A new report reveals that Chinese state-backed hacking group APT41 has developed a novel method to conduct cyber-espionage by exploiting Google Calendar as a covert command-and-control (C2) channel. The sophisticated technique, recently exposed by Google’s Threat Intelligence Group (GTIG), allowed the attackers to issue commands and exfiltrate data through seemingly benign calendar events.
This approach, uncovered in late October 2024, marked the first known instance of a nation-state actor embedding operational malware instructions within Google Calendar infrastructure, using encrypted descriptions in scheduled events to communicate with compromised systems.
The attack began with spear-phishing emails containing links to a malicious ZIP file hosted on a compromised government website. The archive included a disguised shortcut file (posing as a PDF) and multiple image files, some of which served as decoys while others deployed malware.
Once activated, a malware module—codenamed TOUGHPROGRESS—established communication with the attacker via calendar entries. The malware wrote encrypted data into zero-minute calendar events dated May 30, 2023, then polled Calendar for further instructions. Any retrieved event data was decrypted and executed on the infected machine, all while appearing as legitimate calendar traffic.
This method enabled the attackers to seamlessly blend into typical enterprise network activity, bypassing traditional threat detection systems. GTIG responded by dismantling APT41’s infrastructure, taking down attacker-controlled calendars and terminating linked Workspace projects. Detection rules were updated, and affected organizations were notified.
APT41 is known for targeting a wide range of industries, including government, technology, logistics, and media. The group has previously exploited other Google services for cyber operations—in 2023, it manipulated Google Sheets and Drive for malware control and leveraged Google AMP to redirect users to password-protected malicious files.
GTIG warns that this campaign reflects a broader trend of state-sponsored actors abusing legitimate cloud services to mask their activities. With free and trusted platforms increasingly used as part of advanced malware distribution chains, defenders are urged to monitor atypical behavior in familiar tools like calendars, documents, and collaboration platforms.
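The traits the report attributes to this channel (zero-minute events carrying encrypted, non-human descriptions, clustered on a single date) are exactly the kind of "atypical behavior in familiar tools" a defender can hunt for in a calendar export. The following is an added example, not code from the GTIG report or from Google: it runs a simple heuristic over constructed sample events. The record fields (`id`, `summary`, `start`, `end`, `description`) are assumptions about what an export might contain, not a real API schema, and the thresholds are starting points to tune against your own baseline.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample calendar events (not real data from the GTIG report).
# Field names are assumptions about a generic calendar export, not an API schema.
SAMPLE_EVENTS = [
    {"id": "evt-001", "summary": "Team sync",
     "start": "2025-05-30T09:00:00Z", "end": "2025-05-30T09:30:00Z",
     "description": "Weekly status meeting in room 4B."},
    {"id": "evt-002", "summary": "",
     "start": "2023-05-30T00:00:00Z", "end": "2023-05-30T00:00:00Z",
     "description": "q8Fz2Lk9PmX1vR7tYb3NcW0aJd6HsE5gUoZi4KpTlQxVnB2rMfCw=="},
    {"id": "evt-003", "summary": "",
     "start": "2023-05-30T00:00:00Z", "end": "2023-05-30T00:00:00Z",
     "description": "Zx9PqL4mN7bV2cK8rT1wY6hJ3sD5fG0aE+uQ/iOlMpUnBvCxWz=="},
    # A benign zero-minute reminder: must NOT be flagged on duration alone.
    {"id": "evt-004", "summary": "Reminder",
     "start": "2025-06-01T12:00:00Z", "end": "2025-06-01T12:00:00Z",
     "description": "Call dentist"},
]


def shannon_entropy(text: str) -> float:
    """Bits per character; natural-language text usually sits well under 4.5."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


# A long unbroken run of base64 / URL-safe characters is not how people write
# event descriptions; treat such descriptions as encoded-payload candidates.
ENCODED_RUN = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")


def looks_encoded(text: str, min_entropy: float = 4.0) -> bool:
    """Shape check plus entropy check, so short or repetitive strings pass as benign."""
    stripped = text.strip()
    return bool(ENCODED_RUN.match(stripped)) and shannon_entropy(stripped) >= min_entropy


def _parse_ts(value: str) -> datetime:
    # Accept the trailing "Z" that many exports use for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_zero_minute(event: dict) -> bool:
    """True when the event ends at (or before) the moment it starts."""
    return _parse_ts(event["end"]) <= _parse_ts(event["start"])


def find_suspicious_events(events: list) -> list:
    """Ids of zero-minute events whose description looks like encoded data."""
    return sorted(
        ev["id"] for ev in events
        if is_zero_minute(ev) and looks_encoded(ev.get("description", ""))
    )


def suspicious_days(events: list) -> dict:
    """Flagged events per calendar day; a pile-up on one date is a stronger signal."""
    flagged = set(find_suspicious_events(events))
    return dict(Counter(ev["start"][:10] for ev in events if ev["id"] in flagged))


if __name__ == "__main__":
    print(find_suspicious_events(SAMPLE_EVENTS))  # ['evt-002', 'evt-003']
    print(suspicious_days(SAMPLE_EVENTS))         # {'2023-05-30': 2}
```

Both conditions are required on purpose: zero-minute events are common as reminders (`evt-004`), and encoded-looking text alone can be a pasted ticket id or token, so the combination, plus a count per day, gives a far lower false-positive rate than either trait by itself.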