APT41 Turns Google Calendar Into a Covert C2 Channel With TOUGHPROGRESS Malware
RedSheep Reports | March 23, 2026
Google's Threat Intelligence Group confirmed with high confidence that APT41, a Chinese state-sponsored threat group, weaponized Google Calendar as command-and-control infrastructure to target multiple government entities [4]. The campaign was discovered by Google in late October 2024 but not publicly disclosed until May 2025. It deployed a previously unknown malware strain called TOUGHPROGRESS that hides C2 communications inside calendar event fields, making malicious traffic indistinguishable from normal Google API usage [1]. Google has since terminated the malicious calendars and associated Workspace projects [2], but the technique fits into a broader and accelerating pattern: Chinese threat actors are systematically colonizing trusted cloud services to run espionage operations.
This is not an isolated technique. APT41 has been running parallel campaigns abusing Google Sheets, Google Drive, and Microsoft OneDrive for C2 and data exfiltration [7]. A separate Chinese threat group, UNC2814, compromised 53 victims across 42 countries using Google Sheets API calls for C2 in a campaign Google tracks as GRIDTIDE [5]. The 2026 Cloudflare Threat Report explicitly calls out this trend, noting that the era of brute force entry is fading, replaced by high-trust exploitation of legitimate cloud ecosystems [8].
APT41: The Group Behind the Campaign
APT41, also tracked as Double Dragon, Wicked Panda, and Winnti, operates differently from other Chinese threat actors [2]. The group conducts both state-directed espionage and financially motivated operations, a dual mandate that gives it unusually broad targeting [7]. APT41 is notable for using non-public malware families rather than relying solely on shared Chinese APT tooling [7].
The group's track record stretches back years. In 2023, Google reported APT41's use of Google services for C2 operations [2]. By mid-2024, APT41 was running the DUSTTRAP campaign, targeting organizations in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom using stolen code signing certificates from a South Korean gaming company [7]. That same campaign used PINEGROVE, a command-line tool that exfiltrated stolen data to Microsoft OneDrive [7]. In August 2024, Proofpoint attributed the VOLDEMORT malware campaign to APT41 (tracked by Proofpoint as TA415), which sent over 20,000 messages impersonating tax authorities to more than 70 organizations globally, using Google Sheets for C2 [6].
APT41 has also been using free web hosting services since August 2024 for malware distribution, lowering operational costs while maintaining disposability [1].
The TOUGHPROGRESS Infection Chain
The TOUGHPROGRESS campaign uses a three-stage infection chain: PLUSDROP, PLUSINJECT, and TOUGHPROGRESS [1].
Initial Access and Delivery
Victims received a malicious ZIP archive named 出境海關申報清單.zip ("Export Customs Declaration List"), crafted to target Chinese-speaking government personnel [3]. Inside the archive, an LNK file masqueraded as a PDF document. The archive also contained arthropod images that served as decoy content, a social engineering choice designed to make the file appear benign during casual inspection [3].
Stage 1: PLUSDROP
PLUSDROP is the first-stage DLL loader [1]. It initiates the infection chain by loading the next payload into memory. Disguised payload files named 6.jpg and 7.jpg contain encrypted PE headers, hiding executable content behind innocuous file extensions [1].
Stage 2: PLUSINJECT
PLUSINJECT handles process injection, placing the final payload into a legitimate process to evade endpoint detection [1]. This memory-resident approach is consistent with APT41's broader preference for minimal forensic traces, as seen in the DUSTTRAP framework which also uses memory-only execution [7].
Stage 3: TOUGHPROGRESS and Calendar C2
TOUGHPROGRESS is the final payload and the component that communicates with Google Calendar [1]. The malware creates zero-minute calendar events at a hardcoded date of 2023-05-30, effectively using past dates to avoid showing up in a user's active calendar view [1]. Commands from the operators are placed in calendar events on hardcoded dates 2023-07-30 and 2023-07-31 [1].
The C2 communication works through the Google Calendar API. TOUGHPROGRESS polls specific calendar events, extracts encoded instructions from event fields, executes them, and writes results back to the calendar. The malware encrypts C2 data with a hardcoded 10-byte XOR key and a per-message 4-byte XOR key, and compresses it with LZNT1 [1].
Because all traffic flows as HTTPS requests to googleapis.com, network monitoring tools see standard Google Calendar API calls. There's no anomalous destination IP, no suspicious domain, and no unusual protocol.
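The host-side counterpart to that network blindness is the calendar data itself. As an added example (not code from the page or from Google's report), the following Python triages Google Calendar API event resources for the traits described above: zero-minute events, the hardcoded 2023 dates, events backdated far behind their own creation time, and descriptions that are opaque blobs rather than text. The field names are the Calendar API's own; the sample events, the 180-day backdating threshold and the opaque-text heuristic are constructed assumptions.

```python
"""Triage Google Calendar API event resources for TOUGHPROGRESS-style C2 artefacts.

Added example, not the page's or Google's code. Input is a JSON list of Calendar API
`events` resources (`id`, `created`, `start.dateTime`, `end.dateTime`, `description`
are real API fields); the sample events below are constructed for illustration.
"""
import json
import re
from datetime import datetime, timedelta

# Dates the page reports as hardcoded in TOUGHPROGRESS.
HARDCODED_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}
# Assumed threshold: an event whose start lies this far before its creation time is "backdated".
BACKDATE_THRESHOLD = timedelta(days=180)
# Assumed heuristic: a long run of base64-like characters with no whitespace is not a human note.
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp as emitted by the Calendar API."""
    if value.endswith("Z"):          # fromisoformat() before Python 3.11 rejects a trailing 'Z'
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def analyse_event(event: dict) -> list[str]:
    """Return the anomaly labels raised by one event resource (empty list = nothing unusual)."""
    findings: list[str] = []
    start = (event.get("start") or {}).get("dateTime")
    end = (event.get("end") or {}).get("dateTime")
    if not (start and end):          # all-day events carry `date`, not `dateTime`; not in scope
        return findings
    s, e = parse_ts(start), parse_ts(end)
    if s == e:
        findings.append("zero_duration")
    if s.date().isoformat() in HARDCODED_DATES:
        findings.append("hardcoded_date")
    created = event.get("created")
    if created and parse_ts(created) - s > BACKDATE_THRESHOLD:
        findings.append("backdated")
    description = (event.get("description") or "").strip()
    if OPAQUE_RE.fullmatch(description):
        findings.append("opaque_description")
    return findings


def triage(events_json: str) -> dict[str, list[str]]:
    """Map event id -> findings for every event that raised at least one finding."""
    result: dict[str, list[str]] = {}
    for ev in json.loads(events_json):
        findings = analyse_event(ev)
        if findings:
            result[ev.get("id", "<no-id>")] = findings
    return result


# Constructed sample: one ordinary meeting and one event shaped like the artefacts the page
# describes (zero-minute, on a hardcoded date, created over a year after its start, description
# is an opaque blob). The blob is base64 of "ABCDEFGHIJKLMNOPQRSTUVWXYZ", not a real payload.
SAMPLE_EVENTS = json.dumps([
    {
        "id": "evt-legit-001",
        "summary": "Weekly sync",
        "created": "2024-11-01T09:00:00Z",
        "start": {"dateTime": "2024-11-04T10:00:00+01:00"},
        "end": {"dateTime": "2024-11-04T11:00:00+01:00"},
        "description": "Agenda: roadmap review",
    },
    {
        "id": "evt-suspect-002",
        "summary": "",
        "created": "2024-11-02T03:14:07Z",
        "start": {"dateTime": "2023-07-30T00:00:00Z"},
        "end": {"dateTime": "2023-07-30T00:00:00Z"},
        "description": "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
    },
])

if __name__ == "__main__":
    for event_id, findings in triage(SAMPLE_EVENTS).items():
        print(f"{event_id}: {', '.join(findings)}")
```

The same function can be pointed at an `events.list` response body or at exported audit data; only the JSON loading differs.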
The Broader Cloud C2 Ecosystem
APT41's Google Calendar abuse is one node in a much larger pattern of Chinese threat actors embedding C2 inside trusted SaaS platforms.
GRIDTIDE and UNC2814: Google tracks UNC2814 as a separate Chinese threat actor, active since 2017, responsible for the GRIDTIDE campaign that impacted 53 victims in 42 countries across four continents [5]. GRIDTIDE malware uses the Google Sheets API for C2 and encrypts configuration data with AES-128 CBC [5]. Google noted no overlap between UNC2814 and Salt Typhoon activity [5].
VOLDEMORT and TA415: The VOLDEMORT backdoor, written in C, also uses Google Sheets for C2 [6]. Proofpoint attributed this campaign to TA415 (their designation for APT41), which began on August 5, 2024 [6].
DUSTTRAP: APT41's multi-stage plugin framework uses AES-128-CFB encryption and was paired with DUSTPAN (a dropper for BEACON backdoor) and PINEGROVE (for OneDrive exfiltration) [7].
The Cloudflare 2026 Threat Report confirms this as a macro-level trend, identifying attackers using Google Drive, Microsoft Teams, and Amazon S3 to mask C2 traffic [8]. Salt Typhoon, another Chinese threat group, has been targeting North American telecommunications through similar high-trust exploitation methods [8].
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| URL | https://www.googleapis.com/calendar/v3/calendars/[calendar_id]@group.calendar.google.com/events | Example Calendar API endpoint format used by TOUGHPROGRESS (structure verified, specific calendar ID not confirmed) | [1] |
| Filename | 6.jpg | Disguised payload file containing encrypted PE headers | [1] |
| Filename | 7.jpg | Disguised payload file in infection chain | [1] |
| Filename | 出境海關申報清單.zip | Malicious ZIP archive used for initial delivery | [3] |
| Malware | TOUGHPROGRESS | Main C2 implant using Google Calendar | [1] |
| Malware | PLUSDROP | First-stage DLL loader | [1] |
| Malware | PLUSINJECT | Second-stage process injection component | [1] |
| Malware | GRIDTIDE | Backdoor using Google Sheets API for C2 (UNC2814) | [5] |
| Malware | VOLDEMORT | Custom C backdoor using Google Sheets for C2 | [6] |
| Malware | DUSTTRAP | Multi-stage plugin framework with AES-128-CFB | [7] |
| Malware | DUSTPAN | Dropper for BEACON backdoor | [7] |
| Malware | PINEGROVE | Command-line uploader for OneDrive exfiltration | [7] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1102 | Web Service | TOUGHPROGRESS uses Google Calendar API for C2 [1]; GRIDTIDE uses Google Sheets API [5] |
| T1102.002 | Bidirectional Communication | Commands sent and results returned via calendar events [1] |
| T1059 | Command and Scripting Interpreter | Encoded commands extracted from calendar events and executed [1] |
| T1055 | Process Injection | PLUSINJECT injects TOUGHPROGRESS into legitimate processes [1] |
| T1027 | Obfuscated Files or Information | 10-byte and 4-byte XOR encryption keys and LZNT1 compression on C2 data [1]; payload files disguised as .jpg [1] |
| T1036 | Masquerading | LNK file masqueraded as PDF [3]; payload files named as images [1] |
| T1567 | Exfiltration Over Web Service | PINEGROVE exfiltrates to OneDrive [7] |
| T1553.002 | Code Signing | DUSTTRAP signed with stolen certificates from South Korean gaming company [7] |
Detection and Hunting
Google Calendar API Monitoring: The core detection challenge is that TOUGHPROGRESS traffic is legitimate HTTPS to Google's API endpoints. Organizations that don't use Google Workspace should flag any Calendar API traffic as suspicious by default. Organizations that do use Google Workspace should baseline Calendar API call patterns per user and alert on anomalies.
Specific indicators to hunt for:
- Calendar events created on past dates: TOUGHPROGRESS creates events on hardcoded dates in 2023 [1]. Calendar events consistently created months or years in the past, especially from service accounts or endpoints not associated with human users, warrant investigation.
- Zero-duration events: The malware creates zero-minute events [1]. While some legitimate calendar integrations do this, a sudden appearance of zero-minute events on historical dates from a specific endpoint is abnormal.
- LNK files in ZIP archives: The delivery mechanism uses a ZIP containing an LNK file disguised as a PDF [3]. Email gateways and endpoint detection should flag LNK files inside compressed archives, especially those with Chinese-language filenames.
- DLL sideloading and .jpg payloads: Look for processes loading files named `6.jpg` or `7.jpg` as executable content [1]. Any image file extension being loaded as a PE or DLL is a strong signal.
- LZNT1 compression in network streams: While encrypted, the use of LZNT1 compression is somewhat distinctive [1]. Memory forensics on suspected compromised hosts should look for LZNT1-compressed buffers associated with Google API traffic.
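The file-based indicators in the list above (an LNK dressed as a PDF inside a ZIP, Chinese-language member names, and a ".jpg" that is really a PE image) can be checked statically at a mail gateway or in a sandbox triage step. The following Python is an added example, not code from the page or from Google; it builds a harmless look-alike archive in memory, so every member name and byte string here is constructed, and the double-extension test (`.pdf.lnk`) is one heuristic among several an analyst would apply.

```python
"""Static checks for the TOUGHPROGRESS delivery traits described on the page.

Added example, not the page's or Google's code. The archive and all member contents
are constructed in memory; nothing is executed, only magic bytes and names are read.
"""
import io
import re
import zipfile

LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"  # ShellLinkHeader: HeaderSize 0x4C + start of LinkCLSID
PE_MAGIC = b"MZ"                                  # DOS header every PE file starts with
JPEG_MAGIC = b"\xff\xd8\xff"                      # SOI marker of a real JPEG
CJK_RE = re.compile(r"[\u4e00-\u9fff]")           # CJK Unified Ideographs (Chinese-language names)
IMAGE_EXTS = (".jpg", ".jpeg")


def classify_member(name: str, head: bytes) -> list[str]:
    """Return anomaly labels for one archive member given its name and first bytes."""
    lower = name.lower()
    findings: list[str] = []
    if lower.endswith(".lnk"):
        findings.append("lnk_member")
        if ".pdf" in lower[:-4]:                  # e.g. report.pdf.lnk: shortcut dressed as a PDF
            findings.append("lnk_masquerading_as_pdf")
    elif head.startswith(LNK_MAGIC):              # shortcut content hiding behind another extension
        findings.append("lnk_content_wrong_extension")
    if lower.endswith(IMAGE_EXTS) and head.startswith(PE_MAGIC):
        findings.append("pe_disguised_as_image")  # the 6.jpg / 7.jpg pattern
    if CJK_RE.search(name):
        findings.append("cjk_filename")
    return findings


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map member name -> findings for every member that raised at least one finding."""
    result: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)                # magic bytes are enough; never run the content
            findings = classify_member(info.filename, head)
            if findings:
                result[info.filename] = findings
    return result


def verdict(findings: dict[str, list[str]]) -> str:
    """Gateway decision: block on any shortcut member or PE-as-image, otherwise allow."""
    blocking = {"lnk_member", "lnk_content_wrong_extension", "pe_disguised_as_image"}
    for labels in findings.values():
        if blocking.intersection(labels):
            return "block"
    return "allow"


def build_sample_archive() -> bytes:
    """Constructed look-alike of the described delivery: a Chinese-named .pdf.lnk, a harmless
    decoy JPEG (the 'arthropod image' role) and a PE whose name claims it is an image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("出境海關申報清單.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
        zf.writestr("IMG_0001.jpg", JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32)
        zf.writestr("6.jpg", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_zip(build_sample_archive())
    for member, labels in report.items():
        print(f"{member}: {', '.join(labels)}")
    print("verdict:", verdict(report))
```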
SIEM/EDR Queries:
- Hunt for `googleapis.com/calendar/v3` in proxy or DNS logs from endpoints that don't normally interact with Google Calendar.
- Monitor for processes making repeated HTTP calls to Google APIs at fixed intervals (beacon behavior).
- Alert on compressed or encrypted LNK files delivered via email with Chinese-language filenames.
Analysis
APT41's shift toward cloud-native C2 reflects a calculated response to improvements in network detection. Traditional C2 infrastructure (dedicated servers, dynamic DNS, custom protocols) leaves artifacts that modern NDR platforms catch reliably. Google Calendar API calls leave almost none.
The three-stage infection chain (PLUSDROP, PLUSINJECT, TOUGHPROGRESS) demonstrates operational maturity. Each component has a single responsibility, which limits exposure during incident response: compromising one stage doesn't necessarily reveal the others.
APT41 running multiple parallel campaigns (TOUGHPROGRESS, VOLDEMORT, DUSTTRAP) with different C2 backends (Google Calendar, Google Sheets, Microsoft OneDrive) indicates the group treats cloud service abuse as a core operational capability, not an experiment. The existence of UNC2814's GRIDTIDE campaign, using the same Google Sheets C2 concept but tracked as a separate actor impacting 53 victims in 42 countries [5], suggests this tradecraft is spreading across Chinese cyber operations more broadly.
Google's decision to terminate the malicious calendars and Workspace projects [2] demonstrates that cloud provider intervention can disrupt these operations. But the ease with which new Google accounts and calendars can be created limits the long-term effectiveness of takedowns.
Red Sheep Assessment
Confidence: High (based on Google's own high-confidence attribution [4] and corroborating research from Proofpoint [6] and Mandiant [7])
The sources collectively point to something Google and other reporters haven't stated explicitly: APT41 is building a modular, cloud-diversified C2 architecture designed to survive the loss of any single channel. Google Calendar, Google Sheets, and Microsoft OneDrive aren't alternative approaches. They're redundant lanes in a single operational framework. The group's simultaneous use of free web hosting for distribution [1] and stolen code signing certificates for trust [7] shows systematic investment in abusing legitimate infrastructure at every stage of the kill chain.
The involvement of UNC2814 as a separate actor using nearly identical techniques [5] has two plausible interpretations. First, Chinese cyber operations may be sharing tradecraft through internal tooling repositories, similar to how NSA tools proliferated through Equation Group. Second, UNC2814 could be a sub-unit or contractor working under the same umbrella as APT41, with organizational separation providing operational security.
A contrarian reading: the reliance on hardcoded dates (2023-05-30, 2023-07-30, 2023-07-31) in TOUGHPROGRESS [1] is operationally brittle. Calendar-based C2 sounds elegant, but fixed date parameters mean defenders who identify one sample can predict exactly where to look for C2 content. This suggests TOUGHPROGRESS may be a first-generation capability, with more flexible variants likely already in development or deployment.
Defenders should operate under the assumption that any Google Workspace or Microsoft 365 API can be repurposed as a C2 channel. The specific service (Calendar, Sheets, Drive, OneDrive, Teams) is irrelevant. The underlying technique is API-mediated bidirectional communication through trusted SaaS endpoints, and this technique will become more prevalent.
Defender's Checklist
- [ ] Audit Google API traffic at the proxy level. Filter for `googleapis.com/calendar/v3` requests originating from non-Workspace environments or from endpoints without legitimate Calendar usage. Query: `dest_host=".googleapis.com" uri_path="/calendar/v3/"` correlated against known Workspace user populations.
- [ ] Hunt for LNK-in-ZIP delivery. Deploy or update email gateway rules to flag ZIP archives containing LNK files, particularly those with Chinese-language filenames matching patterns like `出境海關申報清單.zip` [3].
- [ ] Detect image-extension payload loading. Create EDR detection rules for processes loading `.jpg` files as executable content. Specifically hunt for `6.jpg` and `7.jpg` being loaded as DLLs or PE files [1].
- [ ] Baseline and monitor Calendar event creation patterns. For Google Workspace organizations, alert on calendar events created on dates far in the past (especially the 2023 hardcoded dates), zero-minute events, or events created by service accounts with no prior Calendar activity [1].
- [ ] Review SaaS API access controls. Restrict Google Calendar API and Google Sheets API access to approved OAuth applications. Revoke API tokens for unused or unknown applications. This limits the ability of malware to authenticate to Google services from compromised endpoints.
References
- [1] Mark Your Calendar: APT41 Innovative Tactics
- [2] Chinese APT41 Exploits Google Calendar for Malware Command-and-Control Operations
- [3] APT41 Uses Google Calendar Events for C2
- [4] Chinese hackers used Google Calendar to aid attacks on government entities
- [5] Disrupting the GRIDTIDE Global Cyber Espionage Campaign
- [6] New Voldemort Malware Espionage Campaign
- [7] APT41 Has Arisen From the DUST
- [8] Introducing the 2026 Cloudflare Threat Report
---
Hunt Guide: Hunt Report: APT41 TOUGHPROGRESS Google Calendar C2
Hypothesis: If APT41's TOUGHPROGRESS malware is active in our environment, we expect to observe Google Calendar API calls to create zero-minute events on historical dates, LNK-in-ZIP email attachments with Chinese filenames, and processes loading image files (.jpg) as executables in Sysmon, proxy, and email gateway logs.
Intelligence Summary: APT41 weaponized Google Calendar as command-and-control infrastructure using TOUGHPROGRESS malware that creates zero-minute calendar events on hardcoded historical dates (2023-05-30, 2023-07-30, 2023-07-31) to hide C2 communications in legitimate Google API traffic. The three-stage infection chain (PLUSDROP, PLUSINJECT, TOUGHPROGRESS) begins with LNK files in ZIP archives using Chinese-language filenames and loads disguised payload files named 6.jpg and 7.jpg.
Confidence: High | Priority: Critical
Scope
- Networks: All enterprise networks with focus on government entities and users with access to sensitive data. Prioritize non-Google Workspace environments where ANY googleapis.com traffic is suspicious.
- Timeframe: Initial sweep: 90 days retroactive to catch hardcoded dates. Ongoing: Real-time detection with 24-hour aggregation windows for behavioral analysis.
- Priority Systems: Government workstations, executive endpoints, systems with access to export control data, any endpoint making Google API calls without Workspace licensing
MITRE ATT&CK Techniques
T1102.002 — Web Service - Bidirectional Communication (Command and Control) [P1]
TOUGHPROGRESS uses Google Calendar API to create zero-minute events on hardcoded historical dates for C2 communication, polling specific calendar events and writing results back
Splunk SPL:
(index=proxy OR index=dns) dest="*.googleapis.com" uri_path="/calendar/v3/*" | stats count by src_ip, dest, uri_path, user_agent | where count > 10 | eval suspicious=if(match(uri_path, "(2023-05-30|2023-07-30|2023-07-31)"), "High", "Medium")
Elastic KQL:
destination.domain:"googleapis.com" AND url.path:"/calendar/v3/*" AND (url.path:*2023-05-30* OR url.path:*2023-07-30* OR url.path:*2023-07-31*)
Sigma Rule:
```yaml
title: APT41 TOUGHPROGRESS Google Calendar C2
id: a7b2f3e4-8c9d-4e5f-b6a7-9c8d7e6f5a4b
status: experimental
logsource:
    category: proxy
detection:
    # Both selections must match: a Calendar API URI that also carries one of the hardcoded dates.
    # A single list under c-uri|contains would be an OR and fire on any URI mentioning a date.
    selection_api:
        c-uri|contains: 'googleapis.com/calendar/v3'
    selection_dates:
        c-uri|contains:
            - '2023-05-30'
            - '2023-07-30'
            - '2023-07-31'
    condition: selection_api and selection_dates
falsepositives:
    - Legitimate calendar applications accessing historical dates
level: high
```
Focus on endpoints without Google Workspace licenses. Baseline normal Calendar API usage patterns per user. Alert on fixed-interval beaconing to Calendar API endpoints.
T1055 — Process Injection (Defense Evasion) [P1]
PLUSINJECT component injects TOUGHPROGRESS payload into legitimate processes for memory-resident execution
Splunk SPL:
index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=8 | rename SourceProcessId as ProcessId | join type=inner ProcessId [search index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 (Image="*\\6.jpg" OR Image="*\\7.jpg" OR CommandLine="*6.jpg*" OR CommandLine="*7.jpg*") | fields ProcessId, Image, CommandLine] | table _time, SourceImage, TargetImage, TargetProcessId
Elastic KQL:
event.code:8 AND (process.executable:*\\6.jpg OR process.executable:*\\7.jpg OR process.command_line:*6.jpg* OR process.command_line:*7.jpg*)
Sigma Rule:
```yaml
title: TOUGHPROGRESS Process Injection from Image Files
id: b8c3d4e5-9f0a-5f6b-c7b8-0d9e8f7g6b5c
status: experimental
logsource:
    product: windows
    service: sysmon
detection:
    # Sysmon EventID 8 (CreateRemoteThread) whose source image carries an image-file name.
    selection_event:
        EventID: 8
    selection_source:
        SourceImage|endswith:
            - '\6.jpg'
            - '\7.jpg'
    condition: selection_event and selection_source
level: critical
```
Monitor for CreateRemoteThread events where source process loaded .jpg files. Cross-reference with network connections to Google APIs.
T1036.005 — Match Legitimate Name or Location (Defense Evasion) [P2]
Payload files disguised as images (6.jpg, 7.jpg) contain encrypted PE headers; LNK files masquerade as PDFs in ZIP archives
Splunk SPL:
index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (EventCode=1 OR EventCode=7) (ImageLoaded="*\\6.jpg" OR ImageLoaded="*\\7.jpg" OR Image="*\\6.jpg" OR Image="*\\7.jpg") | eval suspicious=if(match(ImageLoaded, "\.(jpg|jpeg)$") AND NOT match(ImageLoaded, "(photo|image|picture)"), 1, 0) | where suspicious=1
Elastic KQL:
(event.code:1 OR event.code:7) AND (process.executable:*\\6.jpg OR process.executable:*\\7.jpg OR file.path:*\\6.jpg OR file.path:*\\7.jpg)
Alert on any .jpg file being loaded as an executable or DLL. Legitimate image viewers will show different load patterns.
T1027 — Obfuscated Files or Information (Defense Evasion) [P3]
TOUGHPROGRESS uses 10-byte XOR key, per-message 4-byte XOR key, and LZNT1 compression for C2 data; payloads hidden in fake image files
Splunk SPL:
index=edr process_name=* | eval hex_pattern=if(match(process_commandline, "[0-9a-fA-F]{20,}"), 1, 0) | where hex_pattern=1 | join type=inner host [search index=proxy dest="*googleapis.com*"] | table _time, host, process_name, process_commandline
Elastic KQL:
process.command_line:/[0-9a-fA-F]{20,}/ AND destination.domain:googleapis.com
Look for LZNT1 compression signatures in memory dumps associated with processes making Google API calls. XOR patterns may be visible in network captures.
T1566.001 — Spearphishing Attachment (Initial Access) [P1]
Malicious ZIP archive '出境海關申報清單.zip' containing LNK file masquerading as PDF with arthropod decoy images
Splunk SPL:
index=email sourcetype=exchange (attachment_name="*.zip" AND (file_name="*出境海關申報清單*" OR file_name="*Export Customs Declaration List*")) | eval has_lnk=if(match(attachment_content, "\.lnk"), 1, 0) | where has_lnk=1 | table _time, sender, recipient, subject, attachment_name
Elastic KQL:
email.attachments.file.name:*.zip AND (email.attachments.file.name:*出境海關申報清單* OR email.attachments.file.name:*Export*Customs*Declaration*List*)
Chinese language filenames in ZIP archives are high-risk. Any LNK file in a ZIP should trigger immediate analysis.
T1567.002 — Exfiltration to Cloud Storage (Exfiltration) [P2]
PINEGROVE tool exfiltrates data to Microsoft OneDrive; parallel campaigns use Google Drive for data theft
Splunk SPL:
index=proxy (dest="*onedrive.live.com*" OR dest="*sharepoint.com*" OR dest="*drive.google.com*") http_method=POST bytes_out>1000000 | bucket span=1h _time | stats sum(bytes_out) as total_bytes by _time, src_ip, dest | where total_bytes>10000000
Elastic KQL:
(destination.domain:onedrive.live.com OR destination.domain:sharepoint.com OR destination.domain:drive.google.com) AND http.request.method:POST AND http.request.bytes:[1000000 TO *]
Baseline normal OneDrive/Drive usage. Alert on unusual upload volumes or patterns, especially from service accounts or servers.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| url | https://www.googleapis.com/calendar/v3/calendars/[calendar_id]@group.calendar.google.com/events | Example Calendar API endpoint format used by TOUGHPROGRESS (structure verified, specific calendar ID not confirmed) |
| filename | 6.jpg | Disguised payload file containing encrypted PE headers used by TOUGHPROGRESS |
| filename | 7.jpg | Disguised payload file in TOUGHPROGRESS infection chain |
| filename | 出境海關申報清單.zip | Malicious ZIP archive used for initial delivery targeting Chinese-speaking government personnel |
IOC Sweep Queries (Splunk):
index=proxy dest="www.googleapis.com" uri_path="/calendar/v3/calendars/*@group.calendar.google.com/events" | stats count by src_ip, dest, uri_path | sort -count
index=* (filename="6.jpg" OR file_name="6.jpg" OR Image="*\\6.jpg" OR ImageLoaded="*\\6.jpg" OR process_name="6.jpg") | dedup host | table _time, host, user, file_path, process_name
index=* (filename="7.jpg" OR file_name="7.jpg" OR Image="*\\7.jpg" OR ImageLoaded="*\\7.jpg" OR process_name="7.jpg") | dedup host | table _time, host, user, file_path, process_name
index=* (filename="出境海關申報清單.zip" OR file_name="出境海關申報清單.zip" OR attachment_name="出境海關申報清單.zip") | table _time, host, user, file_path, sender, recipient
YARA Rules
APT41_TOUGHPROGRESS_Payload_JPG — Detects disguised PE files masquerading as JPG images (6.jpg, 7.jpg) with encrypted headers
```yara
rule APT41_TOUGHPROGRESS_Payload_JPG {
    meta:
        description = "Detects APT41 TOUGHPROGRESS disguised payloads 6.jpg and 7.jpg"
        author = "Threat Hunt Team"
        date = "2026-03-23"
        reference = "Google Threat Intelligence Group"
    strings:
        $filename1 = "6.jpg" ascii wide nocase
        $filename2 = "7.jpg" ascii wide nocase
        // MZ followed within 8 bytes by a PE signature after an arbitrary short prefix
        $pe_header_encrypted = {?? ?? ?? ?? [4-32] 4D 5A [0-8] 50 45 00 00}
        // The original $xor_pattern ({[4-10] (31|32|33|34|35) [4-10]}) was dropped: YARA hex
        // strings cannot begin or end with a jump, and a single ASCII digit matches any file.
    condition:
        ($filename1 or $filename2) and $pe_header_encrypted
}
```
APT41_TOUGHPROGRESS_LNK_Launcher — Detects LNK files with Chinese language names used in TOUGHPROGRESS delivery
```yara
rule APT41_TOUGHPROGRESS_LNK_Launcher {
    meta:
        description = "Detects TOUGHPROGRESS LNK launchers with Chinese filenames"
        author = "Threat Hunt Team"
        date = "2026-03-23"
    strings:
        $lnk_header = {4C 00 00 00 01 14 02 00}   // ShellLinkHeader: HeaderSize 0x4C + start of LinkCLSID
        // Each name is matched as UTF-8 or UTF-16LE; string data inside an LNK is normally UTF-16LE
        $chinese1 = {(E5 87 BA E5 A2 83 | FA 51 83 58)} // 出境
        $chinese2 = {(E6 B5 B7 E9 97 9C | 77 6D DC 95)} // 海關
        $chinese3 = {(E7 94 B3 E5 A0 B1 | 33 75 31 58)} // 申報
        $chinese4 = {(E6 B8 85 E5 96 AE | 05 6E AE 55)} // 清單
        $zip_ref = ".zip" ascii wide
    condition:
        $lnk_header at 0 and 2 of ($chinese*) and $zip_ref
}
```
Suricata Rules
SID 2026001 — Detects TOUGHPROGRESS Google Calendar C2 with hardcoded dates
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT41 TOUGHPROGRESS Calendar C2 Hardcoded Date"; flow:established,to_server; content:"GET"; http_method; content:"/calendar/v3/"; http_uri; content:"2023-05-30"; http_uri; reference:url,cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics; classtype:trojan-activity; sid:2026001; rev:1;)
SID 2026002 — Detects TOUGHPROGRESS Google Calendar C2 command polling dates
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT41 TOUGHPROGRESS Calendar C2 Command Date"; flow:established,to_server; content:"GET"; http_method; content:"/calendar/v3/"; http_uri; content:"2023-07-3"; http_uri; pcre:"/2023-07-3[01]/"; reference:url,cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics; classtype:trojan-activity; sid:2026002; rev:1;)
SID 2026003 — Detects potential Google Calendar API abuse for C2
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Google Calendar API Zero-Minute Event Creation"; flow:established,to_server; content:"POST"; http_method; content:"/calendar/v3/calendars/"; http_uri; content:"@group.calendar.google.com/events"; http_uri; content:"start"; http_client_body; content:"end"; http_client_body; content:"dateTime"; http_client_body; pcre:"/start.{0,50}dateTime.{0,20}end.{0,50}dateTime/"; threshold:type both,track by_src,count 10,seconds 300; classtype:policy-violation; sid:2026003; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Proxy Logs | T1102.002, T1567.002 | Must capture full URLs including parameters. SSL/TLS inspection required to see googleapis.com paths. |
| Sysmon | T1055, T1036.005, T1027 | EventID 1 (Process Create), EventID 7 (Image Load), EventID 8 (CreateRemoteThread), EventID 10 (Process Access) required |
| Windows Security | T1055 | Event ID 4688 (Process Creation) with command line auditing enabled |
| Email Gateway | T1566.001 | Must log attachment names, types, and ideally perform ZIP content inspection for LNK detection |
| DNS Logs | T1102.002 | Resolution of googleapis.com, onedrive.live.com, sharepoint.com domains |
| Memory Forensics | T1027 | Optional but valuable for detecting LZNT1 compression and XOR key patterns in process memory |