Valentyn Schneider, Hot News
30 May 2025, 17:45
Chinese hackers use Google Calendar to run malware
The Chinese group APT41 has created a new malware called ToughProgress that uses Google Calendar as a channel to communicate with a command and control server, disguising its activity as a legitimate cloud service.
According to BleepingComputer, the campaign was exposed by Google’s Threat Intelligence Group. In response, the company removed the malicious events from Google Calendar, locked down the Workspace accounts used in the attack, and implemented safeguards to prevent similar abuse in the future.
ToughProgress is a new multi-layered threat that begins with a malicious email with a link to a ZIP archive hosted on a compromised government website. Inside the archive is an LNK file disguised as a PDF document and several pseudo-images with malicious components.
A DLL file plays the key role in the launch chain: it decrypts the downloaded encrypted file and executes the next stage, the PlusInject component. PlusInject then uses the process hollowing technique to inject the final malware, ToughProgress, into the svhost.exe process.
The malware connects to a predefined calendar in Google Calendar, reads commands from hidden events, and after executing the tasks writes the results into new events for the operators to collect. This scheme helps it avoid detection: the data exchange takes place over a legitimate cloud platform, and the malware is never stored on disk.
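The article describes commands being read from hidden calendar events and results written back as new events. A defender reviewing a Workspace tenant can look for the tell-tale shape of such events: no title, no attendees, and a description that is an opaque encoded blob rather than human text. The script below is an added example written for this article, not code from Google, Mandiant or the reporting cited here; the event records are constructed sample data in a simplified calendar-export layout, and the heuristics (encoded-looking description, empty title, zero attendees) are an assumption about how such traffic would stand out, not indicators published for ToughProgress.

```python
import base64
import math
import re
from collections import Counter
from typing import Dict, List

# Characters you would expect in base64 / base64url / hex blobs and nothing else.
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=_\-]+$")

# Constructed sample events (not real data). "attendees" is a count for brevity.
SAMPLE_EVENTS: List[Dict] = [
    {"id": "evt-1", "summary": "Team standup",
     "description": "Daily sync, bring your blockers.", "attendees": 4},
    # Blob built from a harmless JSON string so the example stays self-contained.
    {"id": "evt-2", "summary": "",
     "description": base64.b64encode(b'{"sample": "constructed"}').decode(),
     "attendees": 0},
    {"id": "evt-3", "summary": "Dentist", "description": "", "attendees": 0},
    # Hex-looking blob, again invented for the example.
    {"id": "evt-4", "summary": "",
     "description": "3f9a0c7d1e2b84a6b5c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8",
     "attendees": 0},
]


def shannon_entropy(text: str) -> float:
    """Bits per character; used only to reject repetitive strings like 'aaaa...'."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def looks_encoded(text: str) -> bool:
    """True when the description is a longish, whitespace-free blob drawn
    from an encoding alphabet with non-trivial entropy."""
    return (
        len(text) >= 24
        and ENCODED_RE.fullmatch(text) is not None
        and shannon_entropy(text) >= 3.0
    )


def flag_suspicious_events(events: List[Dict]) -> List[Dict]:
    """Return the events whose description looks machine-encoded, with the
    corroborating signals (empty title, no attendees) listed as reasons."""
    flagged = []
    for ev in events:
        if not looks_encoded(ev.get("description", "")):
            continue
        reasons = ["encoded-looking description"]
        if not ev.get("summary"):
            reasons.append("empty title")
        if ev.get("attendees", 0) == 0:
            reasons.append("no attendees")
        flagged.append({"id": ev["id"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_events(SAMPLE_EVENTS):
        print(hit["id"], "->", ", ".join(hit["reasons"]))
```

In a real tenant the same checks would run over an export of calendar events for the accounts Google locked down, or over audit logs of event creation; a burst of attendee-less events with blob descriptions from one account is the pattern worth escalating.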
Who is APT41?
It is one of China’s most active state-sponsored cyber groups, known for attacks on private and government organizations around the world. Attackers have abused Google services before, including Sheets and Drive, in similar campaigns, such as the Voldemort malware in 2023. Abusing the infrastructure of popular cloud services is becoming an increasingly common way to bypass security systems, because such traffic appears legitimate at first glance. Google is working with Mandiant to identify the affected organizations and has provided them with infection samples and traffic logs for further analysis.
We previously reported on a large-scale hack of over 9,000 Asus routers worldwide. Hackers gained permanent access to the devices, which persisted even after reboots or firmware updates.