TZUTC: -0500
MSGID: 1164.consprcy@1:2320/105 2c9efad9
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
Chinese hackers use Google Calendar in stealthy new attack

Date:
Thu, 29 May 2025 15:07:00 +0000

Description:
Google Calendar was used as part of the C2 infrastructure, so users should
take care.

FULL STORY

Chinese state-sponsored hackers known as APT41 have been seen abusing Google
Calendar in their newest attacks, using it as part of the C2 infrastructure. 

Googles Threat Intelligence Group (TIG) recently discovered the technique,
dismantled the setup, and introduced changes to prevent similar attacks in 
the future. 

The attack starts from a previously compromised government website - TIG did
not explain how the site was compromised, but said it was used to host a .ZIP
archive. This archive is then shared, through phishing emails, with potential
targets.

Reading the calendar 

Inside the ZIP are three files: a DLL and executable files posing as JPGs, 
and a Windows shortcut file (LNK) posing as a PDF document. 

When the victim tries to open the fake PDF, it runs the shortcut which, in
turn, activates the DLL. 

This file, in turn, decrypts and launches the third file, which is the
malicious payload dubbed ToughProgress. 

The malware then reads additional instructions shared in two specific events
in Google Calendar. The commands are found either in the description field, 
or hidden events. 

To share the results, the malware would create a new zero minute calendar
event on May 30, and share the data, encrypted, in the calendar event
description. 

Since the malware is never actually installed on the disk, and since the C2
communication happens via a legitimate Google service, most security products
will have trouble spotting the attack, Google suggests. 

To tackle the threat, TIG developed custom detection signatures to identify
and block APT41s malware. It also took down associated Workspace accounts and
calendar entries. Furthermore, the team updated file detections and added
malicious domains and URLs to the Google Safe Browsing blocklist. 

Google also confirmed that at least a few companies were targeted: In
partnership with Mandiant Consulting, GTIG notified the compromised
organizations, it said. 

We provided the notified organizations with a sample of TOUGHPROGRESS network
traffic logs, and information about the threat actor, to aid with detection
and incident response. 

It did not say how many companies were affected. 

 Via BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/pro/security/chinese-hackers-use-google-calendar-in-
stealthy-new-attack

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428
SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200
SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426