Google Thwarts APT41's Stealthy Malware Attack Using Google Calendar for Command Operations
May 29, 2025
On May 29, 2025, Google disclosed that the China-linked hacking group APT41 exploited Google Calendar to conduct command-and-control operations using a new malware called TOUGHPROGRESS.
This malware employs Google Calendar as a mechanism to conceal malicious activities within a trusted cloud service, effectively blending in with legitimate operations.
APT41 delivered the malware through spear phishing emails that contained a ZIP file disguised as an export declaration document, which included a malicious Windows LNK file and an encrypted payload.
The ZIP file also contained a DLL named PLUSDROP that decrypts and executes the next stage of the malware entirely in memory, minimizing detection risks.
TOUGHPROGRESS operates in three stealthy stages: the first stage, PLUSDROP, decrypts the payload; the second stage, PLUSINJECT, injects malicious code into legitimate processes like svchost.exe; and the final stage executes commands from the attacker.
The malware polls hidden events in Google Calendar for instructions and writes the results of executed commands back as new calendar events, so both command delivery and data exfiltration ride on ordinary Calendar traffic.
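The C2 pattern described above gives defenders a concrete hunting lead: a process that is not a browser or mail client, such as svchost.exe, repeatedly reaching Google Calendar endpoints. The following is an added detection example, not code from the page or from the cited reporting; the endpoint hosts, the process allow-list and the log records are assumptions and constructed samples, not indicators taken from the reporting.

```python
"""Added detection example: flag non-browser processes that reach Google
Calendar endpoints, since TOUGHPROGRESS is reported to inject into
svchost.exe and poll Calendar for commands. Hosts, the allow-list and the
records below are assumptions / constructed samples, not real telemetry."""
from collections import defaultdict
from urllib.parse import urlparse


def is_calendar_url(url):
    """True if the URL points at Google Calendar (web UI or Calendar REST API).
    www.googleapis.com serves many Google APIs, so the path is checked as well
    to avoid flagging e.g. Drive traffic (host choice is an assumption)."""
    p = urlparse(url)
    host = p.hostname or ""
    if host == "calendar.google.com":
        return True
    return host == "www.googleapis.com" and p.path.startswith("/calendar/")


# Processes expected to talk to Google Calendar from a workstation (assumed).
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed proxy/EDR records: (endpoint name, process image, requested URL).
SAMPLE_EVENTS = [
    ("ws01", "chrome.exe",  "https://calendar.google.com/calendar/u/0/r"),
    ("ws01", "svchost.exe", "https://www.googleapis.com/calendar/v3/calendars/primary/events"),
    ("ws01", "svchost.exe", "https://www.googleapis.com/calendar/v3/calendars/primary/events"),
    ("ws02", "svchost.exe", "https://www.googleapis.com/drive/v3/files"),
    ("ws02", "msedge.exe",  "https://www.googleapis.com/calendar/v3/calendars/primary/events"),
    ("ws03", "notepad.exe", "https://calendar.google.com/calendar/u/0/r"),
]


def find_suspicious(events, min_hits=1):
    """Return {(endpoint, process): request count} for processes outside the
    allow-list that reached Google Calendar at least min_hits times; raising
    min_hits favours the repeated polling pattern over a one-off request."""
    counts = defaultdict(int)
    for endpoint, image, url in events:
        if image.lower() not in BROWSER_ALLOWLIST and is_calendar_url(url):
            counts[(endpoint, image.lower())] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for (endpoint, image), n in sorted(find_suspicious(SAMPLE_EVENTS).items()):
        print(f"{endpoint}: {image} contacted Google Calendar {n} time(s)")
```

On real telemetry the process image should be taken from the EDR or proxy field that records the originating executable, and the allow-list tuned to the environment's actual Google Workspace clients.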
While specific victims were not disclosed, Google collaborated with Mandiant to notify affected organizations and provided them with threat intelligence and network logs to aid in detection.
In response to the campaign, Google terminated all related Workspace accounts and identified the attacker-controlled Google Calendar instances, cutting off the malware's command channel.
Google's Threat Intelligence Group dismantled the infrastructure used by APT41 and developed custom fingerprints to prevent future abuses of its services.
APT41, also known as Axiom or Blackfly, is a prolific nation-state group that has targeted various sectors, including government, shipping, media, and technology.
Google identified the malicious activity in late October 2024, when malware hosted on a compromised government website was found targeting multiple government entities.
This incident marks the second time APT41 has exploited Google services, following a previous incident in April 2023 involving a Go-based tool delivered via Google Drive.
Summary based on 3 sources
Sources
BleepingComputer (May 28, 2025): APT41 malware abuses Google Calendar for stealthy C2 communication
The Hacker News (May 29, 2025): Chinese APT41 Exploits Google Calendar for Malware Command-and-Control Operations
Security Affairs (May 29, 2025): China-linked APT41 used Google Calendar as C2 to control its TOUGHPROGRESS malware