A newly discovered malware family called ‘ToughProgress’ has been using Google Calendar as a covert channel for command-and-control (C2) communications. The attackers hide their C2 traffic inside this trusted cloud platform, where it blends in with legitimate use of the service.
This activity, linked to the Chinese state-sponsored threat group APT41, was identified by Google’s Threat Intelligence Group (GTIG). Since then, GTIG has dismantled the attacker-controlled infrastructure and implemented targeted countermeasures to prevent future abuse.
Using Google Calendar for C2 is not new; it has been seen in other attacks, such as those involving malicious npm packages. APT41 has also misused Google services before, including a 2023 campaign that used Google Sheets and Google Drive to deploy the Voldemort malware.
The ToughProgress malware campaign starts with a phishing email.
According to investigations, the ToughProgress malware operation begins with a phishing email directing targets to download a ZIP archive from a compromised government website.
This archive contains a Windows LNK shortcut disguised as a PDF, a file named 6.jpg that looks like a JPG image but actually holds an encrypted payload, and a second ‘image’, 7.jpg, which is really a DLL responsible for decrypting and launching the malware.
Once the victim opens the LNK file, the DLL component, PlusDrop, decrypts the next stage, PlusInject, and loads it entirely in memory. PlusInject then performs process hollowing on a legitimate Windows svchost.exe process, injecting the final payload, ToughProgress.
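The delivery chain above leaves three artifacts a defender can check offline, without opening anything from the archive: a shortcut carrying a document-style double extension, a ‘JPG’ whose bytes are not a JPEG, and a ‘JPG’ that starts with a PE header. The following is an added example, not code from GTIG or from the article; the double-extension naming (name.pdf.lnk) is an assumption about how the LNK is disguised, and the sample ZIP is constructed in memory with placeholder contents.

```python
"""Triage a phishing ZIP for the delivery artifacts described in the text.

Added example, not code from GTIG or the article. Assumptions: the LNK is
disguised with a document double extension (e.g. report.pdf.lnk); the sample
archive and its member contents are constructed placeholders, not malware.
"""
import io
import re
import zipfile

# LNK file header: HeaderSize 0x4C (little-endian) followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 in on-disk GUID byte order.
LNK_HEADER = (
    b"\x4c\x00\x00\x00"
    b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
)
JPEG_MAGIC = b"\xff\xd8\xff"
PE_MAGIC = b"MZ"
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.IGNORECASE)
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def build_sample_archive() -> bytes:
    """Constructed stand-in for the phishing ZIP; nothing inside is real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf.lnk", LNK_HEADER + b"\x00" * 60)       # disguised shortcut
        zf.writestr("6.jpg", b"\x9b\x17ENCRYPTED-PAYLOAD-PLACEHOLDER" * 4)  # not a JPEG
        zf.writestr("7.jpg", PE_MAGIC + b"\x90\x00" + b"\x00" * 58 + b"PE\x00\x00")  # a PE
        zf.writestr("8.jpg", JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00")    # genuine-looking image
    return buf.getvalue()


def inspect_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every suspicious member, sorted by name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue                    # directory entry, nothing to inspect
            head = zf.read(name)[:64]       # only the leading bytes are needed
            lower = name.lower()
            if lower.endswith(".lnk") and head.startswith(LNK_HEADER):
                if DOUBLE_EXT_LNK.search(name):
                    findings.append((name, "Windows shortcut (LNK header) with document double extension"))
                else:
                    findings.append((name, "Windows shortcut (LNK header) in a mail attachment"))
            elif lower.endswith(IMAGE_EXTS):
                if head.startswith(PE_MAGIC):
                    findings.append((name, "PE executable (MZ header) under an image extension"))
                elif lower.endswith((".jpg", ".jpeg")) and not head.startswith(JPEG_MAGIC):
                    findings.append((name, "declared JPEG but content has no JPEG magic"))
    return sorted(findings)


if __name__ == "__main__":
    for member, reason in inspect_archive(build_sample_archive()):
        print(f"{member}: {reason}")
```

The check deliberately reads only the first 64 bytes of each member and never extracts to disk; the LNK test keys on the fixed header and CLSID rather than the file name, so a shortcut renamed to hide the extension is still caught once its name is confirmed to end in .lnk.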
Upon execution, ToughProgress connects to a hardcoded Google Calendar endpoint and polls specific event dates on which APT41 has placed commands in the description fields of hidden calendar events.
The malware then executes those instructions and writes the results into new calendar events, giving the attackers ongoing control while the traffic stays hidden inside a legitimate service.
Because the malware runs entirely in memory and its C2 traffic is HTTPS to a legitimate Google domain, network-based detection is significantly hampered: there is no suspicious domain or IP address to block. Defenders are left with the endpoint side of the chain (the LNK launch, the DLL load and the process hollowing of svchost.exe) and with the calendar artifacts themselves.
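The calendar side does leave something to look at: event descriptions that hold commands or results are opaque blobs rather than human text. The following added example (not code from GTIG or the article) scans an exported event list for descriptions that are a single long base64-style token with high character entropy and groups the hits by event date. It assumes the export has the `items[]` shape of the Google Calendar API `events.list` response (fields `id`, `summary`, `description`, `start.date` or `start.dateTime`); the minimum token length and the entropy threshold are my own choices, and the sample events are constructed.

```python
"""Scan an exported Google Calendar event list for descriptions that look
like encoded C2 payloads rather than human text.

Added example, not from GTIG or the article. Assumptions: export uses the
items[] shape of the Calendar API events.list response; the 32-character
minimum and the 4.5 bits/char entropy threshold are mine; the sample events
below are constructed and the permuted base64 alphabet stands in for
ciphertext (it is not anything the malware really sends).
"""
import json
import math
import re
import string
from collections import Counter, defaultdict

OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")  # base64 / base64url, no whitespace
MIN_ENTROPY = 4.5   # assumption: English prose is a little over 4 bits/char, random base64 near 6
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"


def shannon_entropy(text: str) -> float:
    """Bits per character over the single-character frequencies of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_like_blob(description: str) -> bool:
    """True when the whole description is one long, high-entropy opaque token."""
    token = description.strip()
    return bool(OPAQUE_TOKEN.fullmatch(token)) and shannon_entropy(token) >= MIN_ENTROPY


def event_date(event: dict) -> str:
    """YYYY-MM-DD of the event start, for all-day (date) or timed (dateTime) events."""
    start = event.get("start", {})
    return (start.get("date") or start.get("dateTime") or "")[:10]


def triage(export_json: str) -> dict[str, list[str]]:
    """Map event date -> sorted ids of events whose description looks like a payload."""
    hits = defaultdict(list)
    for event in json.loads(export_json).get("items", []):
        if looks_like_blob(event.get("description", "")):
            hits[event_date(event)].append(event.get("id", "<no id>"))
    return {date: sorted(ids) for date, ids in sorted(hits.items())}


# Constructed sample: two benign events, two placeholder "command" blobs on one
# date, a padding-only description that must not be flagged, and one placeholder
# "result" blob on the following day.
SAMPLE_EXPORT = json.dumps({"items": [
    {"id": "ev-sync", "summary": "Team sync",
     "start": {"dateTime": "2025-05-20T10:00:00Z"},
     "description": "Agenda: review the roadmap and hiring plan."},
    {"id": "ev-link", "summary": "Call",
     "start": {"dateTime": "2025-05-21T09:00:00Z"},
     "description": "Join: https://meet.example.com/abc-defg-hij"},
    {"id": "ev-cmd-1", "summary": "", "start": {"date": "2025-05-30"},
     "description": BASE64_ALPHABET[::-1]},
    {"id": "ev-cmd-2", "summary": "", "start": {"dateTime": "2025-05-30T00:00:00Z"},
     "description": BASE64_ALPHABET[1::2] + BASE64_ALPHABET[::2]},
    {"id": "ev-pad", "summary": "", "start": {"date": "2025-05-30"},
     "description": "A" * 48},
    {"id": "ev-result", "summary": "", "start": {"date": "2025-05-31"},
     "description": BASE64_ALPHABET + BASE64_ALPHABET[::-1]},
]})

if __name__ == "__main__":
    for date, ids in triage(SAMPLE_EXPORT).items():
        print(date, ids)
```

The regex alone would flag padding-like strings such as a run of one repeated character, which is why the entropy test is combined with it; conversely, legitimate events that embed base64 attachments or long signed links will trip this heuristic, so treat the output as a triage list to review, not a verdict. Dates with several hits from an otherwise empty summary are the pattern the text describes.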
To counter this campaign, Google disabled all attacker-controlled Calendar instances and the associated Workspace accounts. It also added the related malicious sites to the Safe Browsing blocklist, which now warns users about them and blocks traffic to them across Google’s product suite.
Although Google did not publicly disclose the identities of affected organisations, it confirmed that all known victims were privately notified in cooperation with external service providers.
Google shared ToughProgress samples and traffic logs with impacted entities to support detection and remediation efforts.
