
APT41 Abuses Google Calendar to Hide Malicious C2 Communication

Written by Gustavo Sánchez | May 29, 2025 7:11:57 PM

The Chinese hacker group known as APT41 has been using a new malware called ToughProgress, which hides in none other than Google Calendar. The idea? To use this widely trusted service as a covert channel for their command and control (C2) communications, allowing them to move data and execute malicious actions without raising suspicion.

This campaign was detected by Google’s Threat Intelligence Group, which not only dismantled the compromised Google Calendar and Workspace infrastructure but also implemented new measures to prevent such incidents from happening again.

While it may sound innovative, using Google Calendar as a C2 channel isn’t entirely new. In fact, a malicious package recently reported in the NPM repository employed a very similar tactic. APT41 already has a history of exploiting legitimate Google services. For instance, in April 2023, they used Google Sheets and Google Drive in a malware campaign known as Voldemort. It’s clear they prefer to hide in plain sight.


Summary of the Attack (Source: Google)


This Is How APT41 Carries Out Its Attack Step by Step


It all starts with a malicious email that the attackers send to their victims. The email includes a link to a ZIP file hosted on a government website that had previously been compromised (which lends the link a veneer of credibility at first glance). That ZIP file contains several disguised traps:


  1. A Windows .LNK file that poses as a PDF but is actually the trigger for the entire attack.

  2. Two “.jpg” files that may look like harmless images, but are anything but.


One of these files, named “6.jpg”, is actually the encrypted payload (the main malware).

The other, “7.jpg”, is a DLL that acts as both the decryptor and the loader of the malware once the victim clicks on the supposed PDF.

According to Google, this DLL is called PlusDrop, and its job is to decrypt and launch a second stage of the malware called PlusInject, all of which happens without leaving any trace on the disk, as it executes directly in the system's memory.

Once executed, PlusInject hijacks a legitimate Windows process, svchost.exe, and performs process hollowing (a common technique that involves hollowing out a legitimate process and using it as a container to run malicious code). In this case, it injects the final stage of the attack: malware called ToughProgress.

This malware is the one that silently connects to Google Calendar. There, it scans for hidden events on specific dates, looking for commands that APT41 has inserted into the description field. This way, the malware stays in contact with the attackers without raising suspicion, all through a completely legitimate service.


One of APT41’s Calendar Events (Source: Google)


Once the ToughProgress malware executes the instructions it receives, it sends the results back by creating new events in Google Calendar. This allows the attacker to review what happened and calmly decide their next moves.

What’s most concerning is that none of this is saved to disk, and all communication with the attacker takes place through a completely legitimate cloud service like Google Calendar. The result? Security tools on the infected machine rarely detect what’s going on. It’s a clever move to stay under the radar.
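The channel described above leaves a trace that an incident responder can look for in a calendar export: opaque events with no attendees and no meaningful title, a description holding an encoded blob instead of human text, and several such events posted by one account on the same date (one for the command, one for the result). The following Python script, an added example that is not code from the article, from Google's tooling or from the APT41 samples, scores exported events for that pattern. The record layout (id, summary, description, start, creator, attendees) is an assumed, simplified export format, and every event in it is constructed for the demo.

```python
"""
Triage of exported calendar events for a covert command/result channel:
opaque description blobs, no attendees, placeholder titles, and bursts of
such events from one account on one date.

Added example for this article; not Google's tooling and not derived from
the APT41 samples. The record layout is an assumed simplified export and all
records below are constructed.
"""
import base64
import hashlib
import math
import re
from collections import defaultdict

# A single run of base64 alphabet characters, at least 64 long, optional padding.
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def _opaque_blob(seed: bytes, nbytes: int = 96) -> str:
    """Constructed stand-in for an encoded payload: base64 of hash output."""
    raw = b""
    while len(raw) < nbytes:
        raw += hashlib.sha256(seed + len(raw).to_bytes(2, "big")).digest()
    return base64.b64encode(raw[:nbytes]).decode()


# Constructed sample export: three ordinary events and two (ev4, ev5) that
# mimic the pattern, posted by the same account on the same date.
SAMPLE_EVENTS = [
    {"id": "ev1", "summary": "Team standup", "creator": "alice@example.test",
     "start": "2023-05-30", "attendees": ["bob@example.test"],
     "description": "Daily sync. Bring your blockers and demo links."},
    {"id": "ev2", "summary": "Dentist", "creator": "bob@example.test",
     "start": "2023-05-30", "attendees": [], "description": ""},
    {"id": "ev3", "summary": "Q2 planning", "creator": "alice@example.test",
     "start": "2023-05-31", "attendees": ["bob@example.test", "carol@example.test"],
     "description": "Agenda: https://docs.example.test/q2-plan (constructed link)"},
    {"id": "ev4", "summary": "", "creator": "svc-9f3@example.test",
     "start": "2023-05-30", "attendees": [], "description": _opaque_blob(b"task")},
    {"id": "ev5", "summary": "x", "creator": "svc-9f3@example.test",
     "start": "2023-05-30", "attendees": [], "description": _opaque_blob(b"result")},
]


def shannon_entropy(text: str) -> float:
    """Bits per character; base64 of random bytes sits near 5-6, prose near 4."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_blob(description: str) -> bool:
    """True when the description is one base64-alphabet run that decodes
    cleanly and is not a trivially repetitive string."""
    body = "".join(description.split())
    if not BASE64_BLOB.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    return shannon_entropy(body) >= 3.5


def score_event(event: dict) -> tuple:
    """Per-event indicators; the opaque blob carries most of the weight."""
    score, reasons = 0, []
    if looks_like_blob(event.get("description", "")):
        score += 3
        reasons.append("description is an opaque base64 blob")
    if not event.get("attendees"):
        score += 1
        reasons.append("no attendees")
    if len(event.get("summary", "").strip()) < 3:
        score += 1
        reasons.append("empty or placeholder title")
    return score, reasons


def triage(events: list, threshold: int = 4) -> list:
    """Return flagged events, adding a burst indicator when one account posts
    several suspicious events on the same date (a command event followed by a
    result event is exactly that shape)."""
    scored = [(ev, *score_event(ev)) for ev in events]
    per_day = defaultdict(int)
    for ev, s, _ in scored:
        if s >= threshold:
            per_day[(ev["creator"], ev["start"])] += 1
    flagged = []
    for ev, s, reasons in scored:
        if per_day[(ev["creator"], ev["start"])] > 1:
            s += 1
            reasons = reasons + ["same account posted multiple suspicious events that day"]
        if s >= threshold:
            flagged.append({"id": ev["id"], "creator": ev["creator"],
                            "date": ev["start"], "score": s, "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["id"], hit["creator"], hit["date"], hit["score"], "; ".join(hit["reasons"]))
```

The base64 heuristic is deliberately narrow: it catches descriptions that are nothing but an encoded run, which is the shape a machine-written command or result takes, while leaving ordinary agendas and links alone. In practice it belongs next to account-level context (a newly created or service-style account that never holds meetings with real attendees), which is what makes the burst indicator worth more than any single event.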


The Encrypted Exchange (Source: Google)



How Was the Operation Stopped?


Once Google discovered what was happening, they identified the Google Calendar accounts used by the attackers and immediately shut them down, along with all suspicious events that had been created. They also terminated the associated Workspace accounts involved in the operation.

Additionally, Google updated its Safe Browsing blocklist, meaning that anyone attempting to visit one of the sites linked to the campaign will receive a warning, and traffic to those sites will be automatically blocked across Google products, including Chrome.

The report does not specify which organizations or users were directly affected, but Google confirmed that they contacted the victims privately, in coordination with Mandiant, a cybersecurity company. They even provided them with samples of the ToughProgress malware and logs of suspicious traffic to help them determine whether they had been compromised and to assist with system cleanup.