
Attention! This new malware may target your Google Calendar data
What's the story
The notorious Chinese hacking group APT41, also known as Winnti, Brass Typhoon, and Wicked Panda, is using a new malware called TOUGHPROGRESS that abuses Google Calendar for command and control.
The revelation was made by Google's Threat Intelligence Group (GTIG) after the campaign was discovered in October 2024.
The attack targeted several government entities via a compromised government website.
Infection details
Malware's infection process
The TOUGHPROGRESS malware is spread through spear-phishing emails that lead victims to a malicious ZIP archive on a compromised government website.
This archive contains a Windows shortcut file (LNK) disguised as a PDF, alongside a folder of decoy image files with arthropod-themed names.
When the LNK is clicked, it starts a multi-stage infection process involving PLUSDROP, PLUSINJECT, and TOUGHPROGRESS itself.
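The archive layout described above (a shortcut masquerading as a PDF, padded out with decoy images) is something a mail gateway or sandbox can triage before a user ever clicks. The following is an added example, not code from Google's write-up or from the campaign: it builds a constructed in-memory ZIP with the same shape and flags members by extension, by double extension, and by the Windows shortcut file header (the fixed HeaderSize and LinkCLSID bytes from the MS-SHLLINK format). The extension lists are assumptions for the example. It goes slightly beyond the article in that the header check also catches a shortcut whose name carries no .lnk at all.

```python
import io
import os
import zipfile

# Extensions that should never be inside an archive that claims to carry
# a document (assumed list for this example, not from the report).
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".hta", ".js", ".vbs", ".bat", ".cmd", ".dll"}
# Extensions an attacker might bolt in front of the real one to look harmless.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png"}

# A .lnk file starts with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (little-endian GUID layout).
LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")


def triage_archive(data: bytes) -> dict:
    """Return {member_name: [reasons]} for every suspicious ZIP member."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            base = os.path.basename(info.filename).lower()
            stem, ext = os.path.splitext(base)
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable-type member ({ext})")
                inner = os.path.splitext(stem)[1]
                if inner in DOCUMENT_EXTS:
                    reasons.append(f"double extension {inner}{ext} mimics a document")
            # Look at the bytes, not just the name: a renamed shortcut is still a shortcut.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reasons.append("content carries the Windows shortcut (LNK) header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive shaped like the one in the article (no real malware)."""
    fake_lnk = LNK_MAGIC + b"\x00" * 64            # header only, no link target
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32  # JPEG SOI marker plus padding
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invitation.pdf.lnk", fake_lnk)      # shortcut posing as a PDF
        zf.writestr("photos/spider_01.jpg", fake_jpeg)   # decoy image
        zf.writestr("photos/beetle_02.jpg", fake_jpeg)   # decoy image
        zf.writestr("photos/moth_03.jpg", fake_lnk)      # shortcut renamed to look like an image
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_archive(build_sample_zip()).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run as-is, it reports the double-extension shortcut and the shortcut hiding among the image names, and stays silent on the two decoy JPEGs. In production the same function would be fed the attachment bytes pulled from the mail gateway or the sandbox's dropped-file list.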
Operational details
TOUGHPROGRESS's operation and previous misuse
The TOUGHPROGRESS malware uses Google Calendar events as its channel for both data exfiltration and command reception.
It creates and modifies events, including zero-minute events with embedded data placed on certain hard-coded dates. The implant polls the calendar for events carrying commands and executes them on the infected host.
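Because the channel is an ordinary Workspace calendar, the defender's view of it is the same event data an administrator can export. The following is an added example, not code from Google or the threat actor: it runs a small hunting heuristic over constructed event records laid out like Google Calendar API "events.list" items (every value is made up for the example). It looks for the traits the article describes, zero-minute events and descriptions that are an encoded blob rather than meeting notes, and the thresholds it uses are assumptions, not values from the report.

```python
import base64
import math
import re
from datetime import datetime

# Assumed thresholds for this example: a description consisting only of
# base64 characters and at least this long is treated as an encoded blob.
MIN_BLOB_LEN = 64
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
HIGH_ENTROPY_BITS = 5.0  # base64 of random bytes sits near 6 bits/char


def _parse(ts: str) -> datetime:
    # Calendar timestamps are RFC 3339; accept the trailing "Z" on older Pythons too.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def shannon_entropy(text: str) -> float:
    """Bits per character of the given string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_event(event: dict) -> list:
    """Return the reasons an event looks like a C2 drop, empty if none."""
    reasons = []
    start, end = event.get("start", {}), event.get("end", {})
    # All-day events carry "date" instead of "dateTime"; only timed events can be zero-minute.
    if "dateTime" in start and "dateTime" in end:
        if _parse(start["dateTime"]) == _parse(end["dateTime"]):
            reasons.append("zero-minute event")
    desc = (event.get("description") or "").strip()
    if len(desc) >= MIN_BLOB_LEN and BASE64_RE.fullmatch(desc):
        reasons.append("description is a base64-looking blob")
        if shannon_entropy(desc) >= HIGH_ENTROPY_BITS:
            reasons.append("high-entropy description")
    if not (event.get("summary") or "").strip():
        reasons.append("empty title")
    return reasons


def hunt(events: list) -> list:
    """Flag events with an encoded blob, or untitled zero-minute events."""
    findings = []
    for ev in events:
        reasons = inspect_event(ev)
        blob = any(r.startswith("description") for r in reasons)
        zero_untitled = "zero-minute event" in reasons and "empty title" in reasons
        if blob or zero_untitled:
            findings.append({"id": ev.get("id"), "reasons": reasons})
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "benign-1", "summary": "Team sync",
     "description": "Weekly status meeting, bring the roadmap.",
     "start": {"dateTime": "2024-10-01T09:00:00Z"}, "end": {"dateTime": "2024-10-01T09:30:00Z"}},
    {"id": "benign-2", "summary": "Pay rent", "description": "",
     "start": {"dateTime": "2024-10-01T08:00:00Z"}, "end": {"dateTime": "2024-10-01T08:00:00Z"}},
    {"id": "benign-3", "summary": "Public holiday", "description": "Office closed.",
     "start": {"date": "2024-10-03"}, "end": {"date": "2024-10-04"}},
    {"id": "suspect-1", "summary": "",
     "description": base64.b64encode(bytes(range(256)) * 2).decode(),
     "start": {"dateTime": "2024-10-03T00:00:00Z"}, "end": {"dateTime": "2024-10-03T00:00:00Z"}},
    {"id": "suspect-2", "summary": "Lunch",
     "description": base64.b64encode(b"constructed payload " * 8).decode(),
     "start": {"dateTime": "2024-10-05T12:00:00Z"}, "end": {"dateTime": "2024-10-05T13:00:00Z"}},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["id"], "->", "; ".join(f["reasons"]))
```

The ordinary reminder (benign-2) is zero-minute but titled, so it is left alone; the two suspect records are reported, one on the zero-minute-plus-blob pattern and one on the blob alone. Against a live tenant the same logic would run over events exported from the calendar of each account, ideally joined with the audit log entry showing which OAuth client or project created them.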
This isn't the first time APT41 has misused Google's infrastructure. In 2023, they used Google Drive to deliver a backdoor called Google Command and Control (GC2), which read commands from Google Sheets and exfiltrated data.
Response measures
Google's response and protection tips
In response to the threat, Google has shut down the malicious Calendar and related Workspace projects to neutralize the campaign.
The company has also alerted affected organizations about the breach. However, the full extent of the intrusion remains unknown.
To stay protected from such attacks, users are advised not to open links or attachments from unknown sources and to disable LNK file previews in Windows.
They should also run updated antivirus and endpoint detection tools, and regularly review which applications hold access to their cloud services and with what permissions.