
Hackers connected to China covertly embed malware within scheduled calendar events

Nation-state hacking group APT41 is using yet another cloud service to cloak its activity, the latest research reveals.


In a concerning development, a new malware strain known as ToughProgress has been identified that uses Google Calendar as a command-and-control (C2) channel. The malware is attributed to the Chinese government hacking group APT41, and it adds to the growing trend of threat actors abusing widely used cloud services to build stealthier and more resilient C2 infrastructure.

APT41 and similar groups embed malicious commands within Google Calendar events. Since these cloud services are rarely blocked in enterprise environments, the corresponding network traffic is indistinguishable from routine business activities, allowing malicious communications to bypass traditional network monitoring and filtering.

Malware installed on a victim's machine periodically checks specific Google Calendar events for "instructions". The events carry encoded commands or data in their descriptions, which the malware retrieves, decodes and executes. The sample is heavily obfuscated, so static analysis yields little until researchers apply targeted patching and dynamic analysis.

By using legitimate, widely permitted services, attackers significantly reduce the forensic footprint, making detection and attribution more challenging. This tactic is now a trend among advanced persistent threat (APT) groups, especially those linked to Chinese cyberespionage operations.

The move to cloud-based C2 infrastructure reflects a broader shift in attacker tactics. APT41’s methods now include spearphishing, exploiting vulnerabilities, process injection, and scripting.

ToughProgress is not the first malware strain to exploit cloud services for C2 infrastructure. Similar approaches have been seen with Google Drive (via Tabbywalk/CurveBack), and both variants share common components.

Organisations using cloud productivity suites are now at heightened risk. Attackers are hiding within the very tools that businesses depend on daily, making robust cloud monitoring, anomaly detection, and endpoint protection essential for defence. The challenge for security teams is to spot malicious use of legitimate services while not disrupting normal business operations.

APT41's abuse of free cloud services shows that even well-secured cloud platforms can be turned into C2 infrastructure. Because attackers keep abusing legitimate, high-profile cloud services, security teams must monitor not only for suspicious connections but also for malicious activity that rides over legitimate connections.
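The defensive point above, that malicious activity can hide inside allowed traffic, translates into looking at the shape of traffic rather than its destination. The following is an added example, not code from the article, from Google or from any ToughProgress sample: it parses a constructed proxy log (the "timestamp host process method url" schema, the process names and the thresholds are all assumptions made for illustration) and flags host/process pairs that poll the Google Calendar API at near-constant intervals, the signature of a scheduled check-in loop rather than a person using a calendar.

```python
"""Added example: flag regular polling of the Google Calendar API in proxy logs.

Not code from the article, from Google or from the ToughProgress malware.
The log schema, process names and thresholds below are constructed for
illustration only."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <host> <process> <method> <url>".
# updater.exe on ws-17 checks the calendar every 30 seconds (hypothetical beacon);
# chrome.exe on ws-17 touches it at irregular, human-looking intervals;
# chrome.exe on ws-22 touches it only three times.
SAMPLE_LOG = """\
2024-01-01T09:00:00 ws-17 updater.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T09:00:05 ws-17 chrome.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T09:00:30 ws-17 updater.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T09:01:00 ws-17 updater.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T09:01:30 ws-17 updater.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T09:02:00 ws-17 updater.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T09:02:30 ws-17 updater.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T09:03:40 ws-17 chrome.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T09:04:02 ws-17 chrome.exe GET https://docs.google.com/document/d/abc
2024-01-01T09:11:50 ws-17 chrome.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T09:14:10 ws-17 chrome.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T09:25:15 ws-17 chrome.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T10:00:00 ws-22 chrome.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T10:30:00 ws-22 chrome.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-01T11:00:00 ws-22 chrome.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
"""

# Only Calendar API requests are of interest; other Google traffic is ignored.
CALENDAR_API = re.compile(r"^https://www\.googleapis\.com/calendar/")


def parse_log(text):
    """Parse log lines into (timestamp, host, process, url) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, _method, url = line.split(maxsplit=4)
        records.append((datetime.fromisoformat(ts), host, proc, url))
    return records


def find_periodic_pollers(records, min_events=5, max_cv=0.2):
    """Return {(host, process): mean_gap_seconds} for host/process pairs that
    hit the Calendar API at least min_events times with near-constant spacing.

    Regularity is measured as the coefficient of variation of the gaps
    between consecutive requests (population stdev / mean). A timer-driven
    check-in loop scores near 0; interactive use scores much higher."""
    by_source = defaultdict(list)
    for ts, host, proc, url in records:
        if CALENDAR_API.match(url):
            by_source[(host, proc)].append(ts)

    flagged = {}
    for key, times in by_source.items():
        if len(times) < min_events:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[key] = avg
    return flagged


if __name__ == "__main__":
    for (host, proc), gap in find_periodic_pollers(parse_log(SAMPLE_LOG)).items():
        print(f"suspected beacon: {host} {proc} polls Calendar API every {gap:.0f}s")
```

On the constructed log this reports only the 30-second poller on ws-17; the browser sessions are either too irregular or too sparse. Real implants commonly add jitter to their sleep interval, so `max_cv` is a tuning knob rather than a fixed truth: loosen it and the check catches jittered beacons at the cost of more interactive traffic to triage, and pairing the result with process reputation (which binaries on the host should be talking to the Calendar API at all) is what makes the alert actionable.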


  1. Threat intelligence indicates that APT41, a Chinese government hacking group, has been leveraging Google Calendar as a command-and-control (C2) server to execute malware, demonstrating the growing trend of threat actors exploiting legitimate cloud services.
  2. In the case of ToughProgress, a new malware strain identified by the Google Threat Analysis Group, malicious commands are embedded within Google Calendar events, thereby bypassing traditional network monitoring and making the network traffic indistinguishable from routine business activities.
  3. Given that APT groups, including APT41, are adopting the tactic of using legitimate cloud services for C2 infrastructure, cybersecurity teams must focus on robust cloud monitoring, anomaly detection, and endpoint protection to defend against such stealthy, resilient malware threats.
