APT41 Hackers Leverage Google Calendar for Malware C2 in Attacks on Government Entities
The Chinese state-sponsored threat actor APT41, also known as BARIUM, Wicked Panda, and Brass Typhoon, has been reported to exploit Google Calendar as a command-and-control (C2) mechanism in a recent campaign targeting a Taiwanese government website.
This sophisticated group, active since at least 2012, is notorious for blending cyber espionage with financially motivated cybercrime, hitting sectors like healthcare, telecom, software, and government entities worldwide.
Novel Command-and-Control Technique Uncovered
According to a Resecurity report, the group's latest tactic combines custom malware with an unconventional C2 channel, posing a significant challenge for defenders.
The attack begins with spear-phishing emails that lure victims to download a malicious ZIP archive hosted on a compromised government website.
Inside, a Windows shortcut (LNK) file, disguised as a PDF and named “申報物品清單.pdf.lnk,” is accompanied by several image files, two of which (6.jpg and 7.jpg) are actually malicious payloads.
When the victim opens the LNK file, it displays a decoy PDF while silently starting an infection chain that delivers malware dubbed TOUGHPROGRESS.
The chain runs in three stages: PLUSDROP decrypts 6.jpg with an XOR-based routine and executes the result in memory via rundll32.exe; PLUSINJECT uses process hollowing to inject the payload into a legitimate svchost.exe process for evasion; and TOUGHPROGRESS establishes persistence and communicates with attacker-controlled Google Calendar events for C2.
The malware also relies on dynamic string generation, custom hashing to avoid suspicious strings, and obfuscation techniques such as control-flow manipulation.
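The lure described above leaves two static artefacts a defender can check for before anything executes: a shortcut with a document double extension, and "image" files whose bytes are not an image. The following script is an added example (not code from the article or from Resecurity) that triages an archive for exactly those two traits. The archive members are constructed in memory as stand-ins for the real lure, the member names are assumed, and the 7.0 bits/byte entropy threshold is an assumption.

```python
"""Static triage of a lure archive: flag LNK files with a document double
extension, and image-named members that lack their format's header and look
encrypted (high entropy).

Added example, not code from the article or from Resecurity. The archive is
constructed below so the script runs offline; names and thresholds are assumptions."""
import io
import math
import random
import zipfile
from collections import Counter

LNK_MAGIC = b"L\x00\x00\x00"  # HeaderSize field (0x4C) that opens every Windows .lnk
IMAGE_MAGIC = {               # leading bytes every genuine file of that type starts with
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
HIGH_ENTROPY = 7.0  # bits/byte (assumption); XOR/AES output or compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_member(name: str, data: bytes) -> list:
    """Findings for one archive member; an empty list means nothing suspicious."""
    findings = []
    lower = name.lower()
    if lower.endswith(".lnk"):
        findings.append("LNK shortcut inside archive")
        stem = lower[:-len(".lnk")]
        if "." in stem:  # "x.pdf.lnk": Explorer hides .lnk, so the user sees a PDF
            findings.append("double extension: masquerades as " + stem.rsplit(".", 1)[1].upper())
        if not data.startswith(LNK_MAGIC):
            findings.append("LNK extension but no LNK header")
    else:
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        magic = IMAGE_MAGIC.get(ext)
        if magic is not None and not data.startswith(magic):
            kind = ext[1:].upper()
            findings.append(f"claims {kind} but lacks the {kind} header")
            entropy = shannon_entropy(data)
            if entropy >= HIGH_ENTROPY:
                findings.append(f"high entropy ({entropy:.2f} bits/byte): likely encrypted payload")
    return findings


def triage_zip(zip_bytes: bytes) -> dict:
    """Map each archive member name to its list of findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                report[info.filename] = triage_member(info.filename, zf.read(info))
    return report


def build_sample_archive() -> bytes:
    """Constructed lure: a decoy LNK, one genuine-looking JPEG, and an
    encrypted-looking blob named 6.jpg (seeded random bytes stand in for
    the XOR-encrypted payload; no real malware content is used)."""
    rng = random.Random(41)
    blob = bytes(rng.randrange(256) for _ in range(4096))
    members = {
        "declaration.pdf.lnk": LNK_MAGIC + b"\x00" * 72,
        "1.jpg": IMAGE_MAGIC[".jpg"] + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 512,
        "6.jpg": blob,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in triage_zip(build_sample_archive()).items():
        print(name, "->", findings or "clean")
```

The entropy check is only applied once the magic bytes already disagree with the extension, which keeps genuine JPEG or PNG data (naturally high-entropy because it is compressed) from being flagged; the double-extension check is what catches the LNK even when the shortcut itself is well-formed.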
Execution Details
The malware also targets ntoskrnl.exe, mapping kernel memory and using driver-like handling, potentially to achieve privilege escalation and anti-forensic capabilities; this makes analysis extraordinarily difficult for reverse engineers.
What sets this campaign apart is TOUGHPROGRESS’s use of Google Calendar as a covert C2 channel.

The malware stores encrypted data in the descriptions of calendar events, some dated as far back as 2023, both to exfiltrate information and to retrieve commands from the attackers.
Results of executed commands are uploaded to new events, ensuring stealthy, ongoing communication.
This novel approach leverages a trusted platform for malicious purposes, bypassing traditional network-based detection mechanisms.
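Because the traffic itself is ordinary HTTPS to a Google service, one place a defender can still look is the content of the calendar events: a human-written description reads as text, whereas a C2 payload is an opaque encoded blob. The script below is an added example (not code from the article, Resecurity or Google) of that content heuristic. The event records are constructed here in the shape of Google Calendar API event resources (only the fields the script reads), and the 64-character token length and 60% printable-byte ratio are assumed thresholds, not published detection logic.

```python
"""Heuristic triage of calendar events for opaque encoded blobs in descriptions,
the pattern the article attributes to TOUGHPROGRESS's C2.

Added example, not code from the article, Resecurity or Google. Events are
constructed; thresholds are assumptions chosen for illustration."""
import base64
import binascii
import re
from typing import Optional

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_TOKEN_LEN = 64          # assumption: no natural-language word is this long
MAX_PRINTABLE_RATIO = 0.6   # assumption: decoded ciphertext is mostly non-printable


def find_blob_token(description: str) -> Optional[str]:
    """Return the first whitespace-delimited token that is long, valid base64
    and decodes to mostly non-printable bytes; None if the text looks human."""
    for token in (description or "").split():
        if len(token) < MIN_TOKEN_LEN or not B64_TOKEN.match(token):
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not real base64 (bad length or padding)
        printable = sum(32 <= b < 127 for b in raw)
        if printable / len(raw) < MAX_PRINTABLE_RATIO:
            return token
    return None


def triage_events(events: list) -> list:
    """One finding per event whose description carries a blob-like token."""
    findings = []
    for ev in events:
        token = find_blob_token(ev.get("description", ""))
        if token is not None:
            findings.append({
                "id": ev.get("id"),
                "summary": ev.get("summary", ""),
                "created": ev.get("created"),
                "reason": f"description holds a {len(token)}-char base64 token "
                          f"that decodes to non-text bytes",
            })
    return findings


# Constructed sample events. evt-2 stands in for an attacker-created event; its
# "ciphertext" is just the bytes 0x80..0xDF, not real C2 traffic.
FAKE_CIPHERTEXT = bytes(range(0x80, 0xE0))
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Quarterly planning", "created": "2025-05-01T09:00:00Z",
     "description": "Agenda: budget review, hiring plan, roadmap sync."},
    {"id": "evt-2", "summary": "", "created": "2023-06-14T03:12:45Z",
     "description": base64.b64encode(FAKE_CIPHERTEXT).decode()},
    {"id": "evt-3", "summary": "Standup", "created": "2025-05-02T09:00:00Z",
     "description": "Join: https://meet.example.invalid/abc-defg-hij (dial-in below)"},
    {"id": "evt-4", "summary": "Pasted note", "created": "2025-05-03T09:00:00Z",
     "description": base64.b64encode(
         b"An ordinary note someone pasted as base64; it decodes to plain text, so not a blob."
     ).decode()},
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit)
```

The two guards matter for false positives: a URL fails the base64 alphabet check because of `:` and `/` runs with dots, and a legitimately pasted base64 note decodes to printable text and is left alone. Only the token that decodes to non-text bytes (evt-2) is reported, together with its creation time, which an analyst can then correlate with the 2023-era events the article mentions.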
In response, Google has implemented custom detection fingerprints to identify and disable malicious calendar instances, added harmful domains to Safe Browsing blocklists, and taken down associated Workspace projects to curb the threat.
APT41’s tactics map to multiple MITRE ATT&CK techniques, including spearphishing (T1566.001), process injection (T1055.012), and exfiltration over C2 channels (T1041), highlighting their versatility and danger as a hybrid threat actor combining statecraft with cybercrime.
Indicators of Compromise (IOCs)
| File Name | SHA256 Hash | MD5 Hash |
|---|---|---|
| 出境海關申報清單.zip | 469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a | 876fb1b0275a653c4210aaf01c2698ec |
| 申報物品清單.pdf.lnk | 3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb | 65da1a9026cf171a5a7779bc5ee45fb1 |
| 6.jpg | 50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360 | 1ca609e207edb211c8b9566ef35043b6 |
| 7.jpg | 151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7 | 2ec4eeeabb8f6c2970dcbffdcdbd60e3 |