How Google Calendar Was Hacked by Chinese Cybercriminals for Espionage?

Google Calendar has been found in use as a novel channel for malware command and control by APT41, a highly skilled Chinese state-sponsored threat group. The finding, reported in recent research by the US-based cybersecurity firm Resecurity, highlights the changing and frequently surprising tradecraft of state-backed attackers.
APT41, also tracked as BARIUM, Wicked Panda, and Brass Typhoon, is known for pursuing both financially motivated cybercrime and cyber espionage. Active since at least 2012, the group has targeted a wide range of industries worldwide, including government agencies, software, telecommunications, and healthcare.
A Hybrid Threat: Espionage Meets Cybercrime
APT41’s distinctive fusion of conventional cyber espionage with cybercrime tradecraft sets it apart from other threat groups. In some of its attacks the group has deployed ransomware alongside custom tooling, demonstrating a flexible and aggressive operational style. This hybrid approach, which lets it pursue both direct financial gain and strategic intelligence collection, makes APT41 a particularly difficult adversary for defenders.
The Taiwan Government Website Targeted
According to the recent Resecurity study, APT41 used Google Calendar in a campaign targeting a website run by the Taiwanese government. The operation showcased the group’s ongoing inventiveness in evading security controls through a complex delivery chain and covert malware. To help incident responders and security teams counter the threat, Resecurity has published detailed technical analysis and indicators of compromise (IOCs).
How the Attack Unfolded: A Step-by-Step Breakdown
This campaign’s initial infection chain was carefully built to trick victims:
- Spear-Phishing Initiation: The attack began with spear-phishing emails that directed victims to a ZIP archive.
- Compromised Government Website: The malicious ZIP was hosted on a compromised government website, so the download appeared legitimate.
- Disguised Malicious Files: Inside the archive, victims found a Windows shortcut (LNK) file deceptively presented as a PDF document, accompanied by a number of JPG images.
- Hidden Malicious Payload: Two of these JPG files, “6.jpg” and “7.jpg”, were not real photos; they carried the malicious payload.
- Decoy PDF and Silent Launch: Clicking the LNK shortcut displayed a decoy PDF, which stated that exporting listed species requires a declaration. At the same time, a covert piece of malware known as ToughProgress quietly began running in the background.
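The lure above has two features a responder can check for mechanically before anything is opened: a shortcut carrying a document extension in its name, and “images” whose bytes are not an image. The triage below is an added example (not Resecurity’s or Google’s tooling) run over a constructed archive that mimics the described layout; the file names and byte contents are made up.

```python
"""Triage a downloaded ZIP for the lure pattern described in the article: a Windows
shortcut (LNK) masquerading as a PDF, shipped beside 'JPG' files that are not images.
The sample archive is constructed here; it is not a real capture."""
import io
import zipfile

LNK_MAGIC = b"\x4c\x00\x00\x00"   # HeaderSize field (0x4C) that opens every Shell Link file
JPEG_MAGIC = b"\xff\xd8\xff"       # SOI marker that opens every JPEG
IMAGE_EXTS = (".jpg", ".jpeg")


def triage_archive(zip_bytes: bytes) -> list:
    """Return one finding string per suspicious entry; an empty list means nothing matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            head = zf.open(info).read(16)
            # A shortcut whose name carries a document-looking extension before '.lnk'
            if lower.endswith(".lnk") and ".pdf" in lower[:-4]:
                findings.append(f"{name}: LNK shortcut disguised as a PDF")
            # Any entry that is really an LNK, whatever its name says
            elif head.startswith(LNK_MAGIC) and not lower.endswith(".lnk"):
                findings.append(f"{name}: LNK header under a non-.lnk name")
            # An 'image' whose bytes do not start with a JPEG marker: possible payload carrier
            if lower.endswith(IMAGE_EXTS) and not head.startswith(JPEG_MAGIC):
                findings.append(f"{name}: .jpg without JPEG header (payload carrier?)")
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the described lure; all bytes are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("declaration.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("1.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 40)   # genuine-looking image
        zf.writestr("6.jpg", bytes(range(0x41, 0x71)))               # opaque blob, no SOI marker
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_archive(build_sample_zip()):
        print(line)
```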
ToughProgress: A Multi-Module Stealth Machine
ToughProgress is made up of three successive modules, each built with sophisticated stealth and evasion techniques:
- In-memory execution: The malware runs directly in memory, making it harder to find on disk.
- Encryption and compression: Obscuring its data and code.
- Process hollowing: Hiding inside legitimate processes.
- Control flow obfuscation: Making its code difficult to decipher.
- Google Calendar C2: A novel command-and-control channel.
The Three Malicious Components
- PLUSDROP: This module uses Rundll32.exe, a legitimate Windows tool, to decode “6.jpg” and execute it.
- PLUSINJECT: This component performs the process hollowing. To avoid detection, it injects the final payload into a legitimate svchost.exe process, a core Windows service host.
- TOUGHPROGRESS: Once installed, ToughProgress begins interacting with Google Calendar events under the attacker’s control. This exchange serves as a covert command-and-control (C2) channel.
Execution and Payload Deployment: Deeper Dive
After Rundll32.exe launched it, the malware began a multi-stage sequence of actions:
- In-Memory Decryption: The malware loaded its own path into memory, then opened “6.jpg” and read its contents into a buffer. The data was decrypted with an XOR-based routine. This let the malware hide the payload inside an apparently innocuous image and run it straight from memory, without ever writing the decoded form to disk.
- Process Environment Block (PEB) Traversal: The malware then walked the list of loaded modules in memory by reading the Process Environment Block (PEB). This technique is frequently used to find system DLLs without relying on GetModuleHandle or other API calls that security tools may monitor.
- Custom Hashing for Obfuscation: For each module, the malware obtained the name and ran it through a custom hash function. The function applied a rolling hash, skipped non-printable characters, and transformed characters into an uppercase-like form; the result was then masked to 32 bits.
- Module Matching and Injection: When the hash matched a particular constant (0x1CCA9CE6), the malware stored that module’s base address and injected the decrypted code into svchost.exe.
Why Process Hollowing?
According to Resecurity, the malware uses process hollowing, a complex evasion tactic, for a number of reasons:
- Avoids Suspicious Strings: Because only a hash is stored, security programs that search for strings like “svchost.exe” or “kernel32.dll” will not flag it, making the harmful behavior harder for automated defenses to identify.
- Obfuscation: To recover the original string, analysts must reverse-engineer the hash algorithm and brute-force it against candidate names, which slows analysis and buys the attackers time.
- Function Resolution: It lets the malware dynamically resolve essential functions such as VirtualAlloc and LoadLibrary, or inject into trusted processes.
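The “brute-force” step mentioned above is routine analyst work: once the hash routine is lifted from the binary, every constant becomes a table lookup against the module names one expects to see. The code below is an added example (not Resecurity’s or the malware’s own code): stand_in_hash is a hypothetical routine that only follows the shape of the description (rolling, skips non-printables, upper-cases, 32-bit mask), so the article’s constant 0x1CCA9CE6 will not resolve against it; the module list is a generic set of common Windows names, not taken from the page.

```python
"""Analyst-side recovery of hashed module names: the brute-force step the article says
defenders must perform. stand_in_hash is a HYPOTHETICAL routine shaped like the
description (rolling, skips non-printables, upper-cases, 32-bit mask); it is not
ToughProgress's real hash, so the article's 0x1CCA9CE6 will not resolve against it."""
from typing import Callable, Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def stand_in_hash(name: str) -> int:
    """Hypothetical rolling hash (h*33 + c) over upper-cased printable characters."""
    h = 0
    for ch in name:
        if not ch.isprintable():          # non-printable characters are skipped
            continue
        c = ord(ch)
        if 0x61 <= c <= 0x7A:             # ASCII a-z -> A-Z ("uppercase-like" step)
            c -= 0x20
        h = ((h << 5) + h + c) & MASK32   # roll and keep 32 bits
    return h


# Module names an analyst expects inside a Windows process (common names, not page-specific)
KNOWN_MODULES = ["ntdll.dll", "kernel32.dll", "kernelbase.dll",
                 "user32.dll", "advapi32.dll", "svchost.exe"]


def build_table(names: Iterable[str],
                hash_fn: Callable[[str], int] = stand_in_hash) -> Dict[int, str]:
    """Precompute hash -> name once; every constant pulled from the binary is then a lookup."""
    return {hash_fn(n): n for n in names}


def resolve(constant: int, table: Dict[int, str]) -> Optional[str]:
    """Name behind a hashed constant, or None when it is not in the candidate set."""
    return table.get(constant & MASK32)


if __name__ == "__main__":
    table = build_table(KNOWN_MODULES)
    for h, n in sorted(table.items()):
        print(f"0x{h:08X} -> {n}")
    print("article constant:", resolve(0x1CCA9CE6, table))
```

Swapping stand_in_hash for the routine actually recovered from a sample turns the same table into a working resolver for that sample.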
Targeting the Heart of Windows
The malware did not stop there. It proceeded to target ntoskrnl.exe, the core of the Windows operating system. This calculated effort aimed to map, analyze, and potentially manipulate critical sections of the system. This behavior, buried within a specific function, initiated a complex sequence of memory operations, a hallmark of advanced low-level persistence mechanisms.
The malware actively located and accessed internal structures in a stealthy, dynamic way. It performed pattern matching in the .text section to find non-exported kernel routines. It also mapped physical memory to bypass standard protections and used driver-like memory handling to avoid detection. These techniques are designed for advanced goals like privilege escalation and anti-forensics, making analysis incredibly difficult for reverse engineers, as noted in Resecurity’s findings.
Google Calendar: The Covert Command Center
Resecurity points out that ToughProgress’s unique usage of Google Calendar as a command-and-control (C2) method is what really sets it apart.
- Stealthy Communication: To enable secret data exchange, the malware creates and modifies events on a Google Calendar under the attacker’s control.
- Encrypted Data in Events: Once installed, ToughProgress creates a calendar event, usually dated in 2023, and places encrypted, exfiltrated data in the event description.
- Remote Command Execution: Attackers insert encrypted commands into calendar events. The malware retrieves these events, decrypts the commands, runs them on the compromised Windows system, and uploads the execution results to a fresh calendar event.
Through this procedure, the threat actors can issue commands and gather data remotely, keeping up a very covert communication channel that is hard to find with conventional network monitoring tools.
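Network monitoring sees only TLS to Google, but the calendar content itself is observable to whoever administers the Workspace tenant, and the pattern described above (an encrypted blob sitting in the description of an event dated in 2023) is unusual for human-made events. The hunt below is an added example, not a Google or Resecurity detection; the event records are constructed to follow the public Calendar API event shape (id, summary, description, start.dateTime/start.date), and the length and entropy thresholds are assumptions to tune against a real tenant.

```python
"""Hunt Google Calendar event records for the C2 pattern the article describes: an
encrypted blob parked in the description of an event dated in 2023. SAMPLE_EVENTS are
CONSTRUCTED to look like Calendar API event resources (id/summary/description/start);
they are not captured data, and the thresholds below are assumptions, not vendor rules."""
import math
import re
from collections import Counter

BLOB_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")   # base64-like alphabet only
MIN_BLOB_LEN = 64                                # shorter text is rarely worth a look
MIN_ENTROPY = 4.5                                # bits/char; prose sits lower, base64 ciphertext near 6
SUSPECT_YEAR = "2023"                            # the article: events "usually from 2023"
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def shannon_entropy(text: str) -> float:
    """Bits per character of the string; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_suspicious_event(event: dict) -> bool:
    """Long, base64-like, high-entropy description on a 2023-dated event."""
    desc = event.get("description", "")
    start = event.get("start", {})
    when = start.get("dateTime") or start.get("date") or ""
    compact = re.sub(r"\s", "", desc)
    return (when.startswith(SUSPECT_YEAR)
            and len(compact) >= MIN_BLOB_LEN
            and BLOB_RE.match(desc) is not None
            and shannon_entropy(compact) >= MIN_ENTROPY)


def hunt(events: list) -> list:
    """Ids of the events an analyst should pull for decryption attempts and attribution."""
    return [ev.get("id", "?") for ev in events if is_suspicious_event(ev)]


# Constructed: a deterministic blob that walks the base64 alphabet twice (entropy 6 bits/char)
FAKE_BLOB = "".join(B64[(i * 37 + 11) % 64] for i in range(128))
SAMPLE_EVENTS = [
    {"id": "evt-meeting", "summary": "Team sync", "start": {"dateTime": "2023-05-30T10:00:00Z"},
     "description": "Weekly status meeting, bring the export declaration paperwork."},
    {"id": "evt-c2", "summary": "", "start": {"dateTime": "2023-05-30T00:00:00Z"},
     "description": FAKE_BLOB},
    {"id": "evt-old-blob", "summary": "", "start": {"date": "2022-11-02"},
     "description": FAKE_BLOB},   # same blob but outside the year filter: not flagged here
]
```

In a real tenant the records would come from the Calendar API event list rather than SAMPLE_EVENTS, and the year filter should be treated as a hint from this campaign, not a rule.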
Defensive Measures and Future Outlook
Google responded quickly to the TOUGHPROGRESS campaign. It created custom detection fingerprints to identify and remove the malicious Google Calendar instances, and it disabled the attacker-controlled Workspace projects tied to the campaign. To further protect users, malicious domains and files associated with the attack were added to Safe Browsing blocklists.
Resecurity’s analysis makes this incident an important reminder for both individuals and organizations. Do you carefully examine every attachment and link, even when it appears to come from a trusted source? How capable are your security systems of identifying and stopping such complex, multi-layered attacks? As APT41 and similar groups continue to evolve their tradecraft, strong, adaptable cybersecurity defenses become ever more necessary.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.