Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

CCleaner Server Was Compromised in Early July

A server distributing a version of PC utility CCleaner infected with malware might have been compromised in early July, Avast revealed.

A server distributing a version of PC utility CCleaner infected with malware might have been compromised in early July, Avast revealed.

Two versions of the highly popular Windows maintenance tool (32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) were modified to distribute information stealing malware, and over 2 million users have been impacted by the incident. The infected binary was released on August 15 and remained undetected for four weeks.

CCleaner was developed by Piriform, which was acquired by anti-virus company Avast in July, 2017. After news of the infected installer broke on Monday, the security firm decided to step forward and clarify that the compromise likely happened before the July acquisition.

“Before we completed the acquisition, the bad actors were likely already in the process of hacking into the Piriform systems. The compromise may have started on July 3rd. The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017,” an Avast blog post signed by Vince Steckler, CEO, and Ondrej Vlcek, CTO and EVP Consumer Business, reads.

The company also disclosed that they were warned of the infection by security company Morphisec, which says that it first encountered the malicious CCleaner installations on Aug. 20. However, it was only on Sept. 11 that Morphisec received logs from some of its customers and could start an investigation.

On Sept. 12, Morphisec warned Avast of the infection, and the latter was able to resolve the issue within 72 hours. By Sept. 15, the command and control server that the malware was contacting had been taken down and Piriform had already released a clean version of CCleaner.

Avast also claims that no actual harm was done to the impacted computers, despite the fact that 2.27 million users downloaded the infected application release, as the final payload in this attack never activated.

“About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary,” the company says.

CCleaner v5.34 and CCleaner Cloud v1.07.3214 have been released without the malicious code inside, and Avast says that only around 730,000 users are still running the affected version 5.33.6162 on their systems. The free CCleaner variant doesn’t include automatic updates, meaning that users need to manually download and install the clean version.

“We deeply understand the seriousness of the situation, as we do with all security threats. We regret the inconvenience experienced by Piriform’s customers. We plan to be issuing more updates on this as we go. We have made it our highest priority to properly investigate this unfortunate incident and to take all possible measures to ensure that it never happens again,” Avast also says.

Affected users are advised to update to the latest versions of CCleaner as soon as possible, to remove any malicious code from their computers.

Related: Millions Download Maliciously Modified PC Utility

Related: Avast Acquires CCleaner Developer Piriform 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.