{
	"id": "b63c151a-48d7-474b-908e-d968919e4a3e",
	"created_at": "2026-04-06T00:18:55.126351Z",
	"updated_at": "2026-04-10T03:24:29.742716Z",
	"deleted_at": null,
	"sha1_hash": "de31b6ea2f690c9566bdcbb0bd6499c5cc3af930",
	"title": "Morphisec Discovers CCleaner Backdoor Saving Millions of Avast Users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 686525,
	"plain_text": "Morphisec Discovers CCleaner Backdoor Saving Millions of Avast Users\r\nBy Michael Gorelik\r\nArchived: 2026-04-05 21:42:52 UTC\r\nAs widely reported today, the Avast-owned security application CCleaner was illegally modified by hackers. According to Avast, some 2.27 million users were running the weaponized version 5.33 of CCleaner. In addition, CCleaner Cloud version 1.07 was affected. Morphisec was the first to uncover the CCleaner hack and notify Avast.\r\nMorphisec identified and prevented malicious CCleaner.exe installations at customer sites on August 20 and 21, 2017. On September 11, 2017, some customers shared their logs of the prevented attacks with Morphisec, and our team immediately started to investigate.\r\nThis post has been updated:\r\n1.) Inclusion of Avast's reference to Morphisec's help.\r\n2.) The compromised CCleaner version was discovered by both Morphisec and Cisco in separate in-field cases and reported separately to Avast.\r\nAlthough the executables were signed by the original Piriform company (which was purchased by Avast in July), version 5.33 of CCleaner exhibited internal code injection behavior and reflective DLL loading directly into memory.\r\n“Morphisec’s unique Moving Target Defense cyber security solution first stopped the malicious file at one of our customers in Singapore. We were gratified to see that we prevented the attack and how our Endpoint Threat Prevention solution keeps our customers safe,” remarks Michael Gorelik, VP R\u0026D at Morphisec.\r\nImmediately after the initial investigation, Morphisec notified all of its customers and reported its findings to Avast to help the company identify the issue. CCleaner 5.34, released on September 12, 2017, does not include the malicious code.\r\n“A backdoor transplanted into a security product through its production chain presents a new, unseen threat level which poses a great risk and shakes customers’ trust. As part of our responsible disclosure policy, we immediately contacted Avast and shared all the information required for them to resolve the issue promptly. Customer safety is our top concern,” Gorelik emphasizes.\r\nIn its blog post, Avast confirms Morphisec’s role:\r\n“The CCleaner compromised version was released on August 15 and went undetected by any security company for four weeks, underscoring the sophistication of the attack. In our view, it was a well-prepared operation and the fact that it didn’t cause harm to users is a very good outcome, made possible by the original notification we received from our friends at security company Morphisec (more on this below) followed by a prompt reaction of the Piriform and Avast teams working together. We continue to be actively cooperating with law enforcement units, working together to identify the source of the attack.”\r\n[…]\r\n“Avast first learned about the possible malware on September 12, 8:35 AM PT from a company called Morphisec which notified us about their initial findings. We believe that Morphisec also notified Cisco. We thank Morphisec and we owe a special debt to their clever people who identified the threat and allowed us to go about the business of mitigating it. 
Following the receipt of this notification, we launched an investigation immediately, and by the time the Cisco message was received (September 14, 7:25 AM PT), we had already thoroughly analyzed the threat, assessed its risk level and in parallel worked with law enforcement in the US to properly investigate the root cause of the issue.”\r\nNow that Avast has made a public announcement, Morphisec is able to share a short abstract of our technical investigation.\r\nCCleaner Hack Technical Abstract\r\nFirst, we identified that the TLS callback initialization was most likely altered through a modification of a Visual Studio runtime (CRT) file:\r\n[screenshot not reproduced]\r\nSuch a modification requires access to the machine that compiles the code, which makes this form of code injection both effective and stealthy: the injected code is executed before any of the original CCleaner code, and the executable is signed automatically as part of the build, so it carries Piriform's legitimate signature.\r\nFollowing the new TLS initialization path, we investigated the reflective injection of the DLL. The DLL had no DOS header (IMAGE_DOS_HEADER), and later the NT headers (IMAGE_NT_HEADERS) were stripped as well, to evade memory-monitoring solutions that look for PE headers. Morphisec’s research lab has seen this technique more and more often lately.\r\nThe DLL itself is a simple controller component: it collects information about the machine, sends it to a C2 server, and can receive a next-stage payload for execution.\r\nThe DLL also contained techniques used by only a few threat actors, such as code that determines whether it is running in a 32-bit or 64-bit process and works within both:\r\n[screenshot not reproduced]\r\nNote that the downloaded payload has a fallback to “randomly” generated domains (with the month of the year used as the seed).
\r\nDownload of the code from C2:\r\n[screenshot not reproduced]\r\nMalicious code execution following the payload download, and the generated domains:\r\n[screenshot not reproduced]\r\nUpdated on September 19, 2017.\r\nAbout the author\r\nMichael Gorelik\r\nChief Technology Officer\r\nMorphisec CTO Michael Gorelik leads the malware research operation and sets technology strategy. He has extensive experience in the software industry and in leading diverse cybersecurity software development projects. Prior to Morphisec, Michael was VP of R\u0026D at MotionLogic GmbH, and previously served in senior leadership positions at Deutsche Telekom Labs. Michael has extensive experience as a red teamer, reverse engineer, and contributor to the MITRE CVE database. He has worked extensively with the FBI and US Department of Homeland Security on countering global cybercrime. Michael is a noted speaker, having presented at multiple industry conferences, such as SANS, BSides, and RSA. Michael holds BSc and MSc degrees from the Computer Science department at Ben-Gurion University, focusing on synchronization in different OS architectures. He also jointly holds seven patents in the IT space.\r\nSource: http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor"
	],
	"report_names": [
		"morphisec-discovers-ccleaner-backdoor"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434735,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de31b6ea2f690c9566bdcbb0bd6499c5cc3af930.pdf",
		"text": "https://archive.orkl.eu/de31b6ea2f690c9566bdcbb0bd6499c5cc3af930.txt",
		"img": "https://archive.orkl.eu/de31b6ea2f690c9566bdcbb0bd6499c5cc3af930.jpg"
	}
}