China-linked hackers exploit Google Calendar in cyberattacks on governments
A China-based hacking group abused Google Calendar in a new cyber-espionage campaign targeting government entities, researchers have found.
In a report released this week, analysts at Google attributed the campaign to APT41 — also tracked as Brass Typhoon, Wicked Panda and RedGolf — a long-running state-backed operation. The group’s primary targets include foreign governments and organizations in sectors such as logistics, media, automobiles and technology.
The attack, discovered by Google in late October, began with spearphishing emails that directed victims to a malicious ZIP archive hosted on a hijacked government website. The archive contained a PDF file alongside a folder with images of insects, designed to lure the recipient into clicking. Once opened, the file launched a stealthy malware strain researchers have dubbed ToughProgress.
According to Google, the malware deployed three modular payloads that operated entirely in a device’s memory to evade detection.
What makes ToughProgress particularly notable, researchers said, is its use of Google Calendar for command-and-control. Upon infection, the malware created an event dated May 30, 2023, and embedded stolen, encrypted data into the event’s description.
On certain dates in July, attackers uploaded additional calendar entries containing encrypted instructions. The malware polled Google Calendar, decrypted the content, and executed the commands before uploading the results to new calendar events.
Google noted that the abuse of legitimate cloud services like Google Calendar allows attackers to blend in with normal traffic, making detection more difficult.
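The tasking loop described above, where commands and exfiltrated data ride inside calendar event descriptions, suggests one cheap defensive check. The following added example (not code from the report or the article) scores Google Calendar event descriptions by character entropy and base64 shape to flag ones that carry an opaque encoded blob rather than human text; the event records, field names beyond the Calendar API's `summary`/`description`/`start`, and the thresholds are constructed assumptions.

```python
import base64
import hashlib
import math

# Constructed sample records in the shape of the `items` array returned by the
# Google Calendar API events.list call (only the fields this check uses).
# Made-up data for illustration, not events from the campaign.
_BLOB = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(6))
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Team sync", "start": {"dateTime": "2023-05-30T10:00:00Z"},
     "description": "Agenda: roadmap review, hiring update, Q3 planning."},
    {"id": "evt-2", "summary": "", "start": {"date": "2023-05-30"},
     "description": base64.b64encode(_BLOB).decode()},   # stands in for an encrypted payload
    {"id": "evt-3", "summary": "Dentist", "start": {"dateTime": "2023-07-12T09:00:00Z"},
     "description": ""},
]


def shannon_entropy(text: str) -> float:
    """Bits per character: English prose lands around 4-4.5, base64 of random bytes near 6."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_ciphertext(description: str, min_len: int = 64, min_entropy: float = 5.2) -> bool:
    """Heuristic: one long, space-free, valid base64 token with near-uniform symbol use.

    Thresholds are assumed starting points; tune them against your own tenant's events.
    """
    token = description.strip()
    if len(token) < min_len or " " in token:
        return False
    try:
        base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return shannon_entropy(token) >= min_entropy


def flag_suspicious_events(events):
    """Return ids of events whose description looks like an encoded payload."""
    return [e["id"] for e in events if looks_like_ciphertext(e.get("description", ""))]


if __name__ == "__main__":
    print(flag_suspicious_events(SAMPLE_EVENTS))
```

Flagged events are a triage queue, not a verdict; correlate them with the creating account, the client that wrote them, and whether any endpoint polled the calendar around the event's date.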
APT41 is among the most prolific Chinese state-affiliated cyber groups. Its members were charged by the U.S. in 2020 for breaching more than 100 entities worldwide. The FBI has issued arrest warrants for five Chinese nationals tied to the group, including Zhang Haoran and Tan Dailin, for cyber intrusions spanning espionage, ransomware deployment, and software supply chain attacks.
The same group has also been linked to intrusions targeting Southeast Asian government agencies. Researchers at cybersecurity firm Sophos reported that APT41 spent nearly two years inside a high-level government department, allegedly searching for intelligence related to South China Sea policy. Last August, the group breached a Taiwanese government-affiliated research institute working on sensitive technologies.
Adam Janofsky
is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.