Home
Apps
Apps News
Google Shuts Down Malware That Leveraged Google Calendar to Steal Data

Google Shuts Down Malware That Leveraged Google Calendar to Steal Data

China-linked hackers used Google Calendar as a command and control (C2) channel to steal data from infected devices.

Written by Akash Dutta, Edited by David Delima | Updated: 30 May 2025 13:12 IST

Facebook

Tweet LinkedIn Reddit Email Comment

Google News

Google Shuts Down Malware That Leveraged Google Calendar to Steal Data

Photo Credit: Unsplash/appshunter.io

Google disabled hacker-controlled Calendar accounts used to extract sensitive user data

Highlights

The malware was delivered from a compromised government website
Malware was hidden in a decoy PDF file, payloads inside fake JPG files
Google has informed affected organisations and shared samples of malware

Google Calendar was being used as a communication channel by a group of hackers to extract sensitive information from individuals, according to the Google Threat Intelligence Group (GTIG). The tech giant's cybersecurity division discovered a compromised government website in October 2024 and found that malware was being spread using it. Once the malware infected a device, it would create a backdoor using Google Calendar and allow the operator to extract data. GTIG has already taken down the calendar accounts and other systems that were being used by the hackers.

Google Calendar Used By China-Linked Hackers for Command and Control (C2) Channel

GTIG detailed the delivery method of the malware, how it functioned, and the measures taken by Google's team to protect users and its product. The hacker associated with this attack is said to be APT41, also known as HOODOO, a threat group believed to be linked to the Chinese government.

An investigation by GTIG revealed that APT41 used a spear phishing method to deliver malware to targets. Spear phishing is a targeted form of phishing where attackers personalise emails to specific individuals.

OpenAI’s o3 Model Said to Refuse to Shut Down Despite Being Instructed

These emails contained a link to a ZIP archive that was hosted on the compromised government website. When an unsuspecting person opened the archive, it showed a shortcut LNK file (.lnk), which was disguised to appear like a PDF, as well as a folder.

Overview of how the malware functioned
Photo Credit: GTIG

This folder contained seven JPG images of arthropods (insects, spiders, etc.). GTIG highlighted that the sixth and seventh entries, however, are decoys that actually contain an encrypted payload and a dynamic link library (DLL) file that decrypts the payload.

Airtel Said to Have Approached Jio, Vi for Joint Initiative Against Fraud

When the target clicks the LNK file, it triggers both files. Interestingly, the LNK file also automatically deletes itself and is replaced with a fake PDF, which is shown to the user. This file mentions that the species shown need to be declared for export, likely to mask the hacking attempt and to avoid raising suspicion.

Once the malware has infected a device, it operates in three different stages, where each stage carries out a task in sequence. GTIG highlighted that all three sequences are executed using various stealth techniques to avoid detection.

The first stage decrypts and runs a DLL file named PLUSDROP directly in memory. The second stage launches a legitimate Windows process and performs process hollowing — a technique used by attackers to run malicious code under the guise of a legitimate process — to inject the final payload.

Researcher Uses OpenAI’s o3 to Spot Zero-Day Flaw in Linux Kernel’s SMB

The final payload, TOUGHPROGRESS, executes malicious tasks on the device and communicates with the attacker via Google Calendar. It uses the cloud-based app as a communication channel via command and control (C2) technique.

The malware adds a zero-minute calendar event on a hardcoded date (May 30, 2023), which stores encrypted data from the compromised computer in the event's description field.

It also creates two other events on hardcoded dates (July 30 and 31, 2023), which gives the attacker a backdoor to communicate with the malware. TOUGHPROGRESS regularly scans the calendar for these two events.

When the attacker sends an encrypted command, it decrypts it and executes the command. Then, it sends back the result by creating another zero-minute event with the encrypted output.

To disrupt the malware campaign, GTIG created custom detection methods that identify and remove APT41's Google Calendar accounts. The team also shut down the attacker-controlled Google Workspace projects, effectively disabling the infrastructure that was used in the operation.

Additionally, the tech giant also updated its malware detection systems and blocked the malicious domains and URLs using Google Safe Browsing.

GTIG has also notified affected organisations, and provided them with samples of the malware's network traffic and details about the threat actor to help with detection, investigation, and response efforts.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Google Calendar, Google, Cybersecurity, Hacking

Akash Dutta Email Akash Dutta

Akash Dutta is a Senior Sub Editor at Gadgets 360. He is particularly interested in the social impact of technological developments and loves reading about emerging fields such as AI, metaverse, and fediverse. In hi... more »