{
  "name": "APT 41: Threat Intelligence Report and Malware Analysis",
  "slug": "apt-41-threat-intelligence-report-and-malware-analysis",
  "description": "APT41, a sophisticated Chinese state-sponsored threat actor, blends cyber espionage with cybercrime tactics. It targets various sectors globally, including healthcare, telecommunications, and government entities. Recently, APT41 was observed using Google Calendar for malware command-and-control in activity involving a Taiwanese government website. Its attack chain involves spear-phishing emails, malicious ZIP archives, and a three-module malware system called ToughProgress. This malware uses stealthy techniques such as in-memory execution, encryption, and process hollowing to evade detection. The distinctive aspect of ToughProgress is its use of Google Calendar events for covert data exchange, creating a covert communication channel for remote command execution and data exfiltration.",
  "published": "2025-06-10T08:52:57+00:00",
  "created_at": "2025-06-10T08:52:57+00:00",
  "modified_at": "2025-06-10T09:13:04+00:00",
  "created_at_opencti": "2025-06-10T08:52:57+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-06-10",
    "china",
    "cyberespionage",
    "google calendar",
    "plusdrop",
    "plusinject",
    "spear-phishing",
    "state-sponsored"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "word.msapp.workers.dev"
      },
      {
        "id": "",
        "name": "pubs.infinityfreeapp.com"
      },
      {
        "id": "",
        "name": "cloud.msapp.workers.dev"
      },
      {
        "id": "",
        "name": "term-restore-satisfied-hence.trycloudflare.com"
      },
      {
        "id": "",
        "name": "ways-sms-pmc-shareholders.trycloudflare.com"
      },
      {
        "id": "",
        "name": "resource.infinityfreeapp.com"
      },
      {
        "id": "",
        "name": "50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360"
      },
      {
        "id": "",
        "name": "469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a"
      },
      {
        "id": "",
        "name": "3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb"
      },
      {
        "id": "",
        "name": "151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:b297286ba1f25c3e",
        "name": "PLUSINJECT",
        "slug": "plusinject"
      },
      {
        "id": "legacy:malware:693bc69ff1198eb7",
        "name": "PLUSDROP",
        "slug": "plusdrop"
      },
      {
        "id": "legacy:malware:77347b7d63cb6693",
        "name": "ToughProgress",
        "slug": "toughprogress"
      }
    ],
    "intrusion_sets": [
      {
        "id": "47a3ab5a-7c6b-47eb-9c37-70969136bcca",
        "name": "APT41",
        "slug": "apt41"
      }
    ],
    "attack_patterns": [
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "436e795b-553f-444e-b837-65818d8f539f",
        "name": "T1119"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "64cdebc9-0fb4-48f2-bf4f-b87f3741f664",
        "name": "T1068"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Taiwan"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": []
}