
Google Uncovers Cyberattack Using Calendar Events—A Silent Threat

A Clever Hack Hidden in Plain Sight

Google has exposed a new cybersecurity threat tied to a Chinese state-backed hacking group known as APT41. The group deployed a stealthy malware, called TOUGHPROGRESS, which cleverly masked its activity by using Google Calendar events for secret communications. This means that instead of traditional hacking techniques, the attackers were hiding their operations within normal-looking calendar entries—a shocking development in cyber warfare.

A Disturbing Discovery

In October 2024, Google’s Threat Intelligence Group (GTIG) uncovered this malicious activity on a compromised government website. The hackers used phishing emails to deliver the malware, tricking victims into downloading a ZIP file that appeared to contain harmless insect images. But two of the images were fake—inside was a hidden shortcut file disguised as a PDF. A simple click was enough to trigger the attack.
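The lure described above relied on a ZIP whose "images" were really Windows shortcut files, one of them named to look like a PDF. The following Python script, added here as an illustration and not code from Google or from the article, shows the kind of archive triage a mail gateway or analyst could run: it flags shortcut files inside an archive, double extensions such as `.pdf.lnk`, and members whose contents do not match the file type their name claims. The archive contents are constructed for the example; the Shell Link header bytes are those defined in the MS-SHLLINK specification.

```python
import io
import zipfile

# A Windows Shell Link (.lnk) file starts with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK, section 2.1),
# serialised in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")
PDF_MAGIC = b"%PDF-"
JPEG_MAGIC = b"\xff\xd8\xff"


def classify_member(name: str, data: bytes) -> list[str]:
    """Return the reasons an archive member looks suspicious (empty list = clean)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = parts[-1]
    if ext == "lnk":
        reasons.append("shortcut file inside archive")
        if len(parts) >= 3:  # e.g. report.pdf.lnk
            reasons.append("double extension hides .lnk behind ." + parts[-2])
    if data.startswith(LNK_MAGIC) and ext != "lnk":
        reasons.append("content is a Windows shortcut but name claims ." + ext)
    if ext == "pdf" and not data.startswith(PDF_MAGIC):
        reasons.append("named .pdf but lacks PDF header")
    if ext in ("jpg", "jpeg") and not data.startswith(JPEG_MAGIC):
        reasons.append("named image but lacks JPEG header")
    return reasons


def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Map each flagged member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the leading bytes are needed for header checks.
            head = zf.open(info.filename).read(64)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: real images plus disguised shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("insects/beetle.jpg", JPEG_MAGIC + b"\x00" * 40)
        zf.writestr("insects/moth.jpg", JPEG_MAGIC + b"\x00" * 40)
        # "Image" whose bytes are actually a shortcut (constructed sample).
        zf.writestr("insects/ladybug.jpg", LNK_MAGIC + b"\x00" * 40)
        # Shortcut disguised as a PDF via a double extension (constructed sample).
        zf.writestr("insects/export_species.pdf.lnk", LNK_MAGIC + b"\x00" * 40)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

Header checks catch the case the article describes (a shortcut carrying an image or document name) even when the extension alone looks harmless; in a real gateway the same classifier would run over every attachment rather than a constructed archive.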

How the Malware Operated in Secret

Once the victim opened the file, a fake message about exporting species appeared—giving the impression that it was a legitimate document. But in reality, the system was already infected.

The malware used advanced stealth techniques, including:

✔️ Encryption to hide its presence
✔️ Memory-only payloads that avoid detection
✔️ Process obfuscation to disguise malicious activity

Breaking Down the Attack: Key Components

According to Google, the malware worked in three main stages:

🔹 PLUSDROP – A DLL file that decrypts and launches the attack.
🔹 PLUSINJECT – Injects malicious code into a legitimate Windows process ().
🔹 TOUGHPROGRESS – The final malware that communicates with Google Calendar, reading hidden hacker commands.

Google Calendar: A Tool for Cybercrime?

APT41’s use of Google Calendar was ingenious. The hackers created fake calendar events on specific dates, like July 30 and 31, 2023, embedding encrypted commands inside event descriptions.

📌 The malware read these hidden commands.
📌 The infected system executed them.
📌 The malware then sent results back using another calendar event—keeping the entire attack invisible within routine calendar activity.
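Because the commands and results travelled inside event descriptions, one place a defender can look is the calendar data itself. The Python below is an added example, not code from Google or the article: it triages an exported list of events and reports those whose description looks like an encoded blob (long, confined to the base64 alphabet, high entropy, and decodable), together with supporting indicators such as an empty title or no attendees. The export format and field names are an assumed simplified shape, not the Google Calendar API schema, and the sample records are constructed.

```python
import base64
import binascii
import json
import math
import re

# Constructed sample export. Field names ("id", "creator", "start", "attendees",
# "summary", "description") are an assumed simplified shape for the example.
SAMPLE_EVENTS = json.dumps([
    {"id": "evt-1", "creator": "alice@example.test", "start": "2023-07-30T09:00:00Z",
     "attendees": ["bob@example.test"], "summary": "Weekly sync",
     "description": "Agenda: roadmap review, hiring update, open questions."},
    {"id": "evt-2", "creator": "svc-account@example.test", "start": "2023-07-30T00:00:00Z",
     "attendees": [], "summary": "",
     # Stand-in for an encrypted command: base64 of high-entropy bytes.
     "description": base64.b64encode(bytes(range(256)) * 2).decode()},
    {"id": "evt-3", "creator": "carol@example.test", "start": "2023-07-31T00:00:00Z",
     "attendees": [], "summary": "", "description": "Out of office"},
])

BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def shannon_entropy(text: str) -> float:
    """Bits per character of the text's symbol distribution."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(desc: str, min_len: int = 200, min_entropy: float = 4.5) -> bool:
    """True when a description is long, base64-only, high-entropy and decodes cleanly.

    Thresholds are heuristic starting points; tune them against real tenant data.
    """
    compact = "".join(desc.split())
    if len(compact) < min_len or not BASE64_RE.match(compact):
        return False
    if shannon_entropy(compact) < min_entropy:
        return False
    try:
        base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def supporting_indicators(ev: dict) -> list[str]:
    """Weak signals that make an encoded description more worth a look."""
    reasons = []
    if not ev.get("attendees"):
        reasons.append("no attendees")
    if not ev.get("summary", "").strip():
        reasons.append("empty title")
    reasons.append("description length %d" % len(ev.get("description", "")))
    return reasons


def triage(export_json: str) -> list[tuple[str, list[str]]]:
    """Return (event id, indicators) for every event whose description looks encoded."""
    flagged = []
    for ev in json.loads(export_json):
        if looks_encoded(ev.get("description", "")):
            flagged.append((ev["id"], supporting_indicators(ev)))
    return flagged


if __name__ == "__main__":
    for event_id, why in triage(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(why))
```

The encoded-description test is the gate; the other indicators only rank what it finds, so an ordinary empty-titled "Out of office" entry is not reported. Running this over a real Workspace export would require mapping the tenant's actual field names onto the assumed ones.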

Google’s Swift Response

Once Google detected the breach, it removed the malicious calendar events and shut down the related Workspace accounts. The company also alerted affected organizations, but the full extent of the attack remains unclear.

APT41 is no stranger to cyber espionage—the group, also known as Wicked Panda, Winnti, and Brass Typhoon, has previously targeted industries like government, technology, logistics, media, and the automotive sector.

Not the First Time—A Growing Pattern

This wasn’t APT41’s first attempt at using Google’s services for cyberattacks. In April 2023, the group deployed Google Command and Control (GC2)—a tool that exploited Google Sheets and Google Drive to execute malicious commands and steal data.

Lessons for Organizations: Stay Vigilant

Google continues to monitor such threats and has tightened its security measures to prevent future breaches. However, this case underscores an alarming trend—hackers are exploiting everyday cloud services to mask their operations.

Organizations must remain alert. Investing in strong cybersecurity measures is no longer optional—it’s essential.

Cyber threats are evolving rapidly, and staying ahead of attackers is the only way to ensure digital safety.
