ShadowPad Backdoor Linked to CCleaner Breach


The CCleaner breach from 2017 just got a deeper twist. What we thought was a two-stage supply chain attack now appears to have had a hidden third layer.

Avast’s ongoing investigation has revealed evidence suggesting that the attackers, believed to be the Chinese APT group known as Axiom (also called APT17 or DeputyDog), planned to deploy a more advanced payload—ShadowPad, a remote access tool with extensive surveillance capabilities.

Here’s the breakdown.

In September 2017, 2.27 million users downloaded compromised versions of CCleaner, one of the most popular system-cleaning tools. The attack stemmed from a compromise of the distribution servers of Piriform, the company behind CCleaner, months before Avast acquired it. Attackers embedded a backdoor into the 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191.
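Given the two backdoored builds named above, the first question a defender asks is whether a copy on disk is one of them. The following triage helper is an added example, not Avast's or Piriform's code: it normalizes a version string, reads the Machine field from a binary's PE/COFF header to distinguish the 32-bit build from the 64-bit one, and flags only the product/version/architecture combinations the write-up lists. It assumes the article's "32-bit" qualifier applies to both builds, and the PE headers it runs on are constructed sample data rather than real CCleaner installers.

```python
"""Triage helper for the CCleaner supply-chain compromise.

Added example, not Avast's or Piriform's code. The affected builds come
from the write-up: CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191, 32-bit.
PE parsing follows the standard PE/COFF layout (MZ header, e_lfanew at
offset 0x3C, "PE\0\0" signature, then the 2-byte COFF Machine field).
"""
import struct

# Builds the write-up names as carrying the backdoor (assumed 32-bit for both).
AFFECTED_BUILDS = {
    ("CCleaner", (5, 33, 6162)),
    ("CCleaner Cloud", (1, 7, 3191)),
}

IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x86-64


def parse_version(text):
    """Turn 'v5.33.6162' or '1.07.3191' into a tuple of ints."""
    text = text.strip().lstrip("vV")
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def pe_machine_type(data):
    """Return the COFF Machine field of a PE image, or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def is_affected_build(product, version_text, pe_bytes):
    """True only if product/version is a listed build AND the image is 32-bit.

    A 64-bit image of the same version is reported clean, because the
    write-up attributes the backdoor to the 32-bit build.
    """
    version = parse_version(version_text)
    if (product, version) not in AFFECTED_BUILDS:
        return False
    return pe_machine_type(pe_bytes) == IMAGE_FILE_MACHINE_I386


def make_fake_pe(machine):
    """Build a minimal, constructed PE header with the given Machine field.

    Only the fields pe_machine_type() reads are populated; this is sample
    data for the demonstration, not a real binary.
    """
    header = bytearray(b"MZ" + b"\0" * 0x3E)    # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> PE signature
    header += b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18  # 20-byte COFF header
    return bytes(header)


if __name__ == "__main__":
    # Constructed samples: the two listed builds, a 64-bit copy of the same
    # version, and a made-up later version number that is not on the list.
    samples = [
        ("CCleaner", "v5.33.6162", make_fake_pe(IMAGE_FILE_MACHINE_I386)),
        ("CCleaner", "v5.33.6162", make_fake_pe(IMAGE_FILE_MACHINE_AMD64)),
        ("CCleaner", "v5.99.0000", make_fake_pe(IMAGE_FILE_MACHINE_I386)),
        ("CCleaner Cloud", "1.07.3191", make_fake_pe(IMAGE_FILE_MACHINE_I386)),
    ]
    for product, ver, pe in samples:
        verdict = "AFFECTED" if is_affected_build(product, ver, pe) else "clean"
        print(f"{product} {ver} (machine=0x{pe_machine_type(pe):04x}): {verdict}")
```

In practice you would feed `is_affected_build` the product name and version from the installer's version resource and the first kilobyte of the file; the architecture check matters because a version match alone would also flag the 64-bit build, which the write-up does not list as backdoored.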

Stage one was widespread. It gathered non-sensitive system data from infected machines.
Stage two was much more selective, deployed only to 40 targeted machines, signaling this wasn’t about mass infection—it was a highly targeted operation.

Now, here’s the important part: Avast uncovered traces of a third-stage payload during a deeper investigation of Piriform’s internal systems. They found ShadowPad installed on four internal Piriform machines, dated as early as April 12, 2017. This version of ShadowPad was custom-built, likely crafted specifically for this operation.

If you’re not familiar with ShadowPad, it’s a sophisticated remote control platform. In 2017, Kaspersky discovered it in software used by major firms across industries—from finance and media to energy and transportation. This isn’t commodity malware. It comes with components like:

  • Keyloggers that silently capture keystrokes
  • Password stealers
  • Plugins to deploy more tools or software

Avast suspects that ShadowPad was the planned third-stage payload for some of the 40 second-stage victims, though it was never seen active on customer systems. The command-and-control server used for the second stage had already gone offline by the time investigators looked into it, leaving a few puzzle pieces missing. But based on the timeline and toolset, the signs point strongly to ShadowPad being part of the broader attack plan.

The bigger takeaway here is that this breach wasn’t just opportunistic. It was structured, multi-layered, and likely aimed at long-term access and espionage.

Even years later, incidents like this serve as critical reminders of how supply chain compromises can unfold silently, targeting even trusted software with laser precision.
