Dive Brief:
- In October, Google’s Threat Intelligence Group spotted Chinese government hackers from APT41 deploying malware that abused Google Calendar to steal data and execute operations on compromised devices.
- The malware embedded stolen data in calendar events, and the attackers used other calendar events to deploy instructions to the hacked computers.
- Google’s new findings underscore how elite cyber threat groups are getting more creative and how even highly secure cloud platforms are not impervious to these malicious operations.
Dive Insight:
Google discovered a malware variant it dubbed “ToughProgress” that uses Google Calendar as a command-and-control (C2) server, a novel way of establishing a communications link between APT41’s infrastructure and compromised devices that is both reliable and innocuous.
“Once executed, TOUGHPROGRESS creates a zero minute Calendar event at a hardcoded date, 2023-05-30, with data collected from the compromised host being encrypted and written in the Calendar event description,” Google researchers wrote.
“The operator places encrypted commands in Calendar events on 2023-07-30 and 2023-07-31, which are predetermined dates also hardcoded into the malware,” the researchers explained. “TOUGHPROGRESS then begins polling Calendar for these events. When an event is retrieved, the event description is decrypted and the command it contains is executed on the compromised host. Results from the command execution are encrypted and written back to another Calendar event.”
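The pattern described above (zero-minute events on hardcoded dates whose descriptions hold opaque, encrypted data) lends itself to a simple hunting heuristic over exported calendar data. The following is an added example written for this article, not Google's detection logic or the malware's code; it assumes events are shaped like Google Calendar API event resources, and the sample events are constructed.

```python
import base64
import math
from collections import Counter
from datetime import datetime

# Dates the article reports as hardcoded into TOUGHPROGRESS: the exfiltration
# event date and the two dates on which the operator stages commands.
EXFIL_DATE = "2023-05-30"
COMMAND_DATES = {"2023-07-30", "2023-07-31"}
WATCH_DATES = {EXFIL_DATE} | COMMAND_DATES

def shannon_entropy(text: str) -> float:
    """Bits per character; encrypted or base64-encoded blobs score high."""
    if not text:
        return 0.0
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious(event: dict) -> bool:
    """Flag a zero-minute event on a watched date with an opaque description."""
    start = event.get("start", {}).get("dateTime")
    end = event.get("end", {}).get("dateTime")
    if not start or not end:
        return False  # all-day events carry "date" instead; out of scope here
    start_dt, end_dt = datetime.fromisoformat(start), datetime.fromisoformat(end)
    zero_minute = start_dt == end_dt
    on_watch_date = start_dt.date().isoformat() in WATCH_DATES
    desc = event.get("description", "")
    opaque = len(desc) >= 32 and shannon_entropy(desc) > 4.5
    return zero_minute and on_watch_date and opaque

def hunt(events: list) -> list:
    """Return the ids of events matching the heuristic."""
    return [e["id"] for e in events if suspicious(e)]

# Constructed sample (assumption: event dicts mirror the Calendar API shape).
SAMPLE_EVENTS = [
    {"id": "benign-1", "summary": "Team sync", "description": "Weekly status meeting",
     "start": {"dateTime": "2023-05-30T10:00:00+00:00"},
     "end": {"dateTime": "2023-05-30T10:30:00+00:00"}},
    {"id": "benign-2", "summary": "Reminder", "description": "",
     "start": {"dateTime": "2023-07-30T09:00:00+00:00"},
     "end": {"dateTime": "2023-07-30T09:00:00+00:00"}},
    {"id": "suspect-1", "summary": "",
     "description": base64.b64encode(bytes(range(200))).decode(),  # stand-in for ciphertext
     "start": {"dateTime": "2023-05-30T00:00:00+00:00"},
     "end": {"dateTime": "2023-05-30T00:00:00+00:00"}},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # → ['suspect-1']
```

The date match is specific to this sample; the zero-minute-plus-opaque-description check is the part worth keeping as a general signal, since an attacker can change the hardcoded dates far more easily than the mechanism.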
ToughProgress isn’t the first malware strain to exploit cloud services for C2 infrastructure. “Misuse of cloud services for C2 is a technique that many threat actors leverage in order to blend in with legitimate activity,” Google researchers wrote, pointing to similar episodes involving Microsoft, Dropbox and even Instagram.
The continued abuse of legitimate, high-profile cloud services presents a major challenge for security teams, which must monitor not only for suspicious connections (such as visits to malicious websites) but also for nefarious activity occurring over legitimate connections.
The Chinese state-backed group APT41 is one of Beijing’s premier hacking teams. The group has used free services to host its payloads since at least last August, according to Google researchers, who observed the group sending links to these payloads “to hundreds of targets in a variety of geographic locations and industries.” APT41 is particularly fond of Cloudflare Worker web domains, according to the researchers.