Skip to content

APT41 Hackers Using Google Calendar for Malware Command-and-Control To Attack Government Entities

[[{“value”:”

A recent campaign by Chinese state-sponsored threat actor APT41 has unveiled a novel exploitation of Google Calendar for malware command-and-control (C2) operations, marking a significant escalation in cyberespionage tactics.

The group, tracked under aliases including BARIUM and Brass Typhoon, targeted Taiwanese government entities through a multi-stage attack chain combining spearphishing, image-based payload delivery, and covert C2 via widely trusted cloud services.

The campaign during forensic analysis of a compromised government website, revealing a sophisticated workflow designed to evade traditional detection mechanisms.

The attack begins with spearphishing emails distributing ZIP archives labeled “出境海關申報清單.zip” (“Export Customs Declaration List.zip”).

Resecurity researchers identified that inside, the victims encounter a shortcut LNK file masquerading as a PDF (“申報物品清單.pdf.lnk”) and an image folder containing seven files.

While files 1–5 display legitimate arthropod specimens, 6.jpg and 7.jpg harbor encrypted malware components. When executed, the LNK file displays a decoy PDF about export regulations while silently deploying APT41’s ToughProgress malware suite.

Encrypted malware components (Source – Resecurity)

This three-module framework—PLUSDROP, PLUSINJECT, and TOUGHPROGRESS—combines memory-resident execution, process hollowing, and cloud-based C2 to maintain persistence.

Resecurity analysts noted the campaign’s innovation lies in its abuse of Google Calendar events for bidirectional communication. Unlike traditional C2 servers, this approach blends malicious traffic with legitimate Google Workspace API requests, complicating network-based detection.

Rundll32.exe attempts to decrypt 6.jpg (Source – Resecurity)

The Tactics, Techniques, and Procedures (TTPs) map to 14 distinct MITRE ATT&CK entries, spanning initial access (T1566.001) to exfiltration (T1041).

Covert C2 Infrastructure Through Google Calendar Event Manipulation

The TOUGHPROGRESS module establishes persistence by creating Google Calendar events dated back to 2023, embedding AES-encrypted commands within event descriptions.

The malware periodically checks these events using OAuth2 tokens, mimicking legitimate calendar synchronization behavior.

Commands are decrypted using a hardcoded key (0x7D in XOR operations) and executed via injected svchost.exe processes.

// Sample decryption routine for calendar event data
void decrypt_payload(char* encrypted_data, size_t len) {
    const char KEY = 0x7D;
    for (size_t i = 0; i < len; i++) {
        encrypted_data[i] ^= KEY;
    }
}

Execution results are exfiltrated by creating new calendar events with BASE64-encoded output appended to seemingly benign descriptions.

For instance, an event titled “Budget Meeting Q3” might contain exfiltrated registry data within its description field.

This technique capitalizes on the trustworthiness of Google services—76% of enterprise firewalls whitelist *.google.com domains, enabling undisturbed data transit.

The malware further obfuscates C2 patterns using dynamically generated Cloudflare Workers subdomains (*.trycloudflare[.]com) as proxy relays.

These domains resolve to Google Calendar API endpoints, creating a hybrid infrastructure that blends bulletproof hosting with legitimate cloud services.

Key Indicators of Compromise (IOCs) include the malicious 6.jpg (SHA-256: 50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360) and 7.jpg files, which contain XOR-encrypted PE headers.

Memory analysis reveals signature evasion techniques such as:-

  1. API hashing: Critical functions like LdrLoadDll are resolved via custom hash algorithms rather than direct imports
  2. Section stomping: Malware overwrites .text sections of legitimate processes with malicious code
  3. Shimcache manipulation: Timestamps of malicious files are spoofed to match system binaries
; Example of API hashing for kernel32!CreateProcessA
mov edi, 0x8F1D8844   ; Precomputed hash value
call resolve_api_by_hash
test eax, eax
jz error_handler

Defenders should monitor for abnormal svchost.exe instances with open connections to *.googleapis.com/calendar/v3 and inspect calendar event metadata for BASE64 blobs.

Resecurity recommends implementing application allowlisting for rundll32.exe and constraining Google Workspace API permissions to mitigate similar campaigns.

This operation shows the APT41’s continued evolution in exploiting trust relationships between users, software, and cloud providers.

As geopolitical tensions heighten, such hybrid C2 mechanisms will likely proliferate among state-aligned threat actors seeking plausible deniability.

Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests

The post APT41 Hackers Using Google Calendar for Malware Command-and-Control To Attack Government Entities appeared first on Cyber Security News.

“}]] 

Read More  Cyber Security News