APT41 Uses Google Calendar for Command and Control

New research from Google Threat Intelligence Group (GTIG) details how PRC-nexus APT41 is leveraging innovative tactics, including the use of Google Calendar for command and control (C2). In late October 2024, we discovered APT41 exploiting a government website to deliver a novel malware family, TOUGHPROGRESS.

TOUGHPROGRESS utilizes Google Calendar to exfiltrate data and receive commands, an evolution in APT41’s misuse of cloud services to blend in with legitimate traffic. The malware uses several obfuscation techniques, including memory-only payloads and intricate control flow obfuscation.

GTIG has taken action to disrupt this campaign by terminating attacker-controlled infrastructure, updating Safe Browsing, and providing detection signatures. Our report also discusses APT41’s broader use of free web hosting tools for malware distribution.
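Because C2 over Google Calendar rides on a legitimate service, the useful signal for defenders is process context rather than the destination alone. The following is an added example, not code from GTIG or the report above: it scans constructed endpoint telemetry for processes outside an assumed allow-list of browsers and calendar clients that reach Calendar endpoints, and measures how regular their request cadence is. The process names, URL markers and telemetry format are all assumptions.

```python
"""Flag Google Calendar API access from unexpected processes and score how
regular that access is. Telemetry format and all names are hypothetical."""
import statistics
from collections import defaultdict
from datetime import datetime

# Browsers and mail/calendar clients expected to talk to Google Calendar (assumption).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
# Substrings that mark a Calendar web or API endpoint (assumption, not from the report).
CALENDAR_MARKERS = ("calendar.google.com", "googleapis.com/calendar/")

# Constructed sample telemetry: ISO timestamp, process image name, destination URL.
SAMPLE_EVENTS = [
    ("2024-10-28T09:00:00", "chrome.exe", "https://calendar.google.com/calendar/u/0/r"),
    ("2024-10-28T09:00:02", "svchost.exe", "https://www.googleapis.com/calendar/v3/calendars/primary/events"),
    ("2024-10-28T09:30:02", "svchost.exe", "https://www.googleapis.com/calendar/v3/calendars/primary/events"),
    ("2024-10-28T10:00:01", "svchost.exe", "https://www.googleapis.com/calendar/v3/calendars/primary/events"),
    ("2024-10-28T10:30:03", "svchost.exe", "https://www.googleapis.com/calendar/v3/calendars/primary/events"),
    ("2024-10-28T10:12:44", "outlook.exe", "https://www.googleapis.com/calendar/v3/calendars/primary/events"),
    ("2024-10-28T10:15:00", "svchost.exe", "https://update.microsoft.com/"),
]


def is_calendar_endpoint(url: str) -> bool:
    return any(marker in url for marker in CALENDAR_MARKERS)


def interval_regularity(timestamps):
    """Coefficient of variation of inter-request gaps; near 0 means a fixed-period poll."""
    if len(timestamps) < 3:
        return None
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def find_unexpected_calendar_clients(events, expected=EXPECTED_CLIENTS):
    """Return {process: {"count": n, "regularity": cv}} for processes outside the
    expected set that reach Calendar endpoints; regularity is None below 3 requests."""
    hits = defaultdict(list)
    for ts, process, url in events:
        if process.lower() not in expected and is_calendar_endpoint(url):
            hits[process].append(ts)
    return {p: {"count": len(t), "regularity": interval_regularity(t)} for p, t in hits.items()}


if __name__ == "__main__":
    for process, info in find_unexpected_calendar_clients(SAMPLE_EVENTS).items():
        print(f"{process}: {info['count']} Calendar requests, interval CV={info['regularity']:.4f}")
```

A low coefficient of variation from a non-browser process is a triage lead, not a verdict; confirm with the process's origin and the Calendar API calls it makes before acting.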

Full report available here: https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics

Originally posted on LinkedIn