The hackers who injected malicious code into a version of computer maintenance app CCleaner last year may have been preparing to deliver third-stage malware to at least a select few of the 2.27 million computers that had downloaded the tainted utility program.

Avast Software, which acquired CCleaner along with the assets of its original developer Piriform in July 2017, acknowledged this latest discovery last week both on its blog site and the SAS conference in Cancun, Mexico. According to Avast, its researchers found that four Piriform computers were infected with the cybercriminal tool ShadowPad, which gives attackers remote control capabilities as well as additional modular functionalities such as keylogging and password stealing.

“…We found out that the keylogger had been active since April 12th, 2017, recording keystrokes on these computers, including keylogs from Visual Studio and other programs,” states blog post authors Vince Steckler, Avast CEO, and Ondrej Vlcek, EVP and GM of the consumer business unit. “The version of the ShadowPad tool is custom-built, which makes us think it was explicitly built for Piriform. By installing a tool like ShadowPad, the cybercriminals were able to fully control the system remotely while collecting credentials and insights into the operations on the targeted computer.”

ShadowPad is believed to originate from the Chinese hacker group Axiom, whose code was already spotted in the original first-stage CCleaner malware by Kaspersky Lab researcher Costin Raiu. (Cisco Talos later confirmed this connection to the Chinese actor, which it calls APT 17 or Group 72.)

Injected in August 2017 and discovered a month later, the first-stage malware is essentially a backdoor that initially compromised machines and enabled the attackers to exfiltrate non-sensitive data about them. Of these impacted machines, only about 40 PCs operated by high-tech and telecommunications companies were further infected by a second-stage malware – leading researchers to conclude that the scheme was a supply chain attack designed to infect a large pool of victims, from which a select targeted few would be further compromised.

There is no evidence that ShadowPad ever found its way onto any computer beyond the four Piriform machines – suggesting that remediation of the original attack may have foiled the attackers' plans before they were executed.