
In an example of cloud service abuse, Google Threat Intelligence Group (GTIG) has uncovered a new APT41 campaign that leverages Google Calendar as a covert command-and-control (C2) channel. The campaign, whose malware GTIG has dubbed TOUGHPROGRESS, targeted multiple government entities through a compromised government website and demonstrates how state-backed attackers continue to innovate in evasion and stealth.
“We assess with high confidence that this malware is being used by the PRC based actor APT41 (also tracked as HOODOO),” GTIG stated, citing their global operations and strategic targeting.
The campaign began with spear-phishing emails linking to a malicious ZIP archive hosted on a compromised government website. The ZIP file contained a disguised .lnk file masquerading as a PDF and several JPGs themed around arthropods.
“The files ‘6.jpg’ and ‘7.jpg’ are fake images. The first is actually an encrypted payload and the second is a DLL file launched when the target clicks the LNK,” GTIG explained.
Once triggered, the malware displays a decoy export declaration PDF to distract the user while the infection chain proceeds silently.
The TOUGHPROGRESS malware is deployed in three modular stages:
- PLUSDROP – Decrypts and executes the next payload in memory.
- PLUSINJECT – Launches a legitimate svchost.exe and injects the final stage.
- TOUGHPROGRESS – The core payload, performing host surveillance and communicating via Google Calendar.
The malware uses in-memory execution, DLL injection, and process hollowing to evade endpoint detection.
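Because PLUSINJECT starts a legitimate svchost.exe and then hollows it, one practical place to look is process-creation telemetry. The following is an added example, not GTIG's or Mandiant's detection content: it applies three baseline rules to rows shaped like Sysmon event ID 1 fields (Image, ParentImage, CommandLine), flagging an svchost.exe whose parent is not services.exe, whose image is not in System32, or whose command line carries no "-k <group>" argument. The rows and the rules are constructed assumptions about normal Windows behaviour, not official signatures.

```python
"""Hunt for svchost.exe launches that look like injection targets.

Added example, not GTIG's detection content. On a healthy host svchost.exe is
started by services.exe from System32 with a "-k <service group>" argument;
a copy that breaks any of those rules deserves a closer look. Input rows mimic
Sysmon event ID 1 fields; the rows below are constructed and the rules are
assumptions about baseline behaviour.
"""
from __future__ import annotations

import ntpath

SYSTEM32 = r"c:\windows\system32"   # assumption: default system root


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def svchost_findings(event: dict) -> list[str]:
    """Return the rules an svchost.exe launch violates; [] if clean or not svchost."""
    image = event.get("Image", "")
    if _name(image) != "svchost.exe":
        return []
    findings = []
    if _name(event.get("ParentImage", "")) != "services.exe":
        findings.append("parent_not_services")
    if ntpath.dirname(image).lower() != SYSTEM32:
        findings.append("image_outside_system32")
    # Pad with spaces so "-k" is matched as a standalone switch.
    if " -k " not in f" {event.get('CommandLine', '').lower()} ":
        findings.append("missing_service_group")
    return findings


def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Map ProcessId -> findings for every event with at least one finding."""
    return {e["ProcessId"]: f for e in events if (f := svchost_findings(e))}


# Constructed sample telemetry: one normal service host, one suspicious launch,
# one unrelated process.
SAMPLE_EVENTS = [
    {
        "ProcessId": "1044",
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    },
    {   # hypothetical parent path; no service group on the command line
        "ProcessId": "5120",
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Users\victim\Downloads\decoy\launcher.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe",
    },
    {
        "ProcessId": "7001",
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

A real deployment would feed the same function from a SIEM query rather than an inline list; the rules are deliberately simple so that each finding maps to one observable deviation from baseline.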
TOUGHPROGRESS employs advanced evasion mechanisms:
- Register-based indirect calls
- 64-bit address arithmetic overflow
- Control flow obfuscation
But what makes it stand out is its misuse of Google Calendar:
“TOUGHPROGRESS has the capability to read and write events with an attacker-controlled Google Calendar.”
Once active, it:
- Creates a zero-minute event on a hardcoded date.
- Encrypts host data and writes it into the event description.
- Polls for attacker-injected commands on other calendar dates.
- Executes decrypted instructions and writes back the result in new events.
This use of Calendar makes malicious traffic appear as normal API activity, allowing it to blend into legitimate user behavior.
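The traits listed above (zero-minute events, an encrypted blob in the description, and events written onto a fixed date long after the fact) are also what a defender can look for in a Workspace tenant's Calendar data. The script below is an added example, not GTIG's tooling: it scores events in the shape returned by the Calendar API v3 `events.list` call (fields `id`, `summary`, `description`, `start.dateTime`, `end.dateTime`, `created`) and reports which traits each event shows. The entropy, length and backdating thresholds are assumptions chosen for illustration, and the two events are constructed.

```python
"""Heuristic triage of Google Calendar events for covert-channel abuse.

Added example, not GTIG's signatures. Each event is checked for three traits
the article attributes to TOUGHPROGRESS: zero-minute duration, a description
that looks like ciphertext rather than prose, and a start date far in the past
relative to when the event was created. All thresholds are assumptions.
"""
from __future__ import annotations

import base64
import math
from datetime import datetime

ENTROPY_BITS = 4.8   # assumption: English prose sits around 4.0-4.5 bits/char
MIN_BLOB_LEN = 64    # assumption: ignore short descriptions
BACKDATE_DAYS = 30   # assumption: created more than 30 days after start


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for empty input."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _ts(value: str) -> datetime:
    # Calendar API returns RFC 3339 timestamps; the constructed sample uses
    # the "+00:00" offset form, which fromisoformat accepts on every 3.x.
    return datetime.fromisoformat(value)


def suspicious_traits(event: dict) -> list[str]:
    """Return the names of every covert-channel trait the event exhibits."""
    traits = []
    start, end = _ts(event["start"]["dateTime"]), _ts(event["end"]["dateTime"])
    if start == end:
        traits.append("zero_minute_event")
    desc = event.get("description", "")
    if len(desc) >= MIN_BLOB_LEN and shannon_entropy(desc) >= ENTROPY_BITS:
        traits.append("high_entropy_description")
    if (_ts(event["created"]) - start).days > BACKDATE_DAYS:
        traits.append("backdated_event")
    return traits


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> traits for every event with at least one trait."""
    return {e["id"]: t for e in events if (t := suspicious_traits(e))}


# Constructed sample: one ordinary meeting and one event shaped like a beacon.
# The base64 of a 256-byte run stands in for an encrypted payload.
_BLOB = base64.b64encode(bytes(range(256))).decode()
SAMPLE_EVENTS = [
    {
        "id": "evt-benign",
        "summary": "Finance sync",
        "description": "Quarterly sync with the finance team to review the export declaration and agree on the next steps.",
        "start": {"dateTime": "2025-06-02T09:00:00+00:00"},
        "end": {"dateTime": "2025-06-02T09:30:00+00:00"},
        "created": "2025-05-28T14:02:11+00:00",
    },
    {
        "id": "evt-beacon",
        "summary": "",
        "description": _BLOB,
        "start": {"dateTime": "2024-01-15T00:00:00+00:00"},
        "end": {"dateTime": "2024-01-15T00:00:00+00:00"},
        "created": "2025-05-28T14:02:30+00:00",
    },
]

if __name__ == "__main__":
    for event_id, traits in triage(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(traits))
```

Run against a real export, the useful signal is not any single trait but the combination: a zero-minute event with a ciphertext-like description sitting on a date nobody scheduled is rare in legitimate use, while each trait on its own (a reminder with no duration, a pasted log in a description) occurs often enough to need the others before an analyst is paged.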
Working alongside Mandiant FLARE, GTIG successfully disrupted the TOUGHPROGRESS campaign by:
- Developing custom detection signatures
- Tearing down attacker-controlled Calendar accounts
- Terminating associated Workspace projects
- Updating Google Safe Browsing blocklists
“To disrupt APT41 and TOUGHPROGRESS malware, we have developed custom fingerprints… and added malicious domains and URLs to the Google Safe Browsing blocklist.”

GTIG also alerted compromised organizations and shared detailed logs and threat intelligence to support incident response efforts.
APT41’s activities go beyond TOUGHPROGRESS. Previous GTIG and partner reports have tracked:
- VOLDEMORT – Delivered via Google Sheets/Drive.
- DUSTTRAP – Hosted via public cloud platforms.
- Malware delivery using free hosting sites like TryCloudflare, InfinityFree, and Cloudflare Workers.
“APT41 has used Cloudflare Worker subdomains the most frequently… [and] URL shorteners to disguise malicious payloads.”
All known indicators of compromise (IOCs) and malicious infrastructure have been blocked or dismantled by Google.