Date: 2025-05-29

Google has revealed a new cyber threat linked to a Chinese state-sponsored hacking group called APT41. The group used a malware named TOUGHPROGRESS that cleverly hides its activity by using Google Calendar for its command-and-control (C2) operations. This means the malware communicates with the Chinese hackers using events on Google Calendar.

Google discovered this cyber activity in late October 2024. The malware was hosted on a compromised government website and was used to target other government organizations. The attackers sent phishing emails containing a link to a ZIP file. The archive appeared to contain images of insects, but two of the "images" were fake. Hidden among them was a shortcut file disguised as a PDF. When clicked, it launched the attack.

Google Exposes Chinese Hackers Using Calendar Events for Cyberattacks

When someone opened the file, it displayed a decoy message about exporting species, meant to convince the victim that the document was genuine. Behind the scenes, it ran hidden code to infect the system. The malware used several stealth methods, including encryption, memory-only payloads, and process obfuscation, to avoid detection.

According to Google’s Threat Intelligence Group (GTIG), the malware had three main parts:

PLUSDROP – A DLL file that decrypts and runs the next stage of the attack.

PLUSINJECT – Uses a method called process hollowing to inject malicious code into a legitimate-looking Windows process (svchost.exe).

TOUGHPROGRESS – The main malware, which connects to Google Calendar and reads hidden commands placed there by the hackers.

The malware used Google Calendar to read and write events. The hackers created fake calendar events on specific dates, such as July 30 and 31, 2023, and hid encrypted commands inside the event descriptions. The malware read these commands, executed them on the infected computer, and then sent the results back by writing another event. In this way, the entire exchange stayed hidden inside what looks like an ordinary calendar.
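As an added, defender-side example that is not part of the original report: a Python heuristic that scans exported calendar events for descriptions that read like opaque encrypted blobs rather than human text, and groups the hits by date, mirroring the clustering of attacker events on a couple of specific days. The sample events, field names (`id`, `start`, `description`) and thresholds are constructed assumptions, not real APT41 data.

```python
import base64
import hashlib
import math
import string
from collections import Counter

# Characters that make up a base64-encoded blob.
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of `text`."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_opaque_payload(desc: str, min_len: int = 64,
                              min_ratio: float = 0.95, min_entropy: float = 4.5) -> bool:
    """Heuristic: a long, high-entropy run of base64-alphabet characters reads like an
    encrypted/encoded command rather than a human-written event description.
    Thresholds are assumptions to tune against your own calendar data."""
    if len(desc) < min_len:
        return False
    ratio = sum(ch in B64_ALPHABET for ch in desc) / len(desc)
    return ratio >= min_ratio and shannon_entropy(desc) >= min_entropy


def flag_calendar_events(events):
    """Return {start date: [event ids]} for events whose description looks opaque.
    Several such events landing on the same day is the pattern worth escalating."""
    hits = {}
    for ev in events:
        if looks_like_opaque_payload(ev.get("description", "")):
            hits.setdefault(ev["start"], []).append(ev["id"])
    return hits


def _fake_blob(seed: bytes, rounds: int = 3) -> str:
    """Constructed stand-in for an encrypted command: chained SHA-256 digests, base64-encoded."""
    out, cur = b"", seed
    for _ in range(rounds):
        cur = hashlib.sha256(cur).digest()
        out += cur
    return base64.b64encode(out).decode()


# Constructed sample export: one ordinary meeting and two attacker-style events.
SAMPLE_EVENTS = [
    {"id": "ev-1", "start": "2023-07-30", "summary": "Team sync",
     "description": "Weekly status meeting in room 4. Bring the export paperwork for the species survey."},
    {"id": "ev-2", "start": "2023-07-30", "summary": "", "description": _fake_blob(b"cmd-1")},
    {"id": "ev-3", "start": "2023-07-31", "summary": "", "description": _fake_blob(b"result-1")},
]

if __name__ == "__main__":
    for date, ids in flag_calendar_events(SAMPLE_EVENTS).items():
        print(f"{date}: {len(ids)} opaque-payload event(s): {', '.join(ids)}")
```

In practice the same check runs over Calendar API exports or Workspace audit logs; it is a triage signal, not proof of compromise, since legitimate events occasionally carry encoded attachments.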

When Google learned of the campaign, it took swift action: it removed the attacker-controlled Google Calendar and shut down the related Workspace accounts. It also alerted all affected organizations. However, the full extent of the attack is still unknown.

APT41 is a well-known hacker group linked to the Chinese government. The group has gone by many names, including Wicked Panda, Winnti, and Brass Typhoon. They have previously targeted various sectors like government, technology, logistics, media, and even the automotive industry.

This is not the first time APT41 has misused Google's services. In April 2023, the group used another tool called Google Command and Control (GC2), which relied on Google Sheets and Google Drive to fetch commands and exfiltrate stolen data.

Google continues to monitor such threats and is working to secure its platforms. This case highlights how hackers are now using everyday cloud services to hide their attacks. Organizations must remain alert and invest in strong cybersecurity measures to stay protected.