APT41 Malware Exploits Google Calendar for Covert Command-and-Control (C2) Communication
APT41's 'Tough Progress' Malware Abuses Google Calendar for Covert C2 Operations
The Chinese state-sponsored threat group APT41 has been observed using a newly identified malware strain dubbed 'Tough Progress', which leverages Google Calendar as a stealthy command-and-control (C2) channel. By exploiting a widely trusted cloud service, the attackers are able to mask their malicious activity and evade detection.

Figure 1. APT41 Malware Exploits Google Calendar.
This campaign was uncovered by Google’s Threat Intelligence Group, which promptly dismantled the attacker-controlled Google Calendar and Workspace infrastructure. Google also implemented new safeguards to prevent similar abuse going forward. Figure 1 illustrates the APT41 malware's abuse of Google Calendar.
The use of Google Calendar for C2 communication isn't new: similar tactics were recently reported by Veracode, which found a malicious package on the Node Package Manager (NPM) registry employing the same technique.
APT41 has a history of abusing Google services. In a previous campaign involving the Voldemort malware in April 2023, the group used Google Sheets and Google Drive for malicious activity.
Attack Overview
According to Google, the attack begins with a phishing email sent to the target, containing a link to a ZIP archive hosted on a previously compromised government website. This archive includes:
- A Windows LNK shortcut file disguised as a PDF.
- A JPG image file that is actually the main encrypted payload.
- A DLL file camouflaged as another image, used to decrypt and execute the payload.
“Files named '6.jpg' and '7.jpg' are not actual images,” explains Google. “The first is an encrypted payload, while the second is a DLL that decrypts and launches it when the user clicks the shortcut.”
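The lure archive described above mixes file extensions and file contents: a shortcut posing as a PDF, an encrypted blob named like an image, and a DLL named like an image. A triage check that compares each archive member's extension with the magic bytes at the start of its content catches exactly this pattern. The following is an added example written for this article, not code from Google's report or from the campaign; the archive it inspects is constructed in memory, and the member names are made up to mirror the description (Windows Explorer hides the `.lnk` extension by default, so `invoice.pdf.lnk` is displayed as `invoice.pdf`).

```python
import io
import os
import zipfile

# Leading bytes of the formats involved in the lure.
JPEG_MAGIC = b"\xff\xd8\xff"
PDF_MAGIC = b"%PDF-"
LNK_MAGIC = b"\x4c\x00\x00\x00"  # ShellLinkHeader starts with HeaderSize = 0x4C
MZ_MAGIC = b"MZ"                  # PE executables and DLLs

# What the extension claims the content should start with.
EXPECTED_MAGIC = {".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC, ".pdf": PDF_MAGIC}


def classify(head: bytes) -> str:
    """Identify a file from its first bytes, independent of its name."""
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"  # no known signature: possibly encrypted or packed data


def triage_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member whose content contradicts its name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(64)
            name = info.filename.lower()
            ext = os.path.splitext(name)[1]
            kind = classify(head)
            reason = None
            if kind == "lnk":
                # A shortcut inside a mailed archive is suspicious on its own;
                # a document extension in front of .lnk is the classic disguise.
                reason = "Windows shortcut (LNK)"
                if os.path.splitext(name[:-len(ext)])[1] in EXPECTED_MAGIC:
                    reason += " disguised as a document"
            elif kind == "pe":
                reason = f"PE executable/DLL named as '{ext}'"
            elif ext in EXPECTED_MAGIC and not head.startswith(EXPECTED_MAGIC[ext]):
                reason = f"extension '{ext}' but content is {kind}"
            if reason:
                findings.append({"name": info.filename, "kind": kind, "reason": reason})
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive mirroring the lure: shortcut, encrypted blob, DLL, real image."""
    lnk = LNK_MAGIC + bytes.fromhex("0114020000000000c000000000000046") + b"\x00" * 60
    encrypted_blob = bytes(range(256))                 # no recognizable header
    fake_dll = MZ_MAGIC + b"\x90\x00" + b"\x00" * 60   # DOS header stub
    real_jpeg = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", lnk)
        zf.writestr("6.jpg", encrypted_blob)
        zf.writestr("7.jpg", fake_dll)
        zf.writestr("photo.jpg", real_jpeg)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f"{f['name']:20} {f['kind']:8} {f['reason']}")
```

Only the first 64 bytes of each member are read, so the check is cheap enough to run on every attachment at a mail gateway; the "unknown" classification for `6.jpg` is the signal worth keeping, since an image that carries no image header is either corrupt or, as here, an encrypted payload.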
The DLL, named PlusDrop, decrypts and loads the next stage, PlusInject, entirely in memory. PlusInject then performs process hollowing on the legitimate Windows process svchost.exe, injecting the final payload, Tough Progress.
Once active, Tough Progress connects to a hardcoded Google Calendar URL, polling specific calendar events whose description fields carry the commands [1]. These are hidden calendar events created by APT41.
After executing the received instructions, the malware sends the results back by creating new calendar events — allowing attackers to dynamically adjust their operations based on feedback.
Stealth and Disruption Efforts
Since the malware operates entirely in memory and uses a trusted cloud service for communication, traditional security solutions have a low chance of detecting the intrusion.
Google took swift action by:
- Disabling all attacker-controlled Google Calendar and Workspace accounts.
- Removing the malicious Calendar events.
- Updating its Safe Browsing blocklist, which now warns users and blocks traffic to the identified malicious sites across Google’s ecosystem.
While the report does not list specific victim organizations, Google confirmed it has notified affected entities directly, in collaboration with Mandiant. The tech giant also provided malware samples and traffic logs to help victims detect and analyze infections in their networks.
Reference:
- https://www.bleepingcomputer.com/news/security/apt41-malware-abuses-google-calendar-for-stealthy-c2-communication/
Cite this article:
Keerthana S (2025), APT41 Malware Exploits Google Calendar for Covert Command-and-Control (C2) Communication, AnaTechMaz, pp.179