Google uncovers malware campaign by China-linked hackers using Calendar events in a sophisticated cyberattack

In a concerning revelation, Google’s Threat Intelligence Group (GTIG) has uncovered that a group of hackers linked to China used Google Calendar as a command-and-control channel in a campaign to steal sensitive information from individuals. The group, known as APT41 or HOODOO, is believed to have ties to the Chinese government.

According to GTIG, the attack began with a spear phishing campaign. This method involves sending carefully crafted emails to specific targets. These emails included a link to a ZIP file hosted on a compromised government website. Once the victim opened the ZIP file, they would find a shortcut file disguised as a PDF and a folder with several images of insects and spiders.

However, two of these image files were fake and actually contained malicious software. When the victim clicked the shortcut, it triggered the malware and even replaced itself with a fake PDF that appeared to be about species export regulations, likely to avoid suspicion.
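The lure archive described above has two tells a defender can check for before anyone clicks: a shortcut file carrying a document name (a `.pdf` name ending in `.lnk`) and "image" files whose contents are not images. The following added example, which is not code from the article or from Google, builds a constructed, inert stand-in for such an archive and triages it by comparing each member's extension with its leading bytes. The file names, the inert byte contents and the set of recognised formats are assumptions made for the example.

```python
import io
import zipfile

# Leading bytes for the image formats the check recognises (assumed list; extend as needed).
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
LNK_MAGIC = b"\x4c\x00\x00\x00"      # Windows shell link header (HeaderSize = 0x4C)
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure archive: inert filler bytes only, no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A shortcut named like a PDF, so a file browser shows a document-looking entry.
        zf.writestr("Species_Export_Regulations.pdf.lnk", LNK_MAGIC + b"\x00" * 72)
        zf.writestr("images/beetle.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)   # real JPEG header
        zf.writestr("images/spider.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 56)  # real PNG header
        zf.writestr("images/moth.jpg", b"MZ" + b"\x00" * 62)                   # PE header under an image name
        zf.writestr("images/wasp.png", b"\x00" * 64)                           # no recognised image header
    return buf.getvalue()


def triage_archive(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for archive entries that deserve analyst attention."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(8)          # only the leading bytes are needed for a magic check
            stem, dot, ext = name.lower().rpartition(".")
            ext = "." + ext if dot else ""
            # Shortcut files: flag by extension or by header, and note a disguised document name.
            if ext == ".lnk" or head.startswith(LNK_MAGIC):
                if stem.endswith(DOC_EXTENSIONS):   # inner extension, e.g. "x.pdf" + ".lnk"
                    findings.append((name, "shortcut disguised as a document"))
                else:
                    findings.append((name, "shortcut file in archive"))
                continue
            # Image names whose bytes do not start like the claimed format.
            if ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
                findings.append((name, "image extension but non-image content"))
    return findings


if __name__ == "__main__":
    for member, reason in triage_archive(build_sample_zip()):
        print(f"{member}: {reason}")
```

The check is deliberately cheap: it reads eight bytes per member and never executes or parses anything, so it can sit in a mail gateway or a sandbox pre-filter. A header mismatch does not prove a file is malicious, but in an archive that also contains a disguised shortcut it is exactly the combination this campaign relied on.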

The malware worked in three stages. First, it decrypted and ran a file named PLUSDROP in the computer’s memory. Then, it used a legitimate, well-known Windows process to run its harmful code without drawing attention. In the final stage, a program called TOUGHPROGRESS carried out commands and stole data.

What made this attack unusual was the use of Google Calendar as a communication tool. The malware created short, zero-minute events on specific dates. These events included encrypted data or instructions hidden in their description field. The malware regularly checked these calendar events for new commands from the hacker. After completing a task, it would create another event with the stolen information.
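Because the channel here is a legitimate SaaS service, network-level blocking is of little use; the observable signal is in the calendar data itself. The added example below, which is not code from the article or from Google, shows one defender-side heuristic: over events shaped like Google Calendar API resources, flag zero-minute events whose description reads like an encoded blob rather than prose. The sample events, the "encrypted" payloads (seeded random bytes, base64-encoded), and the length and entropy thresholds are all constructed assumptions for the example; the exact encoding the real malware used is not stated on this page.

```python
import base64
import math
import random
import re
from collections import Counter
from datetime import datetime

# Heuristic thresholds: assumptions chosen for this example, to be tuned on real tenant data.
MIN_PAYLOAD_LEN = 64
ENTROPY_THRESHOLD = 5.0      # bits per character; English prose sits around 4.0-4.5
B64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def _fake_encrypted_blob(n_bytes: int, seed: int) -> str:
    """Constructed stand-in for an encrypted payload: seeded random bytes, base64-encoded."""
    rng = random.Random(seed)
    return base64.b64encode(bytes(rng.randrange(256) for _ in range(n_bytes))).decode()


# Constructed sample events in the shape of Google Calendar API event resources
# (only the fields this heuristic reads are included).
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "",
     "start": {"dateTime": "2025-05-30T10:00:00+00:00"},
     "end": {"dateTime": "2025-05-30T10:00:00+00:00"},
     "description": _fake_encrypted_blob(256, seed=1)},       # zero-minute, blob: suspicious
    {"id": "evt-2", "summary": "Team sync",
     "start": {"dateTime": "2025-05-30T11:00:00+00:00"},
     "end": {"dateTime": "2025-05-30T11:30:00+00:00"},
     "description": "Weekly status, bring your blockers."},   # normal meeting
    {"id": "evt-3", "summary": "Reminder",
     "start": {"dateTime": "2025-05-31T09:00:00+00:00"},
     "end": {"dateTime": "2025-05-31T09:00:00+00:00"},
     "description": "Submit expense report before noon."},    # zero-minute but short prose
    {"id": "evt-4", "summary": "Planning notes",
     "start": {"dateTime": "2025-06-01T09:00:00+00:00"},
     "end": {"dateTime": "2025-06-01T09:00:00+00:00"},
     "description": ("Quarterly planning checkpoint. Agenda: review the roadmap, review the "
                     "budget, review the hiring plan, then confirm owners for each item.")},
    {"id": "evt-5", "summary": "",
     "start": {"dateTime": "2025-06-02T09:00:00+00:00"},
     "end": {"dateTime": "2025-06-02T09:00:00+00:00"},
     "description": _fake_encrypted_blob(96, seed=2)},        # zero-minute, blob: suspicious
]


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_zero_minute(event: dict) -> bool:
    """True when start and end coincide; all-day events carry 'date' instead and are skipped."""
    start = event.get("start", {}).get("dateTime")
    end = event.get("end", {}).get("dateTime")
    if not start or not end:
        return False
    return datetime.fromisoformat(start) == datetime.fromisoformat(end)


def looks_like_payload(text: str) -> bool:
    """Long, base64-shaped or high-entropy text is treated as an encoded blob, not prose."""
    if len(text) < MIN_PAYLOAD_LEN:
        return False
    b64_shaped = B64_SHAPE.fullmatch(text) is not None and len(text) % 4 == 0
    return b64_shaped or shannon_entropy(text) >= ENTROPY_THRESHOLD


def flag_suspicious_events(events: list[dict]) -> list[str]:
    """IDs of zero-minute events whose description looks like an encoded payload."""
    return [e["id"] for e in events
            if is_zero_minute(e) and looks_like_payload(e.get("description", ""))]


if __name__ == "__main__":
    print(flag_suspicious_events(SAMPLE_EVENTS))
```

In practice the event list would come from a calendar export or an audit of the accounts an organisation controls; the attacker-owned accounts in this campaign were Google's to shut down, so the defender's view is of invitations and shared events landing in their own tenant. The two signals are combined on purpose: zero-minute events alone are common reminders, and long descriptions alone are common meeting notes, but the pair with no human-readable text is rare enough to be worth an analyst's look.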

Google said the campaign was discovered in October 2024 after it found malware spreading from a compromised government website. The tech company has since shut down the calendar accounts used by the hackers and removed other parts of their online infrastructure.

To stop similar attacks in the future, Google has improved its malware detection systems and blocked the harmful websites involved. It also alerted organisations that may have been affected and shared technical details to help them respond and protect themselves.
