Chinese Hacking Group APT41 Exploits Google Calendar to Target Governments

Chinese state-sponsored threat actor APT41 has targeted government entities with malware that uses Google Calendar for command-and-control (C&C), Google warns.

Also tracked as Barium, Winnti, Wicked Panda and Wicked Spider, APT41 is known for targeting organizations globally across multiple sectors, including automotive, entertainment, government, logistics, media, shipping and technology.

In attacks observed in October 2024, the threat actor used a compromised government site to target other government entities with the ToughProgress malware that uses an attacker-controlled Google Calendar for C&C.

APT41 relied on phishing emails containing a link to a ZIP archive hosted on the compromised website, which contained a LNK file posing as a PDF document.

When opened, the LNK file launched a DLL (dubbed PlusDrop) that executed the next stage (PlusInject), which in turn injected the final payload (ToughProgress) into a legitimate svchost.exe process using process hollowing.

Upon execution, ToughProgress creates a zero-minute Calendar event at a hardcoded date and writes data collected from the compromised machine, in encrypted form, into the event description. The malware also reads Calendar events at hardcoded dates, into which the operator writes encrypted commands.

“When an event is retrieved, the event description is decrypted and the command it contains is executed on the compromised host. Results from the command execution are encrypted and written back to another Calendar event,” Google explains.
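
The exchange described in the two paragraphs above, as an added simulation (not Google's analysis code and not the malware itself): an in-memory stand-in for the attacker-controlled calendar, an implant side that posts encrypted host data to a zero-minute event on a hardcoded date and polls another hardcoded date for tasking, an operator side that writes commands and collects results, and a defender-side heuristic that flags zero-duration events carrying long high-entropy descriptions. The event dicts borrow a few Google Calendar API v3 field names (summary, description, start.dateTime, end.dateTime); the repeating-key XOR "cipher", the key, the dates, the host fingerprint and the command handlers are assumptions chosen for illustration, not details of ToughProgress.

```python
"""Simulation of a Calendar-based C2 loop modelled on the ToughProgress description.

Added example, not Google's or APT41's code. Field names mirror a few Google
Calendar API v3 fields; the XOR scheme, key, dates and handlers are assumptions.
"""
import base64
import math
from collections import Counter
from datetime import datetime, timezone

CALENDAR = []  # in-memory stand-in for the attacker-controlled calendar

# Assumed hardcoded dates: where the implant posts its check-in, where it
# polls for tasking, and where it writes command results.
CHECKIN_DATE = datetime(2024, 10, 1, tzinfo=timezone.utc)
TASKING_DATE = datetime(2024, 10, 2, tzinfo=timezone.utc)
RESULT_DATE = datetime(2024, 10, 3, tzinfo=timezone.utc)
KEY = bytes.fromhex("6a1f9c03d5b87e42f0a95c1d")  # assumed key, not the real one

# Constructed host fingerprint the implant would collect at check-in.
SAMPLE_HOST_INFO = ('{"hostname": "GOV-WS01", "user": "svc-account", '
                    '"os": "Windows 10 Enterprise", "domain": "example.gov", '
                    '"pid": 4321, "arch": "x64"}')


def xor_encrypt(data: bytes, key: bytes = KEY) -> str:
    """Toy repeating-key XOR, then base64 so the blob fits in a text description."""
    return base64.b64encode(bytes(b ^ key[i % len(key)] for i, b in enumerate(data))).decode()


def xor_decrypt(text: str, key: bytes = KEY) -> bytes:
    raw = base64.b64decode(text)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))


def zero_minute_event(when: datetime, description: str) -> dict:
    """An event whose end equals its start, as the article describes."""
    stamp = when.isoformat()
    return {"summary": "", "description": description,
            "start": {"dateTime": stamp}, "end": {"dateTime": stamp}}


def events_on(when: datetime) -> list:
    day = when.date().isoformat()
    return [e for e in CALENDAR if e["start"]["dateTime"].startswith(day)]


# ---- implant side -------------------------------------------------------------
def implant_checkin(host_info: str) -> dict:
    """Post encrypted host data as a zero-minute event at the hardcoded date."""
    ev = zero_minute_event(CHECKIN_DATE, xor_encrypt(host_info.encode()))
    CALENDAR.append(ev)
    return ev


# Simulated handlers; the real implant executes the command on the host.
HANDLERS = {"whoami": lambda: "svc-account", "hostname": lambda: "GOV-WS01"}


def implant_poll() -> list:
    """Fetch tasking events, decrypt, 'run' them, and post encrypted results."""
    done = []
    for ev in events_on(TASKING_DATE):
        cmd = xor_decrypt(ev["description"]).decode()
        output = HANDLERS.get(cmd, lambda: f"unknown command {cmd!r}")()
        CALENDAR.append(zero_minute_event(RESULT_DATE, xor_encrypt(output.encode())))
        done.append((cmd, output))
    return done


# ---- operator side ------------------------------------------------------------
def operator_task(command: str) -> dict:
    ev = zero_minute_event(TASKING_DATE, xor_encrypt(command.encode()))
    CALENDAR.append(ev)
    return ev


def operator_collect() -> list:
    return [xor_decrypt(e["description"]).decode() for e in events_on(RESULT_DATE)]


# ---- defender side ------------------------------------------------------------
def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def suspicious_events(events: list, min_len: int = 40, min_entropy: float = 4.5) -> list:
    """Heuristic over a calendar export: zero-duration events whose description
    is a long, high-entropy blob rather than human-written text."""
    return [e for e in events
            if e["start"]["dateTime"] == e["end"]["dateTime"]
            and len(e.get("description", "")) >= min_len
            and shannon_entropy(e["description"]) >= min_entropy]


if __name__ == "__main__":
    implant_checkin(SAMPLE_HOST_INFO)
    operator_task("whoami")
    print("implant ran:", implant_poll())
    print("operator got:", operator_collect())
    print("flagged:", len(suspicious_events(CALENDAR)), "of", len(CALENDAR), "events")
```

The defender heuristic only sees the longer check-in blob here; short tasking and result blobs slip under the length floor, which is why calendar-content analysis should be paired with host and network telemetry (for example, a hollowed svchost.exe instance making Calendar API calls it has no business making).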

Google says it developed custom fingerprints to find and take down the APT41-controlled Calendars, and identified and disrupted the group's Workspace projects, dismantling the infrastructure behind the campaign.

Google also added the related indicators to the Safe Browsing blocklist, notified the affected organizations, and provided them with a sample of ToughProgress network traffic logs to support their detection and remediation efforts.

Additionally, Google warned that since August 2024 APT41 has been seen using free web hosting tools to distribute malware such as Voldemort, DustTrap and ToughProgress. Hundreds of entities were served links to these hosting sites.
