Avast said it has found that threat actors behind the attack were planning to install a third round of ShadowPad malware on compromised computers. The company acquired the maker of CCleaner Piriform in July. Avast has not found evidence of a third stage binary on infected computers, it said. The malware in question spread to Piriform s build server sometime between March and July 4, 2017. In September, Avast and Kaspersky Lab said that they believed Chinese cyber espionage group Axiom was behind attack.
Source: https://threatpost.com/ccleaner-attackers-intended-to-deploy-keylogger-in-third-stage/130358/