Full Report
Google on Wednesday disclosed that the Chinese state-sponsored threat actor known as APT41 leveraged a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). The tech giant, which discovered the activity in late October 2024, said the malware was hosted on a compromised government website and was used to target multiple other government entities. "Misuse of cloud
Analysis Summary
# Threat Actor: APT41
## Attribution & Identity
**Identification:** Chinese state-sponsored threat actor.
**Aliases and Associated Groups:** Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, and Winnti.
## Activity Summary
Google disclosed activity dating back to late October 2024, where APT41 leveraged malware named **TOUGHPROGRESS** utilizing **Google Calendar for Command-and-Control (C2)**. This specific instance targeted multiple government entities using malware hosted on a compromised government website.
**Historical Campaigns:**
* **July 2024:** Targeted shipping/logistics, media/entertainment, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. using ANTSWORD, BLUEBEAM, DUSTPAN, and DUSTTRAP.
* **March 2024 (RevivalStone):** A sub-cluster targeted Japanese companies in the manufacturing, materials, and energy sectors.
* **April 2023:** Targeted an unnamed Taiwanese media organization using a Go-based open-source red teaming tool called Google Command and Control (GC2) delivered via Google Drive and Google Sheets for C2 and data exfiltration.
## Tactics, Techniques & Procedures
The recent infection chain involved:
* Spear-phishing emails containing a link to a ZIP archive hosted on a compromised government website.
* The ZIP archive contained a Windows shortcut (LNK) file masquerading as a PDF, alongside several image files (arthropod pictures: "1.jpg" through "7.jpg").
* Launching the LNK file displays a decoy PDF to the user while the real payload is decrypted and executed; the payload is stored in one of the otherwise benign-looking image files ("6.jpg" or "7.jpg"), which are not genuine images.
* **PLUSDROP:** A DLL used to decrypt and execute the next-stage in memory.
* **PLUSINJECT:** Launches a legitimate `svchost.exe` process and performs process hollowing on it to inject the final payload. **[MITRE ATT&CK ID: T1055.012]**
* **Stealth and Evasion:** Memory-only payloads, encryption, compression, and control flow obfuscation.
* **C2 Mechanism (TOUGHPROGRESS):** The primary malware component reads and writes events on an attacker-controlled Google Calendar to store harvested data in event descriptions and receive encrypted commands.
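As an added example (not code from Google's report or the original article), the following Python triage check inspects a ZIP lure for the two traits described above: a Windows shortcut (LNK) whose name imitates a document, and `.jpg` entries whose bytes are not a JPEG. The archive contents are constructed; the signatures used are the standard JPEG start-of-image bytes and the MS-SHLLINK header, and the finding labels are this example's own.

```python
import io
import zipfile

# JPEG start-of-image marker (FF D8 FF) and the MS-SHLLINK header:
# HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
JPEG_MAGIC = b"\xff\xd8\xff"
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
# Document extensions an LNK might imitate ("report.pdf.lnk", "report.pdf   .lnk").
LURE_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def triage_zip(data: bytes) -> list:
    """Return (entry name, finding) pairs for suspicious entries in a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)
            stem = info.filename.lower().rsplit("/", 1)[-1]
            if head.startswith(LNK_MAGIC):
                # Content is a shortcut regardless of what the name claims.
                base = stem[:-4] if stem.endswith(".lnk") else stem
                if base.rstrip().endswith(LURE_EXTS):
                    findings.append((info.filename, "lnk-masquerading-as-document"))
                else:
                    findings.append((info.filename, "lnk-file"))
            elif stem.endswith((".jpg", ".jpeg")) and not head.startswith(JPEG_MAGIC):
                # Image extension but no JPEG header: possible hidden payload.
                findings.append((info.filename, "jpg-without-jpeg-header"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the described layout (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation.pdf.lnk", LNK_MAGIC + bytes(56))
        for i in range(1, 6):  # 1.jpg .. 5.jpg: genuine-looking JPEG headers
            zf.writestr(f"{i}.jpg", JPEG_MAGIC + b"\xe0" + bytes(128))
        zf.writestr("6.jpg", bytes(16) + b"constructed non-image bytes")
        zf.writestr("7.jpg", b"constructed non-image bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for name, finding in triage_zip(build_sample_zip()):
        print(f"{finding:30} {name}")
```

The header check flags an LNK even when the `.lnk` suffix is padded out of view or replaced with a document extension, since it inspects content rather than trusting the file name.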
## Targeting
**Sectors:** Global shipping and logistics, media and entertainment, technology, automotive, manufacturing, materials, and energy sectors.
**Geography:** Italy, Spain, Taiwan, Thailand, Turkey, U.K., and Japan.
**Victims:** Multiple government entities (latest campaign); unnamed Taiwanese media organization (April 2023).
## Tools & Infrastructure
**Malware families used:** TOUGHPROGRESS, ANTSWORD, BLUEBEAM, DUSTPAN, DUSTTRAP, GC2 (Go-based open-source red teaming tool).
**Infrastructure:**
* Uses Google Calendar for command and control.
* Used password-protected files hosted on Google Drive.
* Used Google Sheets for command delivery (via GC2).
* Malware payload hosted on a compromised government website.
## Implications
APT41 continues to demonstrate innovation in employing legitimate, widely used cloud services (Google Calendar, Google Drive, Google Sheets) for covert C2 and data exfiltration, significantly complicating detection as their traffic blends with normal user activity. Their consistent targeting of critical infrastructure and specific national entities underscores their role as a persistent, financially and politically motivated, nation-state threat actor.
## Mitigations
* Monitor for unusual activity involving Google Calendar and Sheets (reading/writing events, unusual file activity associated with these services).
* Implement strong defenses against spear-phishing, particularly attachments disguised as non-executable documents (e.g., LNK files masquerading as PDFs).
* Employ application allow-listing or sandbox environments for examining suspicious LNK files.
* Monitor for process hollowing activity targeting legitimate system binaries like `svchost.exe`.
* Regularly review and audit the organization's use of legitimate cloud services (such as Google Calendar, Drive, and Sheets) so that abuse of those services by threat actors stands out from expected activity.