Mark Your Calendar: APT41 Innovative Tactics

216.73.216.226

Mark Your Calendar: APT41 Innovative Tactics

· Published 28/05/2025 20:28 · Modified 28/05/2025 20:41

Essential information

Published: 28/05/2025 20:28
Modified: 28/05/2025 20:41
Tags: 2025-05-28 apt41 dusttrap google calendar plusdrop plusnject toughprogress voldemort
Related entities: 6 observables, 1 intrusion sets (apt), 5 techniques (mitre), 5 malware, 4 others

Description

In late October 2024, a government website was discovered hosting malware targeting multiple government entities. The malware, dubbed TOUGHPROGRESS, utilized Google Calendar for command and control. Attributed to APT41, a PRC-based actor, the campaign targeted global organizations in various sectors. The malware infection chain involved three modules: PLUSDROP, PLUSINJECT, and TOUGHPROGRESS, employing stealth and evasion techniques. TOUGHPROGRESS used encrypted Calendar events for communication. Google Threat Intelligence Group disrupted the campaign by developing custom fingerprints, terminating attacker-controlled infrastructure, and updating Safe Browsing. APT41 has been observed using free web hosting tools and URL shorteners for malware distribution since August 2024. The blog post provides indicators of compromise and YARA rules to aid in detection and defense against similar attacks.

External references

https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics