APT41 malware abuses Google Calendar for stealthy C2 communication
Published on: 2025-06-16 16:04:04
The Chinese APT41 hacking group uses a new malware named 'ToughProgress' that exploits Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service.
The campaign was discovered by Google's Threat Intelligence Group, which identified and dismantled attacker-controlled Google Calendar and Workspace infrastructure and introduced targeted measures to prevent such abuse in the future.
Using Google Calendar as a C2 channel is not a novel technique; Veracode recently reported a malicious package in the Node Package Manager (NPM) index that used a similar tactic.
APT41 has also abused Google services before, using Google Sheets and Google Drive in a Voldemort malware campaign in April 2023.
Overview of the attack
[Figure: APT41 attack flow. Source: Google]
The attack starts with a malicious email sent to targets, linking to a ZIP archive hosted on a previously compromised government website.
The archive contains a Wi