
APT41 hacking group is targeting Google Calendar with this ‘new’ malware: What is it, how it works and tips to stay protected

The infection begins with spear-phishing emails that direct victims to a malicious ZIP archive hosted on a hijacked government website. The archive contains a Windows shortcut file (LNK) that mimics a PDF, alongside a directory of fake images named like arthropod photos. Clicking the LNK triggers a multi-stage infection process.
May 29, 2025 / 14:02 IST

Hacking group APT41 is exploiting Google Calendar to conduct command-and-control (C2) operations using a newly identified malware called TOUGHPROGRESS, according to Google’s Threat Intelligence Group (GTIG). The malware campaign, discovered in October 2024, targeted multiple government entities through a compromised government website.

How TOUGHPROGRESS works


The malware unfolds in three steps:

1. PLUSDROP, a DLL that decrypts the next stage in memory

2. PLUSINJECT, which uses process hollowing to inject code into svchost.exe

3. TOUGHPROGRESS, which communicates with an attacker-controlled Google Calendar
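The lure described above is a ZIP archive carrying a Windows shortcut (LNK) named to look like a PDF, sitting next to decoy image files. The following script is an added example written for this article, not code from Google or from the campaign; it shows the kind of mail-gateway or sandbox check a defender can run on an archive before a user opens it. It identifies shortcuts by their Shell Link header (the fixed HeaderSize and LinkCLSID values) rather than by extension alone, and escalates when a shortcut borrows a document extension such as ".pdf.lnk". The sample archive, its file names and contents are constructed for the demonstration.

```python
import io
import zipfile

# Shell Link (.LNK) file header: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, serialised little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions a disguised shortcut commonly borrows so that Explorer,
# which hides the trailing .lnk, shows it as an ordinary document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that is, or pretends not to be, a shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # Only the header is needed to recognise a shortcut.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            has_lnk_header = head == LNK_MAGIC
            basename_parts = lower.rsplit("/", 1)[-1].split(".")

            reasons = []
            if lower.endswith(".lnk"):
                # "report.pdf.lnk" -> inner extension ".pdf"
                inner = "." + basename_parts[-2] if len(basename_parts) >= 3 else ""
                if inner in DOCUMENT_EXTS:
                    reasons.append("shortcut named like a document")
                else:
                    reasons.append("shortcut inside archive")
            if has_lnk_header and not lower.endswith(".lnk"):
                reasons.append("LNK header under a non-.lnk extension")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive for the demo: one disguised shortcut, decoy JPEGs, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf.lnk", LNK_MAGIC + b"\x00" * 60)          # disguised shortcut
        zf.writestr("images/beetle_01.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # decoy (constructed)
        zf.writestr("images/spider_02.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # decoy (constructed)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

The header check matters because a shortcut does not need to have its true name visible to the user to be one; scanning by extension only would miss a member whose name has been manipulated. Running the script on the constructed archive reports only `report.pdf.lnk`; the decoy images and the text file produce no finding.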

TOUGHPROGRESS uses Calendar events to exfiltrate stolen data and receive commands. It creates and modifies events, such as zero-minute events with embedded data on specific hard-coded dates. These are then polled and executed on the infected host.
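Because the traffic here is ordinary HTTPS to Google, network-level blocking is not a practical detection; what stands out is the shape of the events themselves. The script below is an added example, not from the article or from Google: it applies the two traits the article describes, zero-minute duration and opaque embedded data, as a scoring heuristic over calendar event records. The records follow the field layout of the Calendar API's events resource (`start.dateTime`, `end.dateTime`, `description`, `attendees`), but the three events are constructed for the demonstration, and the 4.0-bit entropy threshold is an assumed tuning value.

```python
import base64
import math
import re
from datetime import datetime

# A long run of base64-alphabet characters with nothing else in it.
OPAQUE_BLOB = re.compile(r"^[A-Za-z0-9+/=]{40,}$")


def shannon_entropy(text: str) -> float:
    """Bits per character; natural language sits around 4, encoded binary higher."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def suspicious_events(events: list[dict], min_entropy: float = 4.0) -> list[dict]:
    """Score events on the traits the article names; flag when the score reaches 2."""
    flagged = []
    for ev in events:
        start = ev.get("start", {}).get("dateTime")
        end = ev.get("end", {}).get("dateTime")
        if not start or not end:
            continue  # all-day events carry "date" instead of "dateTime"; not covered here
        duration_min = (_parse(end) - _parse(start)).total_seconds() / 60
        desc = (ev.get("description") or "").strip()

        score, reasons = 0, []
        if duration_min == 0:
            score += 1  # common for reminders, so a weak signal on its own
            reasons.append("zero-minute event")
        if OPAQUE_BLOB.match(desc) and shannon_entropy(desc) >= min_entropy:
            score += 2  # an encoded payload is the strong signal
            reasons.append("opaque high-entropy blob in description")
        if score >= 2:
            flagged.append({"id": ev.get("id"), "start": start, "reasons": reasons})
    return flagged


# Constructed sample records (not real calendar data).
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Weekly sync", "description": "Agenda: roadmap review",
     "start": {"dateTime": "2025-05-30T09:00:00+00:00"},
     "end": {"dateTime": "2025-05-30T09:30:00+00:00"},
     "attendees": [{"email": "alice@example.com"}]},
    {"id": "evt-2", "summary": "",
     "description": base64.b64encode(bytes(range(256))).decode(),  # stand-in for an encoded payload
     "start": {"dateTime": "2025-05-30T00:00:00+00:00"},
     "end": {"dateTime": "2025-05-30T00:00:00+00:00"}},
    {"id": "evt-3", "summary": "Call dentist", "description": "",
     "start": {"dateTime": "2025-05-31T12:00:00+00:00"},
     "end": {"dateTime": "2025-05-31T12:00:00+00:00"}},
]


if __name__ == "__main__":
    for hit in suspicious_events(SAMPLE_EVENTS):
        print(hit["id"], hit["start"], "->", ", ".join(hit["reasons"]))
```

On the constructed input only `evt-2` is flagged: it is both zero minutes long and carries an opaque blob. `evt-3` is also zero minutes long but has an empty description, which is why the duration trait alone is weighted below the threshold; applying this to a real Workspace tenant means pulling events through the Calendar API or audit logs and tuning the threshold against the organisation's own baseline.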

Previous use of Google services

This is not the first time APT41 has misused Google’s infrastructure. In 2023, the group used Google Drive to deliver a backdoor called Google Command and Control (GC2), which read commands from Google Sheets and exfiltrated data.

Google’s response

Google has since neutralized the campaign by shutting down the malicious Calendar and related Workspace projects. The tech firm has notified affected organizations. However, the full scale of the intrusion remains undisclosed.

Tips to stay protected

Avoid opening links or attachments from unknown or unverified sources

Disable LNK file previews in Windows to reduce risk from disguised shortcuts

Use updated antivirus and endpoint detection tools

Regularly monitor cloud service access and permissions

APT41—also known by aliases like Winnti, Brass Typhoon, and Wicked Panda—has a history of targeting sectors like government, manufacturing, and technology across countries such as Japan, the UK, and Taiwan.


MC Tech Desk
