Google Shuts Down China-Linked Calendar Hack: APT41 Malware Exposed

Introduction

In a stunning revelation, Google has confirmed that state-sponsored hackers from China exploited Google Calendar to run a sophisticated cyber-espionage campaign. The operation, linked to the APT41 (also known as HOODOO) group, utilized Calendar events as a command-and-control (C2) channel to extract sensitive data from infected devices.

Discovery and Attribution

According to Google Threat Intelligence Group (GTIG), the campaign was discovered in October 2024 and traced to a compromised government website used to distribute malware. The malware, dubbed TOUGHPROGRESS, was carefully engineered and attributed to APT41, a known Chinese advanced persistent threat actor catalogued in MITRE ATT&CK’s threat database.

How the Malware Worked

The infection process began with spear phishing emails targeting specific users. These emails contained a ZIP file hosted on the compromised website. The archive included a disguised shortcut (.LNK) file mimicking a PDF, and a folder of images showing insects and spiders. Hidden within two of these JPGs were:

  • An encrypted payload
  • A dynamic link library (DLL) to decrypt and execute it

When the user clicked the LNK file, it initiated a three-stage malware execution pipeline:

  1. Stage 1: Decrypt and run the PLUSDROP DLL in memory
  2. Stage 2: Launch a legitimate Windows process, then inject malicious code via process hollowing
  3. Stage 3: Deploy TOUGHPROGRESS to steal data and use Google Calendar as a C2 channel

Google Calendar as a Command Channel

TOUGHPROGRESS used zero-minute Calendar events with encrypted data placed in the event descriptions. Hardcoded dates such as May 30, 2023 and July 30–31, 2023 served as triggers and backdoors for communication. When an attacker issued commands, TOUGHPROGRESS would poll the calendar, decrypt the instructions, execute them, and post the results back as new calendar events, a novel and stealthy use of a cloud service.
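The pattern described above gives a defender something concrete to hunt for. The following check is an added example, not code from Google's report or from the article: it flags zero-minute events whose description is an opaque encoded blob rather than prose, and notes when such an event falls on one of the dates the article names. The event field names and the sample events are constructed assumptions, loosely modelled on Calendar API output.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample events in a simplified Calendar-API-like shape
# (only the fields this check needs); not real captured data.
SAMPLE_EVENTS = [
    {"id": "evt-1", "start": "2023-05-30T09:00:00Z", "end": "2023-05-30T09:30:00Z",
     "description": "Weekly status meeting, agenda is in the shared doc."},
    {"id": "evt-2", "start": "2023-05-30T00:00:00Z", "end": "2023-05-30T00:00:00Z",
     "description": "q8Jk2ZvP0sX7mR4tWn1LbA9dCe6FgH3iUoY5xT2rVzK8N=="},
    {"id": "evt-3", "start": "2023-07-31T00:00:00Z", "end": "2023-07-31T00:00:00Z",
     "description": "Pay the invoice"},
]

# Dates the article reports as hardcoded in TOUGHPROGRESS.
KNOWN_TRIGGER_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}
# Character set typical of base64/base64url-style encoded payloads.
OPAQUE_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(text):
    """Bits per character; natural language sits well below encoded or encrypted data."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_zero_minute(event):
    """True when the event starts and ends at the same instant."""
    start = datetime.fromisoformat(event["start"].replace("Z", "+00:00"))
    end = datetime.fromisoformat(event["end"].replace("Z", "+00:00"))
    return start == end


def looks_opaque(text, min_len=24, min_entropy=3.5):
    """Heuristic: long, single-token, high-entropy text reads as a blob, not prose."""
    t = text.strip()
    return (len(t) >= min_len and OPAQUE_CHARS.match(t) is not None
            and shannon_entropy(t) >= min_entropy)


def flag_c2_like_events(events):
    """Return {event_id: [reasons]} for zero-minute events carrying opaque descriptions."""
    flagged = {}
    for ev in events:
        if is_zero_minute(ev) and looks_opaque(ev.get("description", "")):
            reasons = ["zero-minute", "opaque-description"]
            if ev["start"][:10] in KNOWN_TRIGGER_DATES:
                reasons.append("known-trigger-date")
            flagged[ev["id"]] = reasons
    return flagged
```

Run over an export of organisational calendars, a non-empty result from `flag_c2_like_events` is a lead to triage, not a verdict; legitimate integrations also create zero-minute events, so the description heuristic carries most of the signal.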

Google’s Response and Mitigation

GTIG responded swiftly by disabling attacker-controlled Calendar accounts, Google Workspace projects, and associated infrastructure. In addition, they:

  • Updated Google Safe Browsing to block malicious domains
  • Created custom malware detection signatures
  • Notified affected organizations and shared malware samples for forensic analysis

Conclusion

This incident is a stark reminder of how even trusted cloud-based productivity tools can be weaponized. While Google has taken decisive action to shut down APT41’s Calendar-based C2 system, the campaign highlights the need for vigilant cyber hygiene and better cloud app monitoring.

For more expert guidance on hardening your systems against APT groups, visit CISA’s Vulnerability Catalog.
