APT41, a Chinese state-sponsored threat actor, has targeted government entities using malware that abuses Google Calendar for command-and-control operations. Google disrupted the infrastructure by identifying and taking it down, and by alerting affected organizations about the malicious activity. #APT41 #ToughProgress
Key points
- APT41 targeted government agencies with malware leveraging Google Calendar for command and control.
- The attack involved phishing emails with ZIP archives containing malicious LNK files that trigger malware execution.
- The malware, ToughProgress, uses Calendar events to receive commands and send back execution results through encrypted data.
- Google developed custom detection methods and disrupted APT41’s Calendar-based infrastructure.
- Since August 2024, APT41 has been distributing malware via free web hosting services, targeting hundreds of entities.
Google also used the Safe Browsing blocklist, notified impacted organizations, and shared traffic logs for remediation.
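A defender-side hunting heuristic for the Calendar-based C2 channel described above, added here as an illustration and not code from Google's report or from the malware itself: it scans a Google Calendar API v3 events list for event descriptions that look like encoded or encrypted blobs rather than human text. The sample events are constructed, and the entropy and length thresholds are assumptions, not values from the page.

```python
import base64
import json
import math
from collections import Counter

# Constructed sample shaped like a Google Calendar API v3 events list
# ("items" entries with "id", "summary", "start" and "description").
# The encoded blob in evt2 is constructed filler, not real ToughProgress data.
SAMPLE_EVENTS_JSON = json.dumps({
    "items": [
        {"id": "evt1", "summary": "Team sync", "start": {"dateTime": "2024-08-05T10:00:00Z"},
         "description": "Weekly status meeting, bring the roadmap slides."},
        {"id": "evt2", "summary": "Reminder", "start": {"dateTime": "2024-08-05T11:00:00Z"},
         "description": base64.b64encode(bytes(range(256)) * 2).decode()},
        {"id": "evt3", "summary": "Dentist", "start": {"dateTime": "2024-08-06T09:00:00Z"}},
    ]
})

def shannon_entropy(text: str) -> float:
    """Bits per character: English prose sits near 4; base64/encrypted data is markedly higher."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_base64(text: str) -> bool:
    """True when the whole description (whitespace removed) is a valid base64 string."""
    stripped = "".join(text.split())
    if len(stripped) < 32 or len(stripped) % 4:
        return False
    try:
        base64.b64decode(stripped, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def flag_suspicious_events(events_json: str, entropy_threshold: float = 4.8, min_len: int = 64) -> list:
    """Return ids of events whose description looks like an encoded/encrypted blob, not human text."""
    flagged = []
    for event in json.loads(events_json).get("items", []):
        description = event.get("description", "")
        body = "".join(description.split())
        if len(body) < min_len:  # short notes are skipped; the cutoff is an assumed tuning value
            continue
        if looks_base64(description) or shannon_entropy(body) > entropy_threshold:
            flagged.append(event["id"])
    return flagged
```

Run it against an export of a monitored account's events and triage every flagged id; legitimate calendars rarely carry long base64 or high-entropy descriptions, so hits are worth a look even though the heuristic is not a signature.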