Ddos 
APT41βalso known as BARIUM, Wicked Panda, and Brass Typhoonβis a well-known Chinese state-sponsored APT group notorious for blending espionage with cybercrime. In its latest campaign, analyzed by Resecurity, the group targeted a Taiwanese government website, deploying an advanced multi-stage malware framework that uses Google Calendar as a covert command-and-control (C2) channel.
The attack begins with spear-phishing emails that direct victims to download a ZIP archive hosted on a compromised government site. Inside the archive:
- A Windows LNK file posing as a PDF
- Seven JPG files, two of whichββ6.jpgβ and β7.jpgββare actually malicious payload containers
Opening the shortcut triggers a deceptive PDF decoy while silently launching malware named ToughProgress via a carefully obfuscated chain.
The malware is deployed in three distinct stages:
- PLUSDROP: Decrypts and loads 6.jpg using Rundll32.exe with in-memory execution to avoid disk detection.
- PLUSINJECT: Injects decrypted code into svchost.exe via process hollowing, evading endpoint detection tools.
- TOUGHPROGRESS: Establishes C2 communications via Google Calendar events.
βThe malware operates through three sequential modules… with various stealth and evasion techniques including in-memory execution, encryption, compression, process hollowing, and use of Google Calendar for C2 communications,β β Resecurity explains.
APT41 used several low-level evasion mechanisms, including:
- XOR-based decryption of payloads
- Custom hash functions to mask DLL and API names
- Direct memory operations on the kernel (ntoskrnl.exe)
- Pattern matching in the .text section of memory to locate undocumented Windows functions
βIt performs pattern matching… maps physical memory to bypass standard protections… to achieve advanced goals like privilege escalation and anti-forensics,β Resecurity notes.
What sets this campaign apart is TOUGHPROGRESSβs novel use of Google Calendar:
- After installation, the malware creates a backdated calendar event.
- Exfiltrated data is embedded into event descriptions.
- Encrypted commands are posted as event updates.
- Results are uploaded via follow-up events.
This method allows bi-directional, encrypted communication between infected machines and APT41 operators without raising alarms, as the traffic appears to be normal calendar sync operations.
βToughProgress creates a calendar event back in 2023, embedding encrypted, exfiltrated data… retrieves these events, decrypts the commands, executes them… and uploads results into a new calendar event.β
Google has taken aggressive steps to combat this abuse:
- Developed custom detection fingerprints to flag malicious calendar behavior
- Disabled attacker-controlled Workspace projects
- Added relevant indicators to Safe Browsing blocklists
Related Posts:
- Mac App Store discovers cryptocurrency Miner in “Calendar 2” application
- Chinese APT41 Group Breaches Taiwanese Research Institute
- Zero-Click Calendar Invite: Critical macOS Vulnerability Chain Uncovered
- Cyber Espionage Alert: APT41 Strikes Global Industries, Steals Sensitive Data
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
