Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 17:27:37 UTC
Home > List all groups > List all tools > List all groups using tool CALENDAR
 Tool: CALENDAR
Names CALENDAR
Category Malware
Type Backdoor
Description
This family of malware uses Google Calendar to retrieve commands and send results. It
retrieves event feeds associated with Google Calendar, where each event contains
commands from the attacker for the malware to perform. Results are posted back to the
event feed. The malware authenticates with Google using the hard coded email address
and passwords. The malware uses the deprecated ClientLogin authentication API from
Google. The malware is registered as a service dll as a persistence mechanism. Artifacts
of this may be found in the registry.
Information
MITRE ATT&CK Last change to this tool card: 22 April 2020
Download this tool card in JSON format
All groups using tool CALENDAR
Changed Name Country Observed
APT groups
 Comment Crew, APT 1 2006-May 2018
1 group listed (1 APT, 0 other, 0 unknown)
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8654f906-6d71-4f2d-af7a-fc5f49e8afc2
Page 1 of 2

Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8654f906-6d71-4f2d-af7a-fc5f49e8afc2
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=8654f906-6d71-4f2d-af7a-fc5f49e8afc2
Page 2 of 2