Chinese Hacking Group Uses Google Calendar in Spy Campaign, Google Reveals

A Chinese state-backed hacking group has been caught using Google Calendar in a clever new cyber-espionage campaign targeting government organizations, according to a report from Google.

The group behind the attack is known as APT41 — also called Brass Typhoon, Wicked Panda, or RedGolf — and has a long history of cyberattacks on foreign governments and industries like technology, media, logistics, and automobiles.

Google discovered the campaign in late October. It started with spearphishing emails sent to targeted individuals. These emails contained a link to a fake ZIP file hosted on a hacked government website. Inside the file was a PDF and a folder full of insect images meant to trick people into clicking. Once opened, a hidden malware — named ToughProgress by researchers — was installed on the victim’s device.

This malware is especially dangerous because it runs only in the device’s memory, which makes it harder to detect. ToughProgress delivered three separate payloads, each designed to operate secretly.

What stood out most to researchers was the malware’s use of Google Calendar for communication. Once a system was infected, the malware would create a calendar event dated May 30, 2023, and hide stolen, encrypted data in the event’s description.

Later, on specific dates in July, the attackers added new calendar events that contained secret instructions for the malware. The infected device would check the calendar, read the instructions, carry them out, and upload the results into more calendar entries — all under the radar.

By using a trusted service like Google Calendar, the hackers were able to blend in with regular internet traffic, making it harder for security systems to spot the attack.
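A defender-side view of the pattern described above, as an added example (not code from Google's report or from the article): it triages constructed calendar events for the two signals the article gives, an opaque encrypted blob stored in an event description and the May 30, 2023 anchor date. The event shape follows the Google Calendar API event resource (summary, description, start); the sample values, regex and entropy threshold are assumptions.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample events shaped like Google Calendar API event resources
# (summary / description / start). Values are synthetic, not campaign data.
SAMPLE_EVENTS = [
    {"summary": "Team sync", "start": {"dateTime": "2023-07-03T10:00:00Z"},
     "description": "Weekly status meeting, bring the Q3 roadmap."},
    {"summary": "Untitled", "start": {"date": "2023-05-30"},
     "description": base64.b64encode(bytes(range(256))).decode()},
    {"summary": "Reminder", "start": {"date": "2023-07-17"},
     "description": base64.b64encode(bytes(range(64, 256))).decode()},
]

ANCHOR_DATE = "2023-05-30"   # date the article gives for the first exfil event
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")   # long bare base64 blob
ENTROPY_THRESHOLD = 5.0      # bits/char; English prose sits near 4.0-4.5 (assumed)

def shannon_entropy(text: str) -> float:
    """Bits per character of the string's symbol distribution."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def event_start(ev: dict) -> str:
    """Normalise start to YYYY-MM-DD for all-day (date) or timed (dateTime) events."""
    start = ev.get("start", {})
    return (start.get("date") or start.get("dateTime", ""))[:10]

def suspicious_reasons(ev: dict) -> list:
    """Explain why an event looks like a covert data or tasking container."""
    reasons = []
    desc = ev.get("description", "")
    # Encrypted payloads show up as long, space-free, high-entropy text.
    if BLOB_RE.match(desc) and shannon_entropy(desc) > ENTROPY_THRESHOLD:
        reasons.append("opaque high-entropy description")
    if event_start(ev) == ANCHOR_DATE:
        reasons.append("starts on known anchor date")
    return reasons

def triage(events: list) -> list:
    """(summary, date, reasons) for every event that trips at least one check."""
    return [(ev.get("summary"), event_start(ev), r)
            for ev in events if (r := suspicious_reasons(ev))]
```

Run `triage(SAMPLE_EVENTS)` over events pulled from an audited calendar; the benign meeting passes, while both blob-bearing events are reported with their reasons.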

APT41 has a notorious reputation and was charged by the U.S. government in 2020 for hacking over 100 organizations around the world. The FBI has issued arrest warrants for five members of the group, including Zhang Haoran and Tan Dailin, for cybercrimes involving espionage, ransomware, and software supply chain attacks.

The group has also been tied to long-term spying on Southeast Asian government offices and, more recently, a breach at a Taiwanese research institute involved in sensitive technologies.

Google has not said how many victims were affected in this latest campaign, but warns that abuse of trusted services like Google Calendar could become a growing trend in cyberattacks.
