
APT41—also known as BARIUM, Wicked Panda, and Brass Typhoon—is a well-known Chinese state-sponsored APT group notorious for blending espionage with cybercrime. In its latest campaign, analyzed by Resecurity, the group targeted a Taiwanese government website, deploying an advanced multi-stage malware framework that uses Google Calendar as a covert command-and-control (C2) channel.
The attack begins with spear-phishing emails that direct victims to download a ZIP archive hosted on a compromised government site. Inside the archive:

- A Windows LNK file posing as a PDF
- Seven JPG files, two of which—“6.jpg” and “7.jpg”—are actually malicious payload containers
Opening the shortcut triggers a deceptive PDF decoy while silently launching malware named ToughProgress via a carefully obfuscated chain.
The malware is deployed in three distinct stages:
- PLUSDROP: Decrypts and loads 6.jpg using Rundll32.exe with in-memory execution to avoid disk detection.
- PLUSINJECT: Injects decrypted code into svchost.exe via process hollowing, evading endpoint detection tools.
- TOUGHPROGRESS: Establishes C2 communications via Google Calendar events.
“The malware operates through three sequential modules… with various stealth and evasion techniques including in-memory execution, encryption, compression, process hollowing, and use of Google Calendar for C2 communications,” Resecurity explains.
APT41 used several low-level evasion mechanisms, including:
- XOR-based decryption of payloads
- Custom hash functions to mask DLL and API names
- Direct memory operations on the kernel (ntoskrnl.exe)
- Pattern matching in the .text section of memory to locate undocumented Windows functions
“It performs pattern matching… maps physical memory to bypass standard protections… to achieve advanced goals like privilege escalation and anti-forensics,” Resecurity notes.
What sets this campaign apart is TOUGHPROGRESS’s novel use of Google Calendar:
- After installation, the malware creates a backdated calendar event.
- Exfiltrated data is embedded into event descriptions.
- Encrypted commands are posted as event updates.
- Results are uploaded via follow-up events.
This method allows bi-directional, encrypted communication between infected machines and APT41 operators without raising alarms, as the traffic appears to be normal calendar sync operations.
“ToughProgress creates a calendar event back in 2023, embedding encrypted, exfiltrated data… retrieves these events, decrypts the commands, executes them… and uploads results into a new calendar event.”
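As an added illustration, not code from Resecurity's report or from the malware itself, the following Python triage heuristic runs over constructed calendar audit records and flags the two traits described above together: an event backdated well before its creation time whose description is an opaque base64 blob. The record field names, thresholds and sample events are assumptions made for the example.

```python
import base64
import math
import re
from datetime import datetime

# Heuristic thresholds (assumed; tune against your own Workspace audit data)
BACKDATE_DAYS = 180   # start this far before creation time counts as backdated
MIN_BLOB_LEN = 64     # shorter descriptions are too small to carry a payload
MIN_ENTROPY = 4.0     # bits/char; English prose sits near 4, base64 ciphertext higher
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def shannon_entropy(text: str) -> float:
    """Bits per character of the text's symbol-frequency distribution."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def event_indicators(event: dict) -> list:
    """Return the ToughProgress-style indicators present on one calendar event."""
    reasons = []
    created = datetime.fromisoformat(event["created"])
    start = datetime.fromisoformat(event["start"])
    if (created - start).days >= BACKDATE_DAYS:
        reasons.append("backdated")
    body = event.get("description", "").replace("\n", "")
    if (len(body) >= MIN_BLOB_LEN and BASE64_RE.match(body)
            and shannon_entropy(body) >= MIN_ENTROPY):
        reasons.append("opaque-blob")
    return reasons

def triage(events: list) -> list:
    """IDs of events that are both backdated and carry an opaque blob."""
    return [e["id"] for e in events if len(event_indicators(e)) == 2]

# Constructed sample records, not real telemetry: a normal meeting, a legitimately
# imported historical event, and one shaped like the C2 pattern described above.
FAKE_BLOB = base64.b64encode(bytes(range(96))).decode()  # stands in for ciphertext
SAMPLE_EVENTS = [
    {"id": "ev-1", "created": "2025-05-20T09:00:00", "start": "2025-05-21T14:00:00",
     "description": "Quarterly planning sync with the finance team."},
    {"id": "ev-2", "created": "2025-05-20T09:05:00", "start": "2023-06-01T10:00:00",
     "description": "Imported from old team calendar: kickoff meeting notes."},
    {"id": "ev-3", "created": "2025-05-20T09:07:00", "start": "2023-05-30T10:00:00",
     "description": FAKE_BLOB},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], event_indicators(ev))
    print("flagged:", triage(SAMPLE_EVENTS))
```

Only ev-3 trips both indicators; the imported historical event is backdated but carries readable text, so it is left alone.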
Google has taken aggressive steps to combat this abuse:
- Developed custom detection fingerprints to flag malicious calendar behavior
- Disabled attacker-controlled Workspace projects
- Added relevant indicators to Safe Browsing blocklists