APT41 EXPLOITS GOOGLE CALENDAR IN ADVANCED MALWARE ATTACK

A state-sponsored cyber group known as "APT41" has been caught using Google Calendar for stealthy command-and-control (C2) operations via a malware strain dubbed "TOUGHPROGRESS".
 
How It Works:
Victims receive a fake PDF via spear-phishing. Upon opening, a stealthy infection chain begins decrypting, injecting, and finally activating TOUGHPROGRESS, which communicates covertly through calendar events.
 
Key Techniques:
  • Memory-only payloads
  • Process hollowing using `svchost.exe`
  • Use of encrypted Google Calendar events for data exfiltration
APT41’s malware reads encrypted commands placed in specific calendar dates and sends back results right under the radar of many traditional defenses.
Previously linked to global attacks across shipping, media, tech, and manufacturing, APT41 continues to innovate in abusing cloud platforms for cyber espionage.
 
Stay Safe:
  • Avoid clicking suspicious links or ZIP files
  • Block LNK file execution via group policy
  • Monitor usage of legitimate cloud services in your network
  • Keep your systems updated and patched
  • Use EDR tools that detect process hollowing and memory-resident malware
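One way to act on the "monitor usage of legitimate cloud services" item above, as an added example that is not part of the original post: scan proxy logs for hosts that reach Google Calendar endpoints at regular, machine-like intervals, which is how a calendar-based C2 channel tends to look from the network side. The log format, host names and the 30-minute cadence are constructed for the example; the advisory does not give the malware's real URLs or timing.

```python
import re
from datetime import datetime
from statistics import mean, pstdev
from collections import defaultdict

# Constructed sample proxy log lines (not taken from the advisory); format assumed:
# <ISO timestamp> <source host> <destination host/path>
SAMPLE_LOG = """\
2025-05-20T08:00:00 ws-17 calendar.google.com/
2025-05-20T08:00:05 ws-17 calendar.google.com/calendar/u/0/r
2025-05-20T09:30:00 ws-17 calendar.google.com/
2025-05-20T08:00:00 ws-42 www.googleapis.com/calendar/v3/calendars/primary/events
2025-05-20T08:30:00 ws-42 www.googleapis.com/calendar/v3/calendars/primary/events
2025-05-20T09:00:00 ws-42 www.googleapis.com/calendar/v3/calendars/primary/events
2025-05-20T09:30:00 ws-42 www.googleapis.com/calendar/v3/calendars/primary/events
2025-05-20T10:00:00 ws-42 www.googleapis.com/calendar/v3/calendars/primary/events
2025-05-20T08:00:00 ws-09 docs.google.com/document/d/x
"""

# Google Calendar web UI and REST API endpoints. The malware's exact URLs are not
# given in the advisory, so this pattern is an assumption covering the public service.
CALENDAR_RE = re.compile(r"^(calendar\.google\.com|www\.googleapis\.com/calendar/)")

def parse_log(text):
    """Yield (timestamp, src_host, destination) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), src, dst

def find_periodic_calendar_clients(log_text, min_hits=4, max_cv=0.10):
    """Return {src_host: mean_interval_seconds} for hosts that hit Google Calendar
    endpoints at least min_hits times with low-jitter spacing (coefficient of
    variation of the inter-request gaps at or below max_cv). Regular timing is the
    signal; a person clicking around a calendar does not produce it."""
    hits = defaultdict(list)
    for ts, src, dst in parse_log(log_text):
        if CALENDAR_RE.match(dst):
            hits[src].append(ts)
    flagged = {}
    for src, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[src] = avg
    return flagged

if __name__ == "__main__":
    for host, interval in find_periodic_calendar_clients(SAMPLE_LOG).items():
        print(f"{host}: Google Calendar requests every {interval:.0f}s (possible beaconing)")
```

Flagged hosts are candidates for triage, not verdicts: confirm with EDR which process made the requests and whether a browser or a hollowed `svchost.exe` owned the connection.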
Google has shut down the malicious Calendar infrastructure and notified affected parties.
This attack shows how even trusted tools can be weaponized. Stay alert. Stay informed.
Copyright © 2023 Armed Forces of the Philippines. All rights reserved.