Chinese APT41 Hackers Turn Google Calendar Into Covert Command Center for Government Espionage

Google revealed on Wednesday that the notorious Chinese state-backed hacking group APT41 has developed sophisticated malware called TOUGHPROGRESS that weaponizes Google Calendar as a command-and-control platform.

The tech company uncovered this operation in late October 2024, discovering that cybercriminals had compromised a government website to host the malware and launch attacks against multiple government organizations.

"Cloud service exploitation for command-and-control purposes allows threat actors to camouflage malicious activities within normal network traffic," explained Patrick Whitsell, a researcher with Google's Threat Intelligence Group.

APT41 operates under numerous aliases, including Axiom, Blackfly, Brass Typhoon, Bronze Atlas, Earth Baku, HOODOO, RedGolf, Red Kelpie, TA415, Wicked Panda, and Winnti. This highly active nation-state organization consistently targets government agencies and private companies across shipping, logistics, media, entertainment, technology, and automotive industries worldwide.

Previous campaigns by this group have been extensive. In July 2024, Google documented sustained attacks against entities in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom, utilizing various malicious tools including ANTSWORD, BLUEBEAM, DUSTPAN, and DUSTTRAP web shells and droppers.

Earlier in 2024, a subset of APT41 launched the RevivalStone campaign, specifically targeting Japanese manufacturing, materials, and energy companies in March.

The newly discovered attack methodology begins with targeted spear-phishing emails containing links to ZIP archives hosted on the compromised government site. These archives contain a folder with what appears to be seven arthropod images labeled "1.jpg" through "7.jpg", along with a Windows shortcut file disguised as a PDF document.

When victims activate the shortcut file, they see a decoy PDF claiming that the arthropod species requires an export declaration. However, the files labeled "6.jpg" and "7.jpg" are malicious payloads rather than genuine images.

"The initial file contains an encrypted payload that gets decrypted by the second file - a DLL that executes when the victim clicks the shortcut," Whitsell noted. The malware employs advanced evasion tactics including memory-only execution, encryption, compression, and obfuscated control flow.

The attack unfolds through three sequential malware components:

1. PLUSDROP - A DLL that decrypts and launches the next stage directly in system memory.
2. PLUSINJECT - Performs process injection by hollowing out a legitimate "svchost.exe" process to insert the final payload.
3. TOUGHPROGRESS - The primary malware that establishes communication through Google Calendar.

The malware's most innovative feature involves manipulating Google Calendar events for data theft and command execution. It creates zero-duration events on a predetermined date (May 30, 2023) to store stolen information within event descriptions.

Attackers embed encrypted instructions in Calendar events dated July 30-31, 2023. The malware continuously monitors these events, decrypts the commands, executes them on infected Windows systems, and writes results back to additional Calendar events for attacker retrieval.
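As an added example (not from the article, and not Google's own tooling), a defender-side heuristic in Python that scans constructed Calendar event records for the markers described above: zero-duration events, untitled events on the hardcoded dates, and long opaque base64- or hex-looking descriptions. The record shape and every function name are assumptions made for the example.

```python
import base64
import math
import re
from collections import Counter
from datetime import datetime

# Dates the article reports TOUGHPROGRESS used: 2023-05-30 for exfiltrated
# data, 2023-07-30/31 for operator commands.
KNOWN_C2_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/=]{32,}$")  # base64/hex-looking, no whitespace

# Constructed sample records (not real data); the shape loosely follows a
# Calendar event export with start/end timestamps and a free-text description.
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Team sync",
     "start": "2023-05-30T10:00:00Z", "end": "2023-05-30T10:30:00Z",
     "description": "Weekly status meeting"},
    {"id": "evt-2", "summary": "",
     "start": "2023-05-30T00:00:00Z", "end": "2023-05-30T00:00:00Z",
     "description": base64.b64encode(b"constructed sample exfil blob 0001 for demo").decode()},
    {"id": "evt-3", "summary": "",
     "start": "2023-07-31T00:00:00Z", "end": "2023-07-31T00:00:00Z",
     "description": "5f1e9a0c3b7d2e4a6c8f0b1d3e5a7c9f2b4d6e8a0c1f3d5b7e9a2c4f6d8b0e1a"},
    {"id": "evt-4", "summary": "Dentist",
     "start": "2023-07-31T09:00:00Z", "end": "2023-07-31T10:00:00Z",
     "description": ""},
]

def parse_ts(value):
    # fromisoformat() in older Pythons does not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def event_reasons(event, min_entropy=3.0):
    """Return the heuristics this event trips; empty list means not flagged."""
    start, end = parse_ts(event["start"]), parse_ts(event["end"])
    reasons = ["zero-duration"] if start == end else []
    desc = event.get("description", "")
    if OPAQUE_RE.match(desc) and shannon_entropy(desc) >= min_entropy:
        reasons.append("opaque-description")
    if start.strftime("%Y-%m-%d") in KNOWN_C2_DATES and not event.get("summary"):
        reasons.append("untitled-on-known-c2-date")
    # Report only the zero-duration + opaque-description combination to limit noise.
    return reasons if "zero-duration" in reasons and "opaque-description" in reasons else []

def flag_suspicious_events(events):
    return {e["id"]: event_reasons(e) for e in events if event_reasons(e)}
```

Run it against an export of a Workspace tenant's calendars (for instance from the Calendar API or an audit log) and review the flagged event IDs by hand; the entropy threshold and alphabet are starting points, not a signature.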

Google has dismantled the malicious Calendar infrastructure and shut down the associated Workspace accounts, effectively neutralizing the entire operation. The company also alerted affected organizations, though the campaign's full scope remains undetermined.

This incident represents the second documented case of APT41 exploiting Google's ecosystem. In April 2023, the group targeted a Taiwanese media company using Google Command and Control (GC2), an open-source red team tool delivered through password-protected Google Drive files. Once deployed, GC2 functions as a backdoor that retrieves commands from Google Sheets and exfiltrates sensitive data via Google's cloud storage platform.