Technologist Mag
  • Home
  • Tech News
  • AI
  • Apps
  • Gadgets
  • Gaming
  • Guides
  • Laptops
  • Mobiles
  • Wearables
  • More
    • Web Stories
    • Trending
    • Press Release

Subscribe to Updates

Get the latest tech news and updates directly to your inbox.

What's On

Moto G96 5G India Launch Date Set for July 9; Colour Options, Key Features Revealed

1 July 2025

Pixel 10 Pro, Pixel 10 Pro XL Full Specifications Leaked; Said to Get Larger Batteries, Faster Charging

1 July 2025

Samsung One UI 8 Watch Beta for Galaxy Watch 7, Watch Ultra Reportedly Rolling Out

1 July 2025

Apple’s iOS 26 Update Won’t Offer Some Features in the EU at Launch: Report

1 July 2025

Samsung Galaxy S25 Series One UI 8 Beta 3 With Bug Fixes Reportedly Live in the UK, Other Markets

1 July 2025
Facebook X (Twitter) Instagram
Facebook X (Twitter) Instagram
Technologist Mag
SUBSCRIBE
  • Home
  • Tech News
  • AI
  • Apps
  • Gadgets
  • Gaming
  • Guides
  • Laptops
  • Mobiles
  • Wearables
  • More
    • Web Stories
    • Trending
    • Press Release
Technologist Mag
Home » Google Shuts Down Malware That Leveraged Google Calendar to Steal Data
Apps

Google Shuts Down Malware That Leveraged Google Calendar to Steal Data

By technologistmag.com30 May 20254 Mins Read
Share
Facebook Twitter Reddit Telegram Pinterest Email

Google Calendar was being used as a communication channel by a group of hackers to extract sensitive information from individuals, according to the Google Threat Intelligence Group (GTIG). The tech giant’s cybersecurity division discovered a compromised government website in October 2024 and found that malware was being spread using it. Once the malware infected a device, it would create a backdoor using Google Calendar and allow the operator to extract data. GTIG has already taken down the calendar accounts and other systems that were being used by the hackers.

Google Calendar Used By China-Linked Hackers for Command and Control (C2) Channel

GTIG detailed the delivery method of the malware, how it functioned, and the measures taken by Google’s team to protect users and its product. The hacker associated with this attack is said to be APT41, also known as HOODOO, a threat group believed to be linked to the Chinese government.

An investigation by GTIG revealed that APT41 used a spear phishing method to deliver malware to targets. Spear phishing is a targeted form of phishing where attackers personalise emails to specific individuals. 

These emails contained a link to a ZIP archive that was hosted on the compromised government website. When an unsuspecting person opened the archive, it showed a shortcut LNK file (.lnk), which was disguised to appear like a PDF, as well as a folder.

Overview of how the malware functioned
Photo Credit: GTIG

 

This folder contained seven JPG images of arthropods (insects, spiders, etc.). GTIG highlighted that the sixth and seventh entries, however, are decoys that actually contain an encrypted payload and a dynamic link library (DLL) file that decrypts the payload. 

When the target clicks the LNK file, it triggers both files. Interestingly, the LNK file also automatically deletes itself and is replaced with a fake PDF, which is shown to the user. This file mentions that the species shown need to be declared for export, likely to mask the hacking attempt and to avoid raising suspicion.

Once the malware has infected a device, it operates in three different stages, where each stage carries out a task in sequence. GTIG highlighted that all three sequences are executed using various stealth techniques to avoid detection. 

The first stage decrypts and runs a DLL file named PLUSDROP directly in memory. The second stage launches a legitimate Windows process and performs process hollowing — a technique used by attackers to run malicious code under the guise of a legitimate process — to inject the final payload.

The final payload, TOUGHPROGRESS, executes malicious tasks on the device and communicates with the attacker via Google Calendar. It uses the cloud-based app as a communication channel via command and control (C2) technique. 

The malware adds a zero-minute calendar event on a hardcoded date (May 30, 2023), which stores encrypted data from the compromised computer in the event’s description field.

It also creates two other events on hardcoded dates (July 30 and 31, 2023), which gives the attacker a backdoor to communicate with the malware. TOUGHPROGRESS regularly scans the calendar for these two events. 

When the attacker sends an encrypted command, it decrypts it and executes the command. Then, it sends back the result by creating another zero-minute event with the encrypted output.

To disrupt the malware campaign, GTIG created custom detection methods that identify and remove APT41’s Google Calendar accounts. The team also shut down the attacker-controlled Google Workspace projects, effectively disabling the infrastructure that was used in the operation. 

Additionally, the tech giant also updated its malware detection systems and blocked the malicious domains and URLs using Google Safe Browsing.

GTIG has also notified affected organisations, and provided them with samples of the malware’s network traffic and details about the threat actor to help with detection, investigation, and response efforts.

Share. Facebook Twitter Pinterest LinkedIn Telegram Reddit Email
Previous ArticleOppo Find N3 – Price in India, Specifications, Comparison (30th May 2025)
Next Article Tecno Spark Go (2023) – Price in India, Specifications, Comparison (30th May 2025)

Related Articles

Facebook Reportedly Asking Users Access to Private Media in Camera Roll for Meta AI Features

30 June 2025

WhatsApp for iOS Said to Be Testing Feature Which Lets You Switch Between Multiple Accounts

30 June 2025

Gmail’s Web Client Gets Manage Subscriptions Page; ‘Mark as Read’ Reportedly Rolling Out to Android Users

30 June 2025

Apple to Expand Swift Language Support to Android; Sets Up Android Working Group

27 June 2025

Canva Launches Deep Research Connector with ChatGPT, Introduces New Open MCP Server

27 June 2025

YouTube Introduces AI-Powered Search Results Carousel, Shows a Snapshot of Suggested Videos

27 June 2025
Stay In Touch
  • Facebook
  • Twitter
  • Pinterest
  • Instagram
  • YouTube
  • Vimeo

Subscribe to Updates

Get the latest tech news and updates directly to your inbox.

Don't Miss

Pixel 10 Pro, Pixel 10 Pro XL Full Specifications Leaked; Said to Get Larger Batteries, Faster Charging

By technologistmag.com1 July 2025

Google’s Pixel 10 series is likely to be unveiled in August. While the launch date…

Samsung One UI 8 Watch Beta for Galaxy Watch 7, Watch Ultra Reportedly Rolling Out

1 July 2025

Apple’s iOS 26 Update Won’t Offer Some Features in the EU at Launch: Report

1 July 2025

Samsung Galaxy S25 Series One UI 8 Beta 3 With Bug Fixes Reportedly Live in the UK, Other Markets

1 July 2025

Apple to Launch a ‘More Affordable’ MacBook With a 13-inch Screen, A18 Pro SoC: Report

1 July 2025
Technologist Mag
Facebook X (Twitter) Instagram Pinterest
  • Privacy
  • Terms
  • Advertise
  • Contact
© 2025 Technologist Mag. All Rights Reserved.

Type above and press Enter to search. Press Esc to cancel.