APT41 malware abuses Google Calendar for stealthy C2 communication


The Chinese state-sponsored hacking group APT41 is using a new malware family named ‘ToughProgress’ that abuses Google Calendar for command-and-control (C2) operations, blending its traffic in with a trusted cloud service that is rarely blocked or closely inspected.

The campaign was discovered by Google’s Threat Intelligence Group, which identified and dismantled attacker-controlled Google Calendar and Workspace infrastructure and introduced targeted measures to prevent such abuse in the future.

Using Google Calendar as a C2 channel is not a novel technique; Veracode recently reported a malicious package in the npm registry that used a similar tactic.

APT41 has also abused Google services before, for example using Google Sheets and Google Drive in the Voldemort malware campaign in April…
