⛓ Supply Chain
CCleaner Supply Chain Backdoor — 2.27 Million Users, Stage 2 Targets Samsung/Intel/Sony
Between mid-August and 12 September 2017, Piriform (a subsidiary of Avast Security) distributed a backdoored build of CCleaner 5.33, a widely used Windows PC cleaning utility, to approximately 2.27 million users. The trojanized version contained a two-stage backdoor. Stage 1 (Floxif) collected basic system information and checked whether it was running with administrative privileges, then reported to a C2 server and received commands. Stage 2 was delivered only to high-value targets meeting specific criteria, predominantly technology companies. Cisco Talos and Avast researchers discovered the backdoor on 11 September 2017 and disclosed it on 18 September.

The malicious build had been distributed from Piriform's official servers and was digitally signed with a valid Piriform certificate, making it indistinguishable from the legitimate software for anyone relying on the vendor's signature. Stage 2 reached approximately 40 machines at major technology companies including Samsung, Sony, VMware, Intel, O2, Singtel, Gauselmann, Dyn, and Chunghwa Telecom, indicating that the attackers specifically targeted technology supply chains for corporate espionage. Piriform had recently been acquired by Avast (August 2017). The attackers' infrastructure was traced to China, and the malware shared code characteristics with BARIUM/Winnti Group tools. The incident illustrates how security integration failures after an acquisition can create catastrophic supply chain vulnerabilities.
Technical Details
- Initial Attack Vector: Chinese APT (BARIUM/Winnti Group) compromised the build environment of Piriform (later acquired by Avast) and injected a two-stage backdoor into the legitimate CCleaner 5.33 Windows application; the trojanized software was digitally signed with Piriform's legitimate certificate and distributed through official download channels to millions of users
- Vendor / Product: Piriform CCleaner 5.33 (PC optimization utility, Windows)
- Malware Family: Floxif backdoor (Stage 1); GhostRat variant delivered to high-value targets (Stage 2)
- Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
Timeline
- 2017-09-01 Breach occurred
- 2017-09-01 Publicly disclosed