Google Calendar was being used as a communication channel by a group of hackers to extract sensitive information from individuals, according to the Google Threat Intelligence Group (GTIG). The tech giant’s cybersecurity division discovered a compromised government website in October 2024 and found that malware was being spread using it. Once the malware infected a device, it would create a backdoor using Google Calendar and allow the operator to extract data. GTIG has already taken down the calendar accounts and other systems that were being used by the hackers.

Google Calendar Used By China-Linked Hackers for Command and Control (C2) Channel

GTIG detailed the delivery method of the malware, how it functioned, and the measures taken by Google’s team to protect users and its product. The hacker associated with this attack is said to be APT41, also known as HOODOO, a threat group believed to be linked to the Chinese government.

An investigation by GTIG revealed that APT41 used a spear phishing method to deliver malware to targets. Spear phishing is a targeted form of phishing where attackers personalise emails to specific individuals. 

These emails contained a link to a ZIP archive that was hosted on the compromised government website. When an unsuspecting person opened the archive, it showed a shortcut LNK file (.lnk), which was disguised to appear like a PDF, as well as a folder.

Overview of how the malware functioned
Photo Credit: GTIG

This folder contained seven JPG images of arthropods (insects, spiders, etc.). GTIG highlighted that the sixth and seventh entries, however, are decoys that actually contain an encrypted payload and a dynamic link library (DLL) file that decrypts the payload. 

When the target clicks the LNK file, it triggers both files. Interestingly, the LNK file also automatically deletes itself and is replaced with a fake PDF, which is shown to the user. This file mentions that the species shown need to be declared for export, likely to mask the hacking attempt and to avoid raising suspicion.

Once the malware has infected a device, it operates in three different stages, where each stage carries out a task in sequence. GTIG highlighted that all three sequences are executed using various stealth techniques to avoid detection. 

The first stage decrypts and runs a DLL file named PLUSDROP directly in memory. The second stage launches a legitimate Windows process and performs process hollowing — a technique used by attackers to run malicious code under the guise of a legitimate process — to inject the final payload.

The final payload, TOUGHPROGRESS, executes malicious tasks on the device and communicates with the attacker via Google Calendar. It uses the cloud-based app as a communication channel via command and control (C2) technique. 

The malware adds a zero-minute calendar event on a hardcoded date (May 30, 2023), which stores encrypted data from the compromised computer in the event’s description field.

It also creates two other events on hardcoded dates (July 30 and 31, 2023), which gives the attacker a backdoor to communicate with the malware. TOUGHPROGRESS regularly scans the calendar for these two events. 

When the attacker sends an encrypted command, it decrypts it and executes the command. Then, it sends back the result by creating another zero-minute event with the encrypted output.

To disrupt the malware campaign, GTIG created custom detection methods that identify and remove APT41’s Google Calendar accounts. The team also shut down the attacker-controlled Google Workspace projects, effectively disabling the infrastructure that was used in the operation. 

Additionally, the tech giant also updated its malware detection systems and blocked the malicious domains and URLs using Google Safe Browsing.

GTIG has also notified affected organisations, and provided them with samples of the malware’s network traffic and details about the threat actor to help with detection, investigation, and response efforts.