Both Cisco and Avast released findings this week that show the CCleaner malware outbreak is way worse than initial reports indicated.

On Wednesday, Cisco Systems’ Talos Group published the results of its investigation. Data collected from a seized command-and-control server showed that 20 highly targeted technology and telecom organizations received a second-stage payload during just one four-day period of the 31 days the malware was active. Cisco, Microsoft, VMware, Intel, Sony, Samsung, HTC, Linksys and D-Link were all targeted.

It was previously thought that 2.3 million computers had been infected but that none had received the second stage. Cisco, however, found that 700,000 infected PCs had reported back to the hackers’ server over that four-day period alone.

Further, Avast, which acquired CCleaner in July, admitted Thursday that because the backdoor was active for so long, the number of infected devices was probably far higher than the Cisco investigation uncovered. "Given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds," wrote CEO Vince Steckler and chief technology officer Ondrej Vlcek in the announcement.

The second stage payload was designed to just collect data and maintain hackers’ access to infected devices, not to cause any actual mischief, said analysts. And Avast says that most of the infected computers aren’t actually targets of the hackers.

“This was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were,” Avast researchers wrote.

Craig Williams, senior threat researcher and global outreach manager for Talos, told The VAR Guy that even though it’s likely most channel partners’ customers aren’t targets, service providers should still take measures to guard against attacks.

“Like any malware attack, systems need to be cleaned and restored from backup if you believe they have been affected,” said Williams. “Look for the listed IoCs in your network and recover systems as required.”
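Williams' advice to look for the listed IoCs in your network is usually carried out by matching the vendor-published indicators against whatever telemetry you already collect, such as DNS query logs and a software inventory with file hashes. The script below is an added example written for this article, not code from Talos or Avast, and it uses constructed placeholder indicators and constructed log lines rather than the real CCleaner IoCs; substitute the published list before running it against real data.

```python
"""Match host telemetry against an IoC list and report which hosts need
to be restored. Added example; all indicators and log lines are constructed."""
import re
from collections import defaultdict

# Placeholder indicators (constructed; replace with the vendor-published list).
IOC_DOMAINS = {"placeholder-c2.example", "second-stage.example"}
IOC_SHA256 = {"a" * 64}  # placeholder hash of a trojanized installer build

# Constructed DNS query log: one line per query, "host=" and "query=" fields.
DNS_LOG = """\
2017-09-18T10:02:11Z host=WKS-017 query=notsecond-stage.example type=A
2017-09-18T10:02:13Z host=WKS-042 query=placeholder-c2.example. type=A
2017-09-18T10:05:40Z host=WKS-042 query=cdn.second-stage.example type=A
2017-09-18T10:06:01Z host=WKS-103 query=mail.example type=MX
"""

# Constructed software inventory: installed binary paths with SHA-256 hashes.
CLEAN_HASH = "b" * 64
FILE_INVENTORY = "\n".join([
    "host=WKS-017 path=C:\\Program Files\\CCleaner\\CCleaner.exe sha256=" + CLEAN_HASH,
    "host=WKS-088 path=C:\\Program Files\\CCleaner\\CCleaner.exe sha256=" + "a" * 64,
])

DNS_LINE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<query>\S+)")
INV_LINE = re.compile(
    r"host=(?P<host>\S+)\s+path=(?P<path>.+?)\s+sha256=(?P<sha>[0-9a-fA-F]{64})"
)


def domain_matches(query, ioc_domains):
    """True when the queried name is an IoC domain or a subdomain of one.

    The comparison is on label boundaries, so "notsecond-stage.example"
    does not match "second-stage.example"; trailing dots and case are ignored.
    """
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ioc_domains)


def find_affected(dns_log, inventory, ioc_domains=IOC_DOMAINS, ioc_hashes=IOC_SHA256):
    """Return {host: [reasons]} for every host with at least one IoC hit."""
    hits = defaultdict(list)
    for line in dns_log.splitlines():
        m = DNS_LINE.search(line)
        if m and domain_matches(m["query"], ioc_domains):
            hits[m["host"]].append("dns:" + m["query"])
    wanted = {h.lower() for h in ioc_hashes}
    for line in inventory.splitlines():
        m = INV_LINE.search(line)
        if m and m["sha"].lower() in wanted:
            hits[m["host"]].append("file:" + m["path"])
    return dict(sorted(hits.items()))


if __name__ == "__main__":
    for host, reasons in find_affected(DNS_LOG, FILE_INVENTORY).items():
        print(host, "-> restore from backup;", "; ".join(reasons))
```

A hit on either source is enough to schedule the host for the clean-and-restore step Williams describes; the per-host reasons are kept so the incident record shows which indicator fired.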

Russian security firm Kaspersky has said that a known threat group, tracked as Axiom or Group 72, is responsible for the malware attack. The group has been linked to Chinese hackers.