Report | Severity: High | 2025-05-28
Google GTIG disrupts APT41 TOUGHPROGRESS Google-Calendar-C2 campaign
published by Google Cloud / Mandiant
Actor
Chinese state-affiliated group notable for blending espionage with financially motivated operations (game-industry currency theft, cryptocurrency). Implicated in multiple software supply-chain compro…
Summary
Google Threat Intelligence Group (Mandiant) documented APT41 (HOODOO) abusing Google Calendar as a covert command-and-control channel for a multi-stage implant family it named TOUGHPROGRESS, delivered via spear-phishing ZIPs hosted on a compromised government website. The lure masqueraded as an export-declaration document and chained a disguised LNK, an image-decoded payload, and a DLL loader. Google disrupted the campaign by fingerprinting and terminating the attacker-controlled Calendars and Workspace projects.
Tags
c2, google-workspace, spear-phishing, china