{
	"id": "3a0cb5a6-69c7-4f30-ba91-d47dcb3a92a4",
	"created_at": "2026-04-06T00:06:59.700799Z",
	"updated_at": "2026-04-10T03:32:20.884255Z",
	"deleted_at": null,
	"sha1_hash": "2db1c14fb7f4026db36e4e45deb28ed35451e013",
	"title": "Mark Your Calendar: APT41 Innovative Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1415235,
	"plain_text": "Mark Your Calendar: APT41 Innovative Tactics\r\nBy Google Threat Intelligence Group\r\nPublished: 2025-05-28 · Archived: 2026-04-05 13:40:53 UTC\r\nWritten by: Patrick Whitsell\r\nGoogle Threat Intelligence Group’s (GTIG) mission is to protect Google’s billions of users and Google’s multitude of products and services. In late October 2024, GTIG discovered an exploited government website hosting malware being used to target multiple other government entities. The exploited site delivered a malware payload, which we have dubbed “TOUGHPROGRESS”, that took advantage of Google Calendar for command and control (C2). Misuse of cloud services for C2 is a technique that many threat actors leverage in order to blend in with legitimate activity.\r\nWe assess with high confidence that this malware is being used by the PRC-based actor APT41 (also tracked as HOODOO). APT41’s targets span the globe, including governments and organizations within the global shipping and logistics, media and entertainment, technology, and automotive sectors.\r\nOverview\r\nIn this blog post we analyze the malware delivery methods and the technical details of the malware attack chain, discuss other recent APT41 activities, and share indicators of compromise (IOCs) to help security practitioners defend against similar attacks. We also detail how GTIG disrupted this campaign using custom detection signatures, shutting down attacker-controlled infrastructure, and adding protections to Safe Browsing.\r\nFigure 1: TOUGHPROGRESS campaign overview\r\nDelivery\r\nAPT41 sent spear-phishing emails containing a link to the ZIP archive hosted on the exploited government website. The archive contains an LNK file, masquerading as a PDF, and a directory. Within this directory we find what looks like seven JPG images of arthropods. 
When the payload is executed via the LNK, the LNK is deleted and replaced with a decoy PDF file that is displayed to the user indicating these species need to be declared for export.\r\n$ unzip -l 出境海關申報清單.zip\r\n Length Date Time Name\r\n--------- ---------- ----- ----\r\n 0 2024-10-23 11:00 image/\r\n 12633 2024-10-23 10:53 image/1.jpg\r\n 10282 2024-10-23 10:54 image/2.jpg\r\n 8288 2024-10-23 10:54 image/3.jpg\r\n 4174 2024-10-23 10:54 image/4.jpg\r\n 181656 2024-10-23 10:54 image/5.jpg\r\n 997111 2024-10-23 11:00 image/6.jpg\r\n 124928 2024-10-23 11:00 image/7.jpg\r\n 88604 2024-10-23 11:03 申報物品清單.pdf.lnk\r\n--------- -------\r\n 1427676 9 files\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics\r\nPage 1 of 7\n\nThe files “6.jpg” and “7.jpg” are fake images. The first file is actually an encrypted payload and is decrypted by the second file, which is a DLL file launched when the target clicks the LNK.\r\nMalware Infection Chain\r\nThis malware has three distinct modules, deployed in series, each with a distinct function. Each module also implements stealth and evasion techniques, including memory-only payloads, encryption, compression, process hollowing, control flow obfuscation, and leveraging Google Calendar for C2.\r\n1. PLUSDROP - DLL to decrypt and execute the next stage in memory.\r\n2. PLUSINJECT - Launches and performs process hollowing on a legitimate “svchost.exe” process, injecting the final payload.\r\n3. TOUGHPROGRESS - Executes actions on the compromised Windows host. Uses Google Calendar for C2.\r\nTOUGHPROGRESS Analysis\r\nTOUGHPROGRESS begins by using a hardcoded 16-byte XOR key to decrypt embedded shellcode stored in the sample’s “.pdata” region. The shellcode then decompresses a DLL in memory using COMPRESSION_FORMAT_LZNT1. This DLL layers multiple obfuscation techniques to obscure the control flow.\r\n1. Register-based Indirect Calls\r\n2. Dynamic Address Arithmetic\r\n3. 
64-bit register overflow\r\n4. Function Dispatch Table\r\nThe register-based indirect call is used after dynamically calculating the address to store in the register. This calculation involves two or more hardcoded values that intentionally overflow the 64-bit register. Here is an example calling CreateThread.\r\nFigure 2: Register-based indirect call with dynamic address arithmetic and 64-bit overflow\r\nWe can reproduce how this works using Python “ctypes” to simulate 64-bit register arithmetic. Adding the two values together overflows the 64-bit address space and the result is the address of the function to be called.\r\nFigure 3: Demonstration of 64-bit address overflow\r\nFigure 4: CreateThread in Dispatch Table\r\nThese obfuscation techniques manifest as a Control Flow Obfuscation tactic. Due to the indirect calls and arithmetic operations, the disassembler cannot accurately recreate a control flow graph.\r\nCalendar C2\r\nTOUGHPROGRESS has the capability to read and write events with an attacker-controlled Google Calendar. Once executed, TOUGHPROGRESS creates a zero-minute Calendar event at a hardcoded date, 2023-05-30, with data collected from the compromised host being encrypted and written in the Calendar event description.\r\nThe operator places encrypted commands in Calendar events on 2023-07-30 and 2023-07-31, which are predetermined dates also hardcoded into the malware. TOUGHPROGRESS then begins polling Calendar for these events. When an event is retrieved, the event description is decrypted and the command it contains is executed on the compromised host. Results from the command execution are encrypted and written back to another Calendar event.\r\nIn collaboration with the Mandiant FLARE team, GTIG reverse engineered the C2 encryption protocol leveraged by TOUGHPROGRESS. 
The malware uses a hardcoded 10-byte XOR key and generates a per-message 4-byte XOR key.\r\n1. Compress message with LZNT1\r\n2. Encrypt the message with a 4-byte XOR key\r\n3. Append the 4-byte key at the end of a message header (10 bytes total)\r\n4. Encrypt the header with the 10-byte XOR key\r\n5. Prepend the encrypted header to the front of the message\r\n6. The combined encrypted header and message is the Calendar event description\r\nFigure 5: TOUGHPROGRESS encryption routine for Calendar Event Descriptions\r\nFigure 6: Example of a Calendar event created by TOUGHPROGRESS\r\nDisrupting Attackers to Protect Google, Our Users, and Our Customers\r\nGTIG’s goal is not just to monitor threats, but to counter and disrupt them. At Google, we aim to protect our users and customers at scale by proactively blocking malware campaigns across our products.\r\nTo disrupt APT41 and TOUGHPROGRESS malware, we have developed custom fingerprints to identify and take down attacker-controlled Calendars. We have also terminated attacker-controlled Workspace projects, effectively dismantling the infrastructure that APT41 relied on for this campaign. Additionally, we updated file detections and added malicious domains and URLs to the Google Safe Browsing blocklist.\r\nIn partnership with Mandiant Consulting, GTIG notified the compromised organizations. We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to aid with detection and incident response.\r\nProtecting Against Ongoing Activity\r\nGTIG has been actively monitoring and protecting against APT41’s attacks using Workspace apps for several years. This threat group is known for their creative malware campaigns, sometimes leveraging Workspace apps. 
\r\nGoogle Cloud’s Office of the CISO published the April 2023 Threat Horizons Report detailing HOODOO’s use of Google Sheets and Google Drive for malware C2.\r\nIn October 2024, Proofpoint published a report attributing the VOLDEMORT malware family to APT41.\r\nThe DUSTTRAP malware family, reported by GTIG and Mandiant in July of 2024, used Public Cloud hosting for C2.\r\nIn each case, GTIG identified and terminated the attacker-controlled Workspace projects and infrastructure APT41 relied on for these campaigns.\r\nFree Web Hosting Infrastructure\r\nSince at least August 2024, we have observed APT41 using free web hosting tools for distributing their malware. This includes VOLDEMORT, DUSTTRAP, TOUGHPROGRESS and likely other payloads as well. Links to these free hosting sites have been sent to hundreds of targets in a variety of geographic locations and industries.\r\nAPT41 has used Cloudflare Worker subdomains the most frequently. However, we have also observed use of InfinityFree and TryCloudflare. The specific subdomains and URLs here have been observed in previous campaigns, but may no longer be in use by APT41.\r\nCloudflare Workers\r\nword[.]msapp[.]workers[.]dev\r\ncloud[.]msapp[.]workers[.]dev\r\nTryCloudflare\r\nterm-restore-satisfied-hence[.]trycloudflare[.]com\r\nways-sms-pmc-shareholders[.]trycloudflare[.]com\r\nInfinityFree\r\nresource[.]infinityfreeapp[.]com\r\npubs[.]infinityfreeapp[.]com\r\nAPT41 has also been observed using URL shorteners in their phishing messages. The shortened URL redirects to their malware hosted on free hosting app subdomains.\r\nhttps[:]//lihi[.]cc/6dekU\r\nhttps[:]//tinyurl[.]com/hycev3y7\r\nhttps[:]//my5353[.]com/nWyTf\r\nhttps[:]//reurl[.]cc/WNr2Xy\r\nAll domains and URLs in this blog post have been added to the Safe Browsing blocklist. 
This enables a warning on site access and prevents users from downloading the malware.\r\nIndicators of Compromise\r\nThe IOCs in this blog post are also available as a collection in Google Threat Intelligence.\r\nHashes\r\nName | SHA256 | MD5\r\n出境海關申報清單.zip | 469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a | 876fb1b0275a653c4210aaf01c2698ec\r\n申報物品清單.pdf.lnk | 3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb | 65da1a9026cf171a5a7779bc5ee45fb1\r\n6.jpg | 50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360 | 1ca609e207edb211c8b9566ef35043b6\r\n7.jpg | 151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7 | 2ec4eeeabb8f6c2970dcbffdcdbd60e3\r\nDomains\r\nword[.]msapp[.]workers[.]dev\r\ncloud[.]msapp[.]workers[.]dev\r\nterm-restore-satisfied-hence[.]trycloudflare[.]com\r\nways-sms-pmc-shareholders[.]trycloudflare[.]com\r\nresource[.]infinityfreeapp[.]com\r\npubs[.]infinityfreeapp[.]com\r\nURL Shortener Links\r\nhttps[:]//lihi[.]cc/6dekU\r\nhttps[:]//lihi[.]cc/v3OyQ\r\nhttps[:]//lihi[.]cc/5nlgd\r\nhttps[:]//lihi[.]cc/edcOv\r\nhttps[:]//lihi[.]cc/4z5sh\r\nhttps[:]//tinyurl[.]com/mr42t4yv\r\nhttps[:]//tinyurl[.]com/hycev3y7\r\nhttps[:]//tinyurl[.]com/mpa2c5wj\r\nhttps[:]//tinyurl[.]com/3wnz46pv\r\nhttps[:]//my5353[.]com/ppOH5\r\nhttps[:]//my5353[.]com/nWyTf\r\nhttps[:]//my5353[.]com/fPUcX\r\nhttps[:]//my5353[.]com/ZwEkm\r\nhttps[:]//my5353[.]com/vEWiT\r\nhttps[:]//reurl[.]cc/WNr2Xy\r\nCalendar\r\n104075625139-l53k83pb6jbbc2qbreo4i5a0vepen41j.apps.googleusercontent.com\r\nhttps[:]//www[.]googleapis[.]com/calendar/v3/calendars/ff57964096cadc1a8733cf566b41c9528c89d30edec86326c723932c1e79ebf0@group.cale\r\nYARA Rules\r\nrule G_Backdoor_TOUGHPROGRESS_LNK_1 {\r\nmeta:\r\nauthor = \"GTIG\"\r\ndate_created = \"2025-04-29\"\r\ndate_modified = \"2025-04-29\"\r\nmd5 = 
\"65da1a9026cf171a5a7779bc5ee45fb1\"\r\nrev = 1\r\nstrings:\r\n$marker = { 4C 00 00 00 }\r\n$str1 = \"rundll32.exe\" ascii wide\r\n$str2 = \".\\\\image\\\\7.jpg,plus\" wide\r\n$str3 = \"%PDF-1\"\r\n$str4 = \"PYL=\"\r\ncondition:\r\n$marker at 0 and all of them\r\n}\r\nrule G_Dropper_PLUSDROP_1 {\r\nmeta:\r\nauthor = \"GTIG\"\r\ndate_created = \"2025-04-29\"\r\ndate_modified = \"2025-04-29\"\r\nmd5 = \"9492022a939d4c727a5fa462590dc0dd\"\r\nrev = 1\r\nstrings:\r\n$decrypt_and_launch_payload = { 48 8B ?? 83 ?? 0F 0F B6 ?? ?? ??\r\n30 04 ?? 48 FF ?? 49 3B ?? 72 ?? 80 [1-5] 00 75 ?? B? 5B 55 D2 56 [0-8] E8\r\n[4-32] 33 ?? 33 ?? FF D? [0-4] FF D? }\r\ncondition:\r\nuint16(0) == 0x5a4d and all of them\r\n}\r\nAdditional YARA Rules\r\nThis is a second dropper used to launch PLUSDROP in another TOUGHPROGRESS campaign.\r\nrule G_Dropper_TOUGHPROGRESS_XML_1 {\r\n meta:\r\n author = \"GTIG\"\r\n description = \"XML lure file used to launch a PLUSDROP dll.\"\r\n md5 = \"dccbb41af2fcf78d56ea3de8f3d1a12c\"\r\n strings:\r\n $str1 = \"System.Convert.FromBase64String\"\r\n $str2 = \"VirtualAlloc\"\r\n $str3 = \".InteropServices.Marshal.Copy\"\r\n $str4 = \".DllImport\"\r\n $str5 = \"kernel32.dll\"\r\n $str6 = \"powrprof.dll\"\r\n $str7 = \".Marshal.GetDelegateForFunctionPointer\"\r\n condition:\r\n uint16(0) != 0x5A4D and all of them and filesize \u003e 500KB and filesize \u003c 5MB\r\n}\r\nPLUSBED is an additional stage observed in other TOUGHPROGRESS campaigns.\r\nrule G_Dropper_PLUSBED_2 {\r\nmeta:\r\nauthor = \"GTIG\"\r\ndate_created = \"2025-04-29\"\r\ndate_modified = \"2025-04-29\"\r\nmd5 = \"39a46d7f1ef9b9a5e40860cd5f646b9d\"\r\nrev = 1\r\nstrings:\r\n$api1 = { BA 54 B8 B9 1A }\r\n$api2 = { BA 78 1F 20 7F }\r\n$api3 = { BA 62 34 89 5E }\r\n$api4 = { BA 65 62 10 4B }\r\n$api5 = { C7 44 24 34 6E 74 64 6C 66 C7 44 24 38 6C 00 FF D0 }\r\ncondition:\r\nuint16(0) != 0x5A4D and all 
of them\r\n}\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics"
	],
	"report_names": [
		"apt41-innovative-tactics"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434019,
	"ts_updated_at": 1775791940,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2db1c14fb7f4026db36e4e45deb28ed35451e013.pdf",
		"text": "https://archive.orkl.eu/2db1c14fb7f4026db36e4e45deb28ed35451e013.txt",
		"img": "https://archive.orkl.eu/2db1c14fb7f4026db36e4e45deb28ed35451e013.jpg"
	}
}