A sophisticated cyberattack that used Google Calendar as a covert communication channel to exfiltrate sensitive data has been dismantled by Google’s Threat Intelligence Group (GTIG). The campaign, attributed to the China-linked threat group APT41 (also known as HOODOO), exploited the calendar service as part of a stealthy command-and-control (C2) infrastructure.
The operation came to light in October 2024, when GTIG identified a compromised government website distributing malware. Once a victim’s device was infected, the malware used Google Calendar events to transmit stolen data and receive instructions from its operators.
Malware Delivered Through Spear Phishing
GTIG’s investigation revealed that APT41 initiated the attack using spear phishing emails, which included a link to a ZIP archive hosted on the compromised website. Inside the archive was a deceptive shortcut file (.lnk) disguised as a PDF, alongside a folder containing seven JPG images of arthropods. Two of these images were not ordinary pictures: they concealed an encrypted payload and a DLL file that would decrypt it.
When the target opened the shortcut file, it launched the malicious files, deleted itself, and replaced itself with a fake PDF. This document claimed the images were of species requiring export declarations—an attempt to deflect suspicion.
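One way a mail gateway or triage script can catch the lure layout described above is to inspect archive entry names for shortcut files that pose as documents, since Windows Explorer never displays the `.lnk` suffix and a name like `report.pdf.lnk` is shown as `report.pdf`. The following is an added example, not code from the original report or from GTIG; the archive it inspects is constructed in memory to resemble the described layout, the entry names are invented, and the list of document extensions is an assumption of this example.

```python
import io
import zipfile

# Extensions a user expects to open as a document or image. A .lnk whose name ends
# in one of these before ".lnk" is posing as that file type. The list is an
# assumption for this example, not taken from the report.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")


def build_sample_archive(include_shortcut: bool = True) -> bytes:
    """Constructed ZIP resembling the described lure: a shortcut posing as a PDF
    plus a folder of seven JPGs. Names and contents are placeholders, not the
    real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_shortcut:
            zf.writestr("Export Declaration.pdf.lnk", b"placeholder shortcut bytes")
        for i in range(1, 8):
            zf.writestr(f"images/arthropod_{i}.jpg", b"placeholder image bytes")
    return buf.getvalue()


def find_shortcut_entries(archive_bytes: bytes) -> dict:
    """Map every .lnk entry in the archive to the reason it was flagged.

    A shortcut is always worth a look in an archive that arrived by e-mail; one
    whose stem ends in a document or image extension is flagged more specifically.
    """
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1].lower()  # file name without directories
            if not base.endswith(".lnk"):
                continue
            stem = base[: -len(".lnk")]
            posing_as = next((e for e in DOCUMENT_EXTENSIONS if stem.endswith(e)), None)
            flagged[name] = f"shortcut posing as {posing_as}" if posing_as else "shortcut file"
    return flagged


if __name__ == "__main__":
    for entry, reason in find_shortcut_entries(build_sample_archive()).items():
        print(f"{entry}: {reason}")
```

This only looks at entry names; a fuller triage would also parse the shortcut's target and arguments, since the file name is the cheapest thing for an attacker to change.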
Multi-Stage Malware and Use of Google Calendar
The malware, codenamed TOUGHPROGRESS, operated in three stages:
- Stage One: Decrypt and execute a memory-resident DLL known as PLUSDROP.
- Stage Two: Launch a legitimate Windows process and use process hollowing to inject malicious code.
- Stage Three: Execute the final payload, which maintained communication with the attacker via Google Calendar.
TOUGHPROGRESS leveraged calendar events as a covert C2 channel. It created a zero-minute calendar event on May 30, 2023, embedding encrypted data into the event description. Two additional events, dated July 30 and 31, 2023, were used to receive and execute commands from the attacker. The malware would regularly scan for these events, decrypt commands, perform the instructed actions, and respond with another zero-minute event containing the encrypted output.
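Detection logic for the pattern just described, written as an added example; it is not part of the original report and is not one of GTIG's detection rules. It assumes the event shape returned by the Google Calendar API v3 `events.list` call (a `start` and `end` object holding either `dateTime` or, for all-day events, `date`, plus a free-text `description`), and it uses an entropy threshold of 5.0 bits per character to decide that a description is an encoded blob rather than text; both the threshold and the sample events are assumptions constructed for this example, not data from the campaign.

```python
import json
import math
import string
from datetime import datetime

# A description made only of these characters is "base64-shaped".
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")

# Constructed stand-in for an encrypted-then-encoded description: a permutation of
# the base64 alphabet followed by its reverse, so every symbol appears twice and
# the entropy is exactly 6.0 bits per character. Not a real payload.
B64_PERMUTATION = "".join((string.ascii_letters + string.digits + "+/")[i::7] for i in range(7))
ENCODED_BLOB_SAMPLE = B64_PERMUTATION + B64_PERMUTATION[::-1]

# Constructed sample in the shape of a Calendar API v3 events.list response
# (only the fields this example reads). None of it comes from the real campaign.
SAMPLE_EVENTS_JSON = json.dumps([
    {"id": "evt-1", "summary": "Team sync",
     "start": {"dateTime": "2023-05-30T10:00:00Z"},
     "end": {"dateTime": "2023-05-30T10:30:00Z"},
     "description": "Weekly status meeting, agenda in the shared doc."},
    {"id": "evt-2", "summary": "",
     "start": {"dateTime": "2023-05-30T00:00:00Z"},
     "end": {"dateTime": "2023-05-30T00:00:00Z"},
     "description": ENCODED_BLOB_SAMPLE},
    {"id": "evt-3", "summary": "Reminder",
     "start": {"dateTime": "2023-07-30T09:00:00Z"},
     "end": {"dateTime": "2023-07-30T09:00:00Z"},
     "description": "Submit timesheet before noon."},
    {"id": "evt-4", "summary": "Offsite",
     "start": {"date": "2023-07-31"},
     "end": {"date": "2023-08-01"},
     "description": ENCODED_BLOB_SAMPLE},
])


def shannon_entropy(text: str) -> float:
    """Bits per character of the text's character distribution."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _parse_time(boundary: dict):
    """Aware datetime for a start/end object, or None for all-day ("date") events."""
    raw = boundary.get("dateTime")
    if raw is None:
        return None
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def looks_encoded(description: str, min_len: int = 32, min_entropy: float = 5.0) -> bool:
    """True if the description is a long, high-entropy run of base64 characters.
    Ordinary English sits around 4 bits per character; the 5.0 cut-off is an assumption."""
    body = description.strip()
    if len(body) < min_len or not set(body) <= B64_CHARS:
        return False
    return shannon_entropy(body) >= min_entropy


def find_suspicious_events(events_json: str) -> list:
    """Return (event id, reasons) for events that are both zero-minute and carry an
    encoded description. Either signal alone is common in legitimate calendars, so
    both are required; an all-day event has no duration and is left to other checks."""
    flagged = []
    for ev in json.loads(events_json):
        reasons = []
        start, end = _parse_time(ev.get("start", {})), _parse_time(ev.get("end", {}))
        if start is not None and end is not None and start == end:
            reasons.append("zero-minute event")
        if looks_encoded(ev.get("description", "")):
            reasons.append("description is an encoded blob")
        if len(reasons) == 2:
            flagged.append((ev["id"], reasons))
    return flagged


if __name__ == "__main__":
    for event_id, reasons in find_suspicious_events(SAMPLE_EVENTS_JSON):
        print(event_id, "->", "; ".join(reasons))
```

In a Workspace environment the same check would run over audit-log or API exports of calendar activity; it is also worth pairing with a baseline of which accounts normally create events, because the events themselves sit in an attacker-controlled calendar rather than the victim's.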
Google Responds to the Threat
GTIG responded by developing custom detection rules to identify and disable the attacker-controlled Google Calendar accounts and associated Google Workspace infrastructure. Additionally, Google’s security teams:
- Updated malware detection systems
- Blocked malicious URLs and domains via Safe Browsing
- Notified affected organizations
- Shared indicators of compromise and malware samples to assist in defense and investigation efforts
This takedown highlights the increasingly creative ways threat actors exploit legitimate cloud services to evade detection—and the ongoing efforts by cybersecurity teams to stay ahead of them.