TZUTC: -0500   
   MSGID: 1164.consprcy@1:2320/105 2c9efad9   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Chinese hackers use Google Calendar in stealthy new attack   
      
   Date:   
   Thu, 29 May 2025 15:07:00 +0000   
      
   Description:   
   Google Calendar was used as part of the C2 infrastructure, so users should   
   take care.   
      
   FULL STORY   
      
   Chinese state-sponsored hackers known as APT41 have been seen abusing Google   
   Calendar in their newest attacks, using it as part of the C2 infrastructure.    
      
   Googles Threat Intelligence Group (TIG) recently discovered the technique,   
   dismantled the setup, and introduced changes to prevent similar attacks in    
   the future.    
      
   The attack starts from a previously compromised government website - TIG did   
   not explain how the site was compromised, but said it was used to host a .ZIP   
   archive. This archive is then shared, through phishing emails, with potential   
   targets.   
      
   Reading the calendar    
      
   Inside the ZIP are three files: a DLL and executable files posing as JPGs,    
   and a Windows shortcut file (LNK) posing as a PDF document.    
      
   When the victim tries to open the fake PDF, it runs the shortcut which, in   
   turn, activates the DLL.    
      
   This file, in turn, decrypts and launches the third file, which is the   
   malicious payload dubbed ToughProgress.    
      
   The malware then reads additional instructions shared in two specific events   
   in Google Calendar. The commands are found either in the description field,    
   or hidden events.    
      
   To share the results, the malware would create a new zero minute calendar   
   event on May 30, and share the data, encrypted, in the calendar event   
   description.    
      
   Since the malware is never actually installed on the disk, and since the C2   
   communication happens via a legitimate Google service, most security products   
   will have trouble spotting the attack, Google suggests.    
      
   To tackle the threat, TIG developed custom detection signatures to identify   
   and block APT41s malware. It also took down associated Workspace accounts and   
   calendar entries. Furthermore, the team updated file detections and added   
   malicious domains and URLs to the Google Safe Browsing blocklist.    
      
   Google also confirmed that at least a few companies were targeted: In   
   partnership with Mandiant Consulting, GTIG notified the compromised   
   organizations, it said.    
      
   We provided the notified organizations with a sample of TOUGHPROGRESS network   
   traffic logs, and information about the threat actor, to aid with detection   
   and incident response.    
      
   It did not say how many companies were affected.    
      
    Via BleepingComputer   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/chinese-hackers-use-google-calendar-in-   
   stealthy-new-attack   
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428   
   SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200   
   SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426