Google said that a Chinese state-sponsored hacking group, known as APT41, deployed a novel malware dubbed TOUGHPROGRESS that exploits Google Calendar as part of its command-and-control (C2) infrastructure.
The malware campaign, discovered in late October 2024 by the Google Threat Intelligence Group (GTIG), was traced to a compromised government website, which was used to distribute the malicious payload targeting other government entities.
APT41 (aka Wicked Panda, Brass Typhoon, and Winnti) has a long history of cyberattacks on sectors including technology, logistics, and government agencies across multiple countries. The observed campaign is the latest in a series of 2024 operations, including targeted intrusions in Japan, Italy, and the UK.
The attack chain begins with spear-phishing emails containing a ZIP archive hosted on the compromised site. The archive includes a disguised LNK file and a folder of image files, two of which contain encrypted malware payloads. When the LNK is opened, a fake PDF appears, while malicious code executes in the background.
The multi-stage infection uses three components: PLUSDROP (a DLL that decrypts and launches the next stage in memory), PLUSINJECT (which injects code into a legitimate Windows process), and the main malware, TOUGHPROGRESS, which communicates with attacker-controlled Google Calendar events.
TOUGHPROGRESS reads calendar events to receive encrypted commands and writes to them to exfiltrate stolen data, so the C2 traffic masquerades as legitimate Google Calendar activity.
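The delivery pattern above (a ZIP carrying a lure LNK plus image files that actually hold encrypted payloads) can be triaged before execution. The following is an added example written for this article, not Google's or GTIG's tooling: it flags archives that pair a `.lnk` with "images" lacking a real image header and showing near-8-bit entropy; the extensions, magic bytes and entropy threshold are assumptions, and the sample archive is constructed inline.

```python
# Added triage heuristic (not GTIG tooling) for the TOUGHPROGRESS delivery ZIP:
# a Windows shortcut bundled with image files that carry encrypted data.
import io
import math
import os
import zipfile

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8", b"BM")
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random/encrypted data, lower for real images."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_archive(zip_bytes: bytes) -> dict:
    """Return the suspicious findings for one ZIP held in memory."""
    findings = {"lnk": [], "fake_images": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext == ".lnk":
                findings["lnk"].append(info.filename)
            elif ext in IMAGE_EXTS:
                data = zf.read(info.filename)
                # Real images start with a known magic; an encrypted blob
                # usually does not, and its entropy sits near 8 bits/byte.
                if (not data.startswith(IMAGE_MAGIC)
                        and shannon_entropy(data) > ENTROPY_THRESHOLD):
                    findings["fake_images"].append(info.filename)
    # The lure LNK and the payload-bearing "images" are what make the pattern.
    findings["suspicious"] = bool(findings["lnk"] and findings["fake_images"])
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample: lure LNK, one genuine PNG header, two fake JPGs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 64)
        zf.writestr("images/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 200)
        zf.writestr("images/1.jpg", bytes(range(256)) * 16)       # max entropy
        zf.writestr("images/2.jpg", bytes(range(255, -1, -1)) * 16)
    return buf.getvalue()
```

`triage_archive(build_sample_archive())` reports both fake JPGs and the LNK, while the PNG with a valid header is left alone.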
Google said it has dismantled the attacker’s Calendar infrastructure and terminated related Workspace projects. The affected organizations have been notified, though the full extent of the campaign remains unknown.