it was reported that no systems executed a Stage 2 payload, this is not accurate. In analyzing the database table storing information on the systems that were delivered a Stage 2 payload, we identified 20 unique hosts that may have been affected by this payload. The functionality present within Stage 2 is documented in the \"Stage 2 Payloads\" section of this post.\r\nMySQL Database\r\nThe C2 MySQL database held two tables: one describing all machines that had reported to the server and one describing all machines that received the second-stage download, both of which had entries dated between Sept. 12th and Sept. 16th. Over 700,000 machines reported to the C2 server over this time period, and more than 20 machines received the second-stage payload. It is important to understand that the target list can be, and was, changed over the period the server was active to target different organizations; the four days of data therefore show only the targets of that window, not every organization the actor went after.\r\nDuring the compromise, the malware would periodically contact the C2 server and transmit reconnaissance information about infected systems. This information included IP addresses, online time, hostname, domain name, process listings, and more. It's quite likely this information was used by the attackers to determine which machines they should target during the final stages of the campaign.\r\nThe main connection data is stored in the \"Server\" table. 
Here is an example of one of Talos' hosts in that database table:\r\nIn addition, the compromised machines would share a listing of installed programs.\r\nA process list was also captured.\r\nWhen combined, this information would be everything an attacker would need to launch a later stage payload that the attacker could verify to be undetectable and stable on a given system.\r\nA second database table, separate from the 'Server' database table, contained an additional information set that was associated with systems that had actually been delivered the Stage 2 payload. This table contained similar survey information to the 'Server' database table, the structure of which is shown below:\r\nIn analyzing this second database table 'OK', we can confirm that after deduplicating entries, 20 systems were successfully delivered the Stage 2 payload. Talos reached out to the companies confirmed affected by this Stage 2 payload to alert them of a possible compromise.\r\nBased on analysis of the 'Server' database table, it is obvious this infrastructure provides attackers access to a variety of different targets. Given the filtering in place on the C2 server, the attackers could add or remove domains at any given time, based upon the environments or organizations they choose to target. 
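To make the Stage 2 gating and the two database tables concrete, here is an added example in Python; it is not Talos' code and not the attacker's PHP. It models the $DomainList/$IPList/$HostList comparison and the 'Server' and 'OK' tables, with sqlite3 standing in for MySQL so it runs offline. The column names, the matching semantics (suffix match on the domain, exact match on IP and hostname) and the target-list contents are assumptions, since the post shows those only in screenshots, and every beacon row is constructed. The 'bank' and 'gov' counts are the kind of query Talos describes running over the 'Server' table, and the DISTINCT query is the deduplication behind the count of 20 Stage 2 victims.

```python
# Added example: a model of the CCleaner C2's Stage 2 gating and survey
# tables. Not Talos' code and not the attacker's PHP. sqlite3 stands in for
# the MySQL backend; column names and match semantics are assumptions.
import sqlite3

# Stand-ins for the three PHP target lists. Contents are constructed
# placeholders, not the real target list served by x.php.
DOMAIN_LIST = ['example-target.com', 'lab.example-target.com']
IP_LIST = ['203.0.113.10']
HOST_LIST = ['BUILD-SRV-01']


def selected_for_stage2(domain, ip, hostname,
                        domain_list=DOMAIN_LIST, ip_list=IP_LIST,
                        host_list=HOST_LIST):
    '''Decide whether a beacon gets the Stage 2 payload.

    Assumption: a domain matches on a label boundary (the listed domain
    itself or any subdomain of it), case-insensitively; IPs and hostnames
    match exactly. The post does not show which comparison x.php uses.
    '''
    d = domain.lower().rstrip('.')
    for target in domain_list:
        t = target.lower().rstrip('.')
        if d == t or d.endswith('.' + t):
            return True
    if ip in ip_list:
        return True
    return hostname.upper() in {h.upper() for h in host_list}


# Constructed beacon rows in the shape of the survey data the post describes:
# (ip, hostname, domain, os_version, is_admin, running_processes).
# WS-1001 beacons twice, as a real infected host would over several days.
BEACONS = [
    ('198.51.100.5', 'WS-1001', 'lab.example-target.com', '6.1', 1,
     'ccleaner.exe;explorer.exe'),
    ('198.51.100.5', 'WS-1001', 'lab.example-target.com', '6.1', 1,
     'ccleaner.exe;explorer.exe;outlook.exe'),
    ('203.0.113.10', 'HR-PC', 'home', '10.0', 0, 'ccleaner.exe'),
    ('192.0.2.77', 'LAPTOP-3', 'treasury.gov.example', '10.0', 1,
     'ccleaner.exe'),
    ('192.0.2.78', 'TELLER-4', 'firstbank.example', '6.3', 0, 'ccleaner.exe'),
    ('192.0.2.79', 'DESKTOP-9', 'workgroup', '10.0', 1, 'ccleaner.exe'),
]

COLUMNS = ('ip TEXT, hostname TEXT, domain TEXT, os_version TEXT, '
           'is_admin INTEGER, procs TEXT')
INSERT = ('INSERT INTO {} (ip, hostname, domain, os_version, is_admin, procs) '
          'VALUES (?, ?, ?, ?, ?, ?)')
TABLES = ('Server', 'OK')


def build_db():
    '''Populate Server with every beacon and OK with only the gated ones.'''
    conn = sqlite3.connect(':memory:')
    for table in TABLES:
        conn.execute('CREATE TABLE ' + table + ' (id INTEGER PRIMARY KEY, '
                     + COLUMNS + ')')
    for row in BEACONS:
        ip, host, dom = row[0], row[1], row[2]
        conn.execute(INSERT.format('Server'), row)
        # The C2 records a host in OK only after it passes the target check.
        if selected_for_stage2(dom, ip, host):
            conn.execute(INSERT.format('OK'), row)
    conn.commit()
    return conn


def _check_table(table):
    # Table names are interpolated into SQL, so they must come from a fixed
    # allow-list; everything user-controlled goes through bound parameters.
    if table not in TABLES:
        raise ValueError('unknown table: ' + table)


def total_rows(conn, table):
    _check_table(table)
    return conn.execute('SELECT COUNT(*) FROM ' + table).fetchone()[0]


def count_domains_like(conn, table, pattern):
    '''Count rows whose domain matches a LIKE pattern such as %bank%.'''
    _check_table(table)
    sql = 'SELECT COUNT(*) FROM ' + table + ' WHERE domain LIKE ?'
    return conn.execute(sql, (pattern,)).fetchone()[0]


def stage2_victims(conn):
    '''Deduplicate OK by (hostname, domain), as Talos did to get its count.'''
    sql = 'SELECT DISTINCT hostname, domain FROM OK ORDER BY hostname'
    return conn.execute(sql).fetchall()


if __name__ == '__main__':
    db = build_db()
    print('beacons seen:', total_rows(db, 'Server'))
    print('OK rows before dedup:', total_rows(db, 'OK'))
    print('unique Stage 2 victims:', stage2_victims(db))
    print('bank domains:', count_domains_like(db, 'Server', '%bank%'))
    print('gov domains:', count_domains_like(db, 'Server', '%.gov%'))
```

Run as a script, the model reports six beacons, three OK rows that collapse to two unique Stage 2 victims, and one bank and one government domain in the survey table. The suffix check rejects look-alike domains such as example-target.com.evil.example, and the table-name allow-list is there because the pattern of building SQL from a name is exactly what the attacker's own PHP left open to anyone who could write to its inputs.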
To provide additional perspective regarding the types of systems that the attackers could choose to further compromise, the screenshot below shows the total number of entries contained within the database table used to store system profile information:\r\nThe following screenshot shows the number of affected government systems around the world.\r\nLikewise, looking at compromised systems belonging to domains containing the word 'bank' returns the following results:\r\nThis demonstrates the level of access that was made available to the attackers through the use of this infrastructure and associated malware, and further highlights the severity and potential impact of this attack.\r\nStage 2 Payloads\r\nThe stage 2 installer is GeeSetup_x86.dll. This installer checks the OS version and then drops either a 32-bit or 64-bit version of a trojanized tool. The x86 version uses a trojanized TSMSISrv.dll, which drops VirtCDRDrv (matching the filename of a legitimate executable that is part of Corel) using a method similar to the backdoored CCleaner tool. The x64 version drops a trojanized EFACli64.dll file named SymEFA, a filename taken from a legitimate executable that is part of \"Symantec Endpoint\". None of the dropped files are signed or legitimate.\r\nEffectively, they patch a legitimate binary to package their malware. 
Additionally, the installer stores an encoded PE in the registry:\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\001\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\002\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\003\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\004\r\nThe purpose of the trojanized binary is to decode and execute this PE from the registry. The PE queries additional C2 servers and executes further PE files in memory. This may complicate detection on some systems, since the executable files are never stored directly on the file system; the registry values themselves, however, are a durable artifact, which is why they appear in the IOC list below.\r\nWithin the registry is a lightweight backdoor module which is run by the trojanized files. This backdoor retrieves an IP address from data hidden steganographically in a github.com or wordpress.com search, from which an additional PE module is downloaded and run. The stage 3 payload also reaches out to \"get.adoble.net\".\r\nCode Reuse\r\nTalos has reviewed claims from Kaspersky researchers that there is code overlap with malware samples known to be used by Group 72. While this is by no means proof in terms of attribution, we can confirm the overlap, and we agree that this is important information to be considered.\r\nOn the left: 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f (CCBkdr.dll)\r\nOn the right: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2 (Missl backdoor - APT17/Group 72)\r\nConclusion\r\nSupply chain attacks seem to be increasing in velocity and complexity. It's imperative that as security companies we take these attacks seriously. Unfortunately, security events that are not completely understood are often downplayed in severity. This can work counter to a victim's best interests. 
Security companies need to be conservative with their advice before all of the details of the attack have been determined, to help users ensure that they remain protected. This is especially true in situations where entire stages of an attack go undetected for a long period of time, and when advanced adversaries are in play: they have been known to craft attacks that avoid detection by specific companies through successful reconnaissance techniques.\r\nIn this particular example, a fairly sophisticated attacker designed a system which appears to specifically target technology companies, using a supply chain attack to compromise a vast number of victims, persistently, in the hope of landing some payloads on computers at very specific target networks.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nIndicators of Compromise (IOCs)\r\nBelow are indicators of compromise associated with this attack.\r\nInstaller on the CC: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83 (GeeSetup_x86.dll)\r\n64-bit trojanized binary: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f (EFACli64.dll)\r\n32-bit trojanized binary: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902 (TSMSISrv.dll)\r\nDLL in registry: 
f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a\r\nRegistry Keys:\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\001\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\002\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\003\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\004\r\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\HBP\r\nStage 2 Payload (SHA256):\r\ndc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83\r\nSource: http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html"
	],
	"report_names": [
		"ccleaner-c2-concern.html"
	],
	"threat_actors": [
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-10T02:00:05.362084Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438987,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72920c515c5c9bafece88c0a454a71959388d825.pdf",
		"text": "https://archive.orkl.eu/72920c515c5c9bafece88c0a454a71959388d825.txt",
		"img": "https://archive.orkl.eu/72920c515c5c9bafece88c0a454a71959388d825.jpg"
	}
}