SOCRadar® Cyber Intelligence Inc. | APT41 Targets Governments with New TOUGHPROGRESS Malware Using Google Calendar for C2
May 29, 2025

APT41 Targets Governments with New TOUGHPROGRESS Malware Using Google Calendar for C2

APT41 has launched an advanced cyber campaign aimed at multiple government organizations.

This APT group, also known as HOODOO, is a Chinese state-sponsored cyber threat group known for its versatility and persistence. Over the years, the group has targeted a wide range of industries globally, including government, logistics, media, automotive, and technology sectors.

APT41’s latest campaign, discovered in late October 2024 by Google’s Threat Intelligence Group (GTIG), centers on a novel use of a malware dubbed TOUGHPROGRESS, which leverages Google Calendar as a stealthy Command and Control (C2) channel.

By embedding encrypted commands and data in calendar events, APT41 was able to disguise malicious activity within legitimate cloud service traffic, significantly complicating detection efforts for defenders.

Malicious calendar event created by TOUGHPROGRESS (Google)

APT41 is notorious for its ability to adapt and repurpose malware tools. It has a track record of blending cyber espionage with financially motivated attacks. Previous campaigns have featured malware families like VOLDEMORT and DUSTTRAP, which also exploited public cloud infrastructure for Command and Control (C2), much like the TOUGHPROGRESS malware uncovered in this recent operation.

What Is the TOUGHPROGRESS Malware?

Google recently identified a sophisticated malware strain named TOUGHPROGRESS. This malware represents the final stage in a complex, multi-part infection chain. What makes it particularly elusive is its use of Google Calendar events for covert communication, a tactic designed to camouflage malicious traffic as routine cloud service activity.

According to Google’s report, the key characteristics of TOUGHPROGRESS include:

  • Command execution on the compromised host.
  • Data exfiltration, with stolen data hidden inside calendar event descriptions.
  • Stealthy delivery, running entirely in memory to avoid file-based detection.
  • Advanced evasion techniques, such as encryption, compression, process hollowing, and control flow obfuscation.

By hiding in plain sight, TOUGHPROGRESS makes it difficult for defenders to distinguish between legitimate and malicious cloud usage.

How Does the Attack Work?

APT41 initiated this campaign through spear phishing emails that linked to a ZIP archive hosted on a compromised government website. The ZIP file contained a Windows LNK file disguised as a PDF and a set of JPG images, two of which were actually malicious.

When the victim clicks the LNK file, it triggers a chain reaction:

  1. PLUSDROP decrypts and executes the next stage.
  2. PLUSINJECT uses process hollowing to inject code into a legitimate svchost.exe process.
  3. TOUGHPROGRESS is deployed and begins communicating with attacker-controlled Google Calendar events.

An overview of the TOUGHPROGRESS malware campaign (Google)

Why Did APT41 Use Google Calendar for C2 Operations?

Using a legitimate cloud service like Google Calendar makes C2 traffic appear normal. TOUGHPROGRESS creates zero-minute events with encrypted content embedded in the event descriptions. These descriptions carry either system data exfiltrated from the host or attacker commands to be executed.

Specific hardcoded dates, such as May 30, July 30, and July 31, were used for event creation and polling. Researchers reverse-engineered the encryption routine, revealing a two-layer XOR process with custom keys, combined with compression, that helped shield the data from detection.
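The covert-channel shape described above (zero-minute events, encoded descriptions, fixed dates) can be hunted for in Calendar API event data. The following is an added defender-side example, not code from SOCRadar or GTIG; the sample events are constructed, the entropy and length thresholds are assumptions, and the date check uses only the three dates the report names.

```python
import json
import math
from collections import Counter

# Hardcoded creation/polling dates reported for the campaign, as (month, day).
CAMPAIGN_DATES = {(5, 30), (7, 30), (7, 31)}
# Constructed sample shaped like a Calendar API v3 events.list response (not real campaign data).
# ev2's description is a shuffled base64 alphabet standing in for an encrypted, compressed blob.
SAMPLE_EVENTS_JSON = """{"items": [
 {"id": "ev1", "start": {"dateTime": "2025-05-30T09:00:00Z"}, "end": {"dateTime": "2025-05-30T09:30:00Z"},
  "description": "Weekly status, bring notes."},
 {"id": "ev2", "start": {"dateTime": "2025-05-30T00:00:00Z"}, "end": {"dateTime": "2025-05-30T00:00:00Z"},
  "description": "aA0bB1cC2dD3eE4fF5gG6hH7iI8jJ9kKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ+/=="},
 {"id": "ev3", "start": {"dateTime": "2025-07-31T14:00:00Z"}, "end": {"dateTime": "2025-07-31T14:00:00Z"},
  "description": "Annual check-up"}
]}"""

def shannon_entropy(text):
    """Bits per character: 6.0 is the ceiling for a 64-symbol alphabet; prose sits near 4."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def is_zero_minute(event):  # start == end, the shape TOUGHPROGRESS events take
    start = event.get("start", {}).get("dateTime")
    return start is not None and start == event.get("end", {}).get("dateTime")

def on_campaign_date(event):  # start date is one of the reported hardcoded dates, any year
    stamp = event.get("start", {}).get("dateTime", "")
    try:
        return (int(stamp[5:7]), int(stamp[8:10])) in CAMPAIGN_DATES
    except ValueError:
        return False

def looks_encoded(description, min_len=64, min_entropy=4.5):
    """Long, space-free, high-entropy text reads like an encoded blob rather than a note."""
    desc = (description or "").strip()
    return len(desc) >= min_len and " " not in desc and shannon_entropy(desc) >= min_entropy

def suspicious_events(events_json):
    """Map event id -> reasons for events that fit the covert-channel pattern."""
    hits = {}
    for ev in json.loads(events_json).get("items", []):
        if not (is_zero_minute(ev) and looks_encoded(ev.get("description"))):
            continue
        reasons = ["zero-minute event", "encoded-looking description"]
        if on_campaign_date(ev):
            reasons.append("start date matches a reported hardcoded date")
        hits[ev["id"]] = reasons
    return hits
```

Only ev2 is reported: ev3 is zero-minute and on a campaign date but carries ordinary prose, which keeps the date check from generating noise on its own.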

What Infrastructure Was Involved?

The attackers made extensive use of free web hosting platforms such as:

  • Cloudflare Workers (msapp.workers.dev)
  • TryCloudflare
  • InfinityFree

They also masked malicious links using URL shorteners like TinyURL and reurl.cc, further reducing suspicion.

Once the malware was executed, payloads were run entirely in memory. This method, combined with legitimate-looking C2 traffic, significantly reduced detection rates by endpoint security tools.

SOCRadar’s Brand Protection, Impersonating Domains page

SOCRadar’s Brand Protection module is designed to proactively detect and counter phishing operations, malicious hosting, and impersonation threats. By continuously monitoring external risks across domains, social media, and public clouds, the platform enables early intervention and takedown of attacker-controlled assets before they reach your users.

How Did Google Respond?

Google acted swiftly to disrupt the campaign, working with experts to:

  • Terminate attacker-controlled Google Calendar and Workspace projects.
  • Update Safe Browsing blocklists to prevent user access to malicious domains and file downloads.
  • Develop custom detection signatures to identify and shut down associated infrastructure.
  • Notify compromised organizations and share TOUGHPROGRESS samples and traffic logs for incident response.

This proactive stance showcases the importance of collaborative cybersecurity efforts between tech companies and threat intelligence groups.

How Can Organizations Protect Themselves?

To guard against campaigns like this:

  • Educate users on phishing email detection.
  • Monitor cloud service usage for anomalies.
  • Use endpoint detection tools that can catch memory-only payloads and process injection techniques.
  • Stay updated with threat intelligence feeds and Indicators of Compromise (IOCs).

SOCRadar’s Threat Actor Intelligence is accessible via the CTI module

APT41’s ability to blend espionage with stealthy malware delivery – especially through everyday services like Google Calendar – shows how sophisticated today’s threat actors have become. With SOCRadar’s Cyber Threat Intelligence module, security teams gain real-time visibility into evolving threat actor tactics, tools, and infrastructure.

The platform provides timely, actionable intelligence that helps organizations detect and defend against such campaigns, reducing the risk of undetected breaches.

Indicators of Compromise (IOCs)

Here’s the list of IOCs published by GTIG to help organizations detect and respond to this threat. GTIG will continue to monitor APT41’s evolving tactics and update indicators as needed, so make sure to follow the official research blog here as well.

File Hashes

  • 出境海關申報清單.zip: SHA256 469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a, MD5 876fb1b0275a653c4210aaf01c2698ec
  • 申報物品清單.pdf.lnk: SHA256 3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb, MD5 65da1a9026cf171a5a7779bc5ee45fb1
  • 6.jpg: SHA256 50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360, MD5 1ca609e207edb211c8b9566ef35043b6
  • 7.jpg: SHA256 151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7, MD5 2ec4eeeabb8f6c2970dcbffdcdbd60e3

Malicious Domains

  • word[.]msapp[.]workers[.]dev
  • cloud[.]msapp[.]workers[.]dev
  • term-restore-satisfied-hence[.]trycloudflare[.]com
  • ways-sms-pmc-shareholders[.]trycloudflare[.]com
  • resource[.]infinityfreeapp[.]com
  • pubs[.]infinityfreeapp[.]com
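Matching the domain indicators above against proxy logs takes two steps: refang the published values, then match hosts by exact name or subdomain. The example below is added here and is not SOCRadar or GTIG code; it also flags, at lower confidence, any host on the free hosting platforms named in the infrastructure section, and the proxy log format and sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Defanged domain indicators as listed above for this campaign.
DEFANGED_DOMAINS = [
    "word[.]msapp[.]workers[.]dev", "cloud[.]msapp[.]workers[.]dev",
    "term-restore-satisfied-hence[.]trycloudflare[.]com",
    "ways-sms-pmc-shareholders[.]trycloudflare[.]com",
    "resource[.]infinityfreeapp[.]com", "pubs[.]infinityfreeapp[.]com",
]
# Free hosting platforms the report names. A host here that is not in the IoC list is not
# malicious by itself, so it is reported at lower confidence for analyst review.
PLATFORM_SUFFIXES = ("workers.dev", "trycloudflare.com", "infinityfreeapp.com")

def refang(indicator):
    """Turn a defanged indicator ('[.]', '[:]', 'hxxp') back into a matchable value."""
    value = indicator.strip().lower().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value)

DOMAIN_IOCS = [refang(d) for d in DEFANGED_DOMAINS]

def _under(host, suffix):  # exact name or any subdomain of it
    return host == suffix or host.endswith("." + suffix)

def classify_host(host):
    """'ioc' for an IoC match, 'platform' for the hosting platform only, else None."""
    host = host.lower().rstrip(".")
    if any(_under(host, i) for i in DOMAIN_IOCS):
        return "ioc"
    if any(_under(host, s) for s in PLATFORM_SUFFIXES):
        return "platform"
    return None

# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url> <status>" (not real logs).
SAMPLE_PROXY_LOG = """2025-05-30T10:01:02Z 10.0.0.5 GET https://cloud.msapp.workers.dev/api 200
2025-05-30T10:02:10Z 10.0.0.7 GET https://www.google.com/calendar 200
2025-05-30T10:03:44Z 10.0.0.5 GET https://random-words-here.trycloudflare.com/ 200
2025-05-30T10:05:00Z 10.0.0.9 POST https://pubs.infinityfreeapp.com/upload 200
2025-05-30T10:06:00Z 10.0.0.9 GET https://example.com/ 200"""

def scan_proxy_log(text):
    """Return (timestamp, client, host, verdict) for every line whose host matches."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname or ""
        verdict = classify_host(host)
        if verdict:
            findings.append((parts[0], parts[1], host, verdict))
    return findings
```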


Google Calendar Infrastructure 

  • App Client ID: 104075625139-l53k83pb6jbbc2qbreo4i5a0vepen41j.apps.googleusercontent.com 
  • Calendar API URL:
    https[:]//www[.]googleapis[.]com/calendar/v3/calendars/ff57964096cadc1a8733cf566b41c9528c89d30edec86326c723932c1e79ebf0@group.calendar.google.com/events

YARA Rules

In addition to the indicators above, GTIG has released YARA detection rules to help security teams identify TOUGHPROGRESS-related artifacts in their environments.

rule G_Backdoor_TOUGHPROGRESS_LNK_1 {
	meta:
		author = "GTIG"
		date_created = "2025-04-29"
		date_modified = "2025-04-29"
		md5 = "65da1a9026cf171a5a7779bc5ee45fb1"
		rev = 1
	strings:
		$marker = { 4C 00 00 00 }
		$str1 = "rundll32.exe" ascii wide
		$str2 = ".image7.jpg,plus" wide
		$str3 = "%PDF-1"
		$str4 = "PYL="
	condition:
		$marker at 0 and all of them
}
rule G_Dropper_PLUSDROP_1 {
	meta:
		author = "GTIG"
		date_created = "2025-04-29"
		date_modified = "2025-04-29"
		md5 = "9492022a939d4c727a5fa462590dc0dd"
		rev = 1
	strings:
		$decrypt_and_launch_payload = { 48 8B ?? 83 ?? 0F 0F B6 ?? ?? ?? 
30 04 ?? 48 FF ?? 49 3B ?? 72 ?? 80 [1-5] 00 75 ?? B? 5B 55 D2 56 [0-8] E8 
[4-32] 33 ?? 33 ?? FF D? [0-4] FF D? }
	condition:
		uint16(0) == 0x5a4d and all of them
}
rule G_Dropper_TOUGHPROGRESS_XML_1 {
	meta:
		author = "GTIG"
		description = "XML lure file used to launch a PLUSDROP dll."
		md5 = "dccbb41af2fcf78d56ea3de8f3d1a12c"
	strings:
		$str1 = "System.Convert.FromBase64String"
		$str2 = "VirtualAlloc"
		$str3 = ".InteropServices.Marshal.Copy"
		$str4 = ".DllImport"
		$str5 = "kernel32.dll"
		$str6 = "powrprof.dll"
		$str7 = ".Marshal.GetDelegateForFunctionPointer"
	condition:
		uint16(0) != 0x5A4D and all of them and filesize > 500KB and filesize < 5MB
}
rule G_Dropper_PLUSBED_2 {
	meta:
		author = "GTIG"
		date_created = "2025-04-29"
		date_modified = "2025-04-29"
		md5 = "39a46d7f1ef9b9a5e40860cd5f646b9d"
		rev = 1
	strings:
		$api1 = { BA 54 B8 B9 1A }
		$api2 = { BA 78 1F 20 7F }
		$api3 = { BA 62 34 89 5E }
		$api4 = { BA 65 62 10 4B }
		$api5 = { C7 44 24 34 6E 74 64 6C 66 C7 44 24 38 6C 00 FF D0 }
	condition:
		uint16(0) != 0x5A4D and all of them
}