Chinese state-sponsored threat actor APT41 is targeting government organisations with a malware variant that uses Google Calendar as its command-and-control (C2) channel. The malware, dubbed ToughProgress, uses calendar events to communicate between the compromised system and the attacker.
The malicious activity was picked up by Google's Threat Intelligence Group (GTIG). The search giant's cybersecurity team has included indicators of compromise in its report, added the malicious infrastructure to the Google Safe Browsing blocklist, and notified the affected organisations.
APT41 gains initial access through phishing emails. Each email contains a link to a ZIP archive hosted on a malicious website; the archive holds an LNK file passed off as a PDF document. When the LNK file is executed, it launches the PlusDrop DLL, which in turn runs a malware injector called PlusInject. The final stage installs ToughProgress and injects it into the svchost process using process hollowing to evade detection.

Once running, the malware creates a zero-minute Google Calendar event on a predetermined date and writes the data collected from the targeted machine into the event's description. The operator then adds calendar events containing commands, which the malware retrieves by reading the hardcoded calendar events it polls for.
Based on this activity, Google developed custom fingerprints that were used to track and take down the calendars used by the hacking group. The search giant also targeted Workspace projects used by the group to further disrupt its online infrastructure.
APT41 has a history of targeting government organisations for espionage. It has also targeted other organisations around the world across sectors, including automotive, entertainment, media, logistics, shipping and, of course, tech. The search giant also warned that the threat group has been using free web hosting tools to distribute malware, including ToughProgress, targeting hundreds of companies since at least August 2024.
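The beaconing pattern described above (zero-minute events whose description holds exfiltrated data rather than human text) is something a defender can hunt for in exported calendar data. The following is an added detection sketch, not code from Google's report or from ToughProgress itself; the sample events are constructed and only loosely follow the Calendar API Event shape (`start.dateTime`, `end.dateTime`, `description`), and the base64/entropy heuristic is an assumption, not a documented ToughProgress encoding.

```python
import base64
import math
import re
from datetime import datetime

_B64 = re.compile(r"^[A-Za-z0-9+/=]{40,}$")
_FMT = "%Y-%m-%dT%H:%M:%S%z"

def _entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded blobs score high."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def is_zero_duration(event: dict) -> bool:
    """ToughProgress beacons are zero-minute events, so start == end."""
    start = datetime.strptime(event["start"]["dateTime"], _FMT)
    return start == datetime.strptime(event["end"]["dateTime"], _FMT)

def looks_encoded(description: str) -> bool:
    """Constructed heuristic: long, valid base64 with high entropy, not prose."""
    text = description.strip().replace("\n", "")
    if not _B64.match(text):
        return False
    try:
        base64.b64decode(text, validate=True)
    except (ValueError, TypeError):
        return False
    return _entropy(text) > 3.5

def suspicious_events(events: list) -> list:
    """Ids of events that are zero-duration and carry an encoded payload."""
    return [e["id"] for e in events
            if is_zero_duration(e) and looks_encoded(e.get("description", ""))]

def _event(eid, desc, start, end):
    return {"id": eid, "description": desc,
            "start": {"dateTime": start}, "end": {"dateTime": end}}

# Constructed sample: a normal meeting, a beacon-like event, and a zero-length reminder.
_BEACON = base64.b64encode(
    b"host=WS-042;user=analyst;os=Windows 10 22H2;ip=10.0.0.5;domain=corp.example").decode()
SAMPLE_EVENTS = [
    _event("evt-1", "Agenda: roadmap review", "2025-05-30T09:00:00+00:00", "2025-05-30T09:30:00+00:00"),
    _event("evt-2", _BEACON, "2025-05-30T12:00:00+00:00", "2025-05-30T12:00:00+00:00"),
    _event("evt-3", "Renew the TLS certificate", "2025-05-30T15:00:00+00:00", "2025-05-30T15:00:00+00:00"),
]

if __name__ == "__main__":
    print(suspicious_events(SAMPLE_EVENTS))  # -> ['evt-2'] on the constructed sample
```

A zero-length reminder with ordinary text (evt-3) is not flagged; only the combination of zero duration and an opaque payload is, which keeps the rule useful as a triage filter rather than a noisy alert.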