
APT41 Abuses Google Calendar to Deploy ToughProgress Malware – Active IOCs

Severity

High

Analysis Summary

APT41, a Chinese state-sponsored hacking group, has been observed using a new malware family tracked as 'ToughProgress' that uses Google Calendar as its command-and-control (C2) channel. Because the C2 traffic goes to a legitimate cloud service, it blends in with ordinary Workspace use and is harder to spot. The campaign was uncovered by Google's threat intelligence researchers, who have since dismantled the attacker-controlled Google Calendar and Workspace accounts and added safeguards to prevent further abuse.

The attack chain begins with a phishing email linking to a ZIP archive hosted on a compromised government website. Inside the archive are a malicious Windows LNK shortcut disguised as a PDF, an encrypted payload disguised as a JPG image, and a DLL also named as an image. When the target opens the LNK, it launches the DLL ('PlusDrop'), which decrypts the payload ('PlusInject') and runs it entirely in memory. PlusInject then hollows a legitimate svchost.exe process and injects the final stage, ToughProgress, into it.
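Endpoint-side checks for the stages just described, added here as an illustration and not code from Rewterz or Google. It runs three heuristics over constructed Sysmon-style events: a shortcut whose name pretends to be a document, a PE module loaded from a path with a picture extension, and an svchost.exe that was not started by services.exe with a -k service group (what a hollowed copy started by the injector looks like). The rundll32 launch, the file names and the host are assumptions, since the advisory does not say how the LNK invokes the DLL.

```python
"""Triage of Sysmon-style events for the LNK -> DLL-as-image -> hollowed svchost.exe chain.
Added example, not Rewterz/Google code. All events below are constructed."""
import json
import re
from pathlib import PureWindowsPath

# Picture extensions the advisory says the payload and DLL were disguised with.
PICTURE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# A shortcut named like a document, e.g. "Brief.pdf.lnk" (PDF disguise from the advisory).
DOC_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.IGNORECASE)

# Constructed events (NOT real telemetry). Fields follow Sysmon ProcessCreate (1),
# ImageLoad (7) and FileCreate (11). The rundll32 launch is an ASSUMPTION: the advisory
# only says the LNK launches the DLL, not how.
SAMPLE_EVENTS = r"""
{"id": 11, "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\alice\\Downloads\\Brief\\Brief.pdf.lnk"}
{"id": 11, "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\alice\\Downloads\\Brief\\cover.jpg"}
{"id": 1, "image": "C:\\Windows\\System32\\rundll32.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "rundll32.exe C:\\Users\\alice\\Downloads\\Brief\\cover.jpg"}
{"id": 7, "image": "C:\\Windows\\System32\\rundll32.exe", "loaded": "C:\\Users\\alice\\Downloads\\Brief\\cover.jpg"}
{"id": 1, "image": "C:\\Windows\\System32\\svchost.exe", "parent": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "C:\\Windows\\System32\\svchost.exe"}
{"id": 1, "image": "C:\\Windows\\System32\\svchost.exe", "parent": "C:\\Windows\\System32\\services.exe", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"}
{"id": 7, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "loaded": "C:\\Program Files\\Google\\Chrome\\Application\\chrome_elf.dll"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _name(path):
    return PureWindowsPath(path).name.lower()


def _ext(path):
    return PureWindowsPath(path).suffix.lower()


def triage(events):
    """Return one finding per suspicious event, naming the rule and the evidence."""
    findings = []
    for ev in events:
        if ev["id"] == 11 and DOC_LNK.search(ev["target"]):
            findings.append({"rule": "lnk_masquerading_as_document", "evidence": ev["target"]})
        elif ev["id"] == 7 and _ext(ev["loaded"]) in PICTURE_EXTS:
            # The loader only maps PE images, so a ".jpg" that gets loaded is a DLL in disguise.
            findings.append({"rule": "pe_loaded_from_picture_path",
                             "evidence": f'{_name(ev["image"])} loaded {ev["loaded"]}'})
        elif ev["id"] == 1 and _name(ev["image"]) == "svchost.exe":
            reasons = []
            if _name(ev["parent"]) != "services.exe":
                reasons.append(f'parent is {_name(ev["parent"])}, not services.exe')
            if "-k" not in ev["cmdline"].split():
                reasons.append("no -k service group on the command line")
            if reasons:
                findings.append({"rule": "svchost_hollowing_candidate", "evidence": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(f'{f["rule"]:32} {f["evidence"]}')
```

The third rule will also fire on the rare legitimate svchost.exe launch that does not come from services.exe, so keep an allowlist of known exceptions per build rather than suppressing the rule; the first two rules have essentially no benign matches and can alert directly.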

ToughProgress connects to a hardcoded Google Calendar endpoint and polls for commands that the operators place in the description field of hidden calendar events. After running a command it creates new calendar events carrying the results, so the operators can issue follow-up tasking dynamically. Because the whole C2 channel rides on a legitimate Google service and the implant runs only in memory, nothing is written to disk for signature-based antivirus to scan, and traditional tools struggle to detect the activity.
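A network-side hunt for the Calendar channel above, added here as an example and not code from the original advisory or from Google. It works on constructed proxy/EDR records and applies two checks a defender can actually make: Calendar API requests from a process that is not a known Calendar client, and request series whose spacing is nearly constant (an implant polling a fixed calendar on a timer, which a person in a browser does not produce). The Calendar API host and path prefix are Google's public ones; the calendar id 'primary', the host name and the five-minute interval are assumptions.

```python
"""Hunt for implant-style Google Calendar API use in proxy/EDR logs.
Added example, not Rewterz/Google code. The log lines are constructed."""
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# The Calendar API is served from https://www.googleapis.com/calendar/v3/ and the web
# client from calendar.google.com. www.googleapis.com also fronts many other Google
# APIs, so the path, not just the host, is what identifies Calendar traffic.
CALENDAR_HOSTS = {"www.googleapis.com", "calendar.google.com"}
CALENDAR_PATH = "/calendar/v3/"
# Processes expected to reach Calendar on a workstation; tune per environment.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed records (NOT real telemetry): one workstation, one user in a browser,
# a hollowed svchost.exe polling every ~5 minutes, and one benign svchost.exe request.
SAMPLE_LOG = """
{"ts": "2025-05-28T09:00:00Z", "host": "WS-1042", "process": "chrome.exe", "dst": "www.googleapis.com", "path": "/calendar/v3/users/me/calendarList"}
{"ts": "2025-05-28T09:00:05Z", "host": "WS-1042", "process": "svchost.exe", "dst": "www.googleapis.com", "path": "/calendar/v3/calendars/primary/events"}
{"ts": "2025-05-28T09:05:05Z", "host": "WS-1042", "process": "svchost.exe", "dst": "www.googleapis.com", "path": "/calendar/v3/calendars/primary/events"}
{"ts": "2025-05-28T09:07:41Z", "host": "WS-1042", "process": "svchost.exe", "dst": "ctldl.windowsupdate.com", "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab"}
{"ts": "2025-05-28T09:10:06Z", "host": "WS-1042", "process": "svchost.exe", "dst": "www.googleapis.com", "path": "/calendar/v3/calendars/primary/events"}
{"ts": "2025-05-28T09:15:04Z", "host": "WS-1042", "process": "svchost.exe", "dst": "www.googleapis.com", "path": "/calendar/v3/calendars/primary/events"}
{"ts": "2025-05-28T09:20:05Z", "host": "WS-1042", "process": "svchost.exe", "dst": "www.googleapis.com", "path": "/calendar/v3/calendars/primary/events"}
{"ts": "2025-05-28T09:31:12Z", "host": "WS-1042", "process": "chrome.exe", "dst": "www.googleapis.com", "path": "/calendar/v3/calendars/primary/events"}
"""


def parse_log(text):
    """One JSON record per line; timestamps become timezone-aware datetimes."""
    recs = []
    for line in text.strip().splitlines():
        r = json.loads(line)
        r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        recs.append(r)
    return recs


def is_calendar_api(r):
    return r["dst"] in CALENDAR_HOSTS and r["path"].startswith(CALENDAR_PATH)


def unexpected_calendar_clients(recs):
    """(host, process) pairs that used the Calendar API but are not known Calendar clients."""
    seen = []
    for r in recs:
        key = (r["host"], r["process"].lower())
        if is_calendar_api(r) and key[1] not in EXPECTED_CLIENTS and key not in seen:
            seen.append(key)
    return seen


def beacon_candidates(recs, min_hits=4, max_jitter=0.05):
    """Flag (host, process, dst) series whose gaps are almost constant (low jitter)."""
    series = defaultdict(list)
    for r in recs:
        series[(r["host"], r["process"].lower(), r["dst"])].append(r["ts"])
    out = []
    for (host, proc, dst), stamps in series.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            out.append({"host": host, "process": proc, "dst": dst,
                        "hits": len(stamps), "interval_s": mean(gaps)})
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unexpected Calendar clients:", unexpected_calendar_clients(recs))
    print("beacon candidates:", beacon_candidates(recs))
```

If the proxy does not decrypt TLS, the path is invisible and only the host, the originating process and the timing remain, which is why the beacon check is kept separate from the path check. Legitimate sync agents (a Workspace connector for Outlook, for instance) also hit the API from a non-browser process, so add them to EXPECTED_CLIENTS rather than lowering the thresholds.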

This is not the first time APT41 has abused Google services; a 2023 campaign used Google Sheets and Google Drive in a similar way. In response, Google terminated all associated accounts and added the related malicious sites to its Safe Browsing blocklists. The affected organizations have not been named publicly, but Google has notified them directly and shared malware samples and logs to support their incident response.

Impact

  • Command Execution
  • Unauthorized Access

Indicators of Compromise

Domain Name

  • resource.infinityfreeapp.com

  • pubs.infinityfreeapp.com

MD5

  • 876fb1b0275a653c4210aaf01c2698ec

  • 65da1a9026cf171a5a7779bc5ee45fb1

  • 2ec4eeeabb8f6c2970dcbffdcdbd60e3

SHA-256

  • 469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a

  • 3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb

  • 151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7

SHA1

  • a04cff8208769ecdc43e14291273c3a540199d07

  • a6a29946269107b9fd3bcd85386ef9d7438b7ae1

  • e7ad8d1d670757eba247d4992af54a9003e35a7d

URL

  • https://lihi.cc/6dekU
  • https://lihi.cc/v3OyQ
  • https://lihi.cc/5nlgd
  • https://lihi.cc/edcOv
  • https://lihi.cc/4z5sh
  • https://tinyurl.com/mr42t4yv
  • https://tinyurl.com/hycev3y7
  • https://tinyurl.com/mpa2c5wj
  • https://tinyurl.com/3wnz46pv
  • https://my5353.com/ppOH5
  • https://my5353.com/nWyTf
  • https://my5353.com/fPUcX
  • https://my5353.com/ZwEkm
  • https://my5353.com/vEWiT
  • https://reurl.cc/WNr2Xy

Remediation

  • Block the domains, URLs and file hashes listed above at the proxy, mail gateway and endpoint, and search historical logs for past contact with them.
  • Log and monitor access to Google Calendar API endpoints (www.googleapis.com/calendar/v3/ and calendar.google.com) at the proxy, and alert on requests that do not come from a browser or a sanctioned Workspace client, or that recur at fixed intervals.
  • Deploy an endpoint detection and response (EDR) solution that can see in-memory threats and process injection, including process hollowing of system binaries such as svchost.exe.
  • Educate users on recognizing phishing emails and discourage opening ZIP archives or clicking links from unknown senders, including shortened links of the kind used in this campaign.
  • Restrict execution of Windows LNK files delivered by email or inside archives, and alert on shortcuts that launch DLLs or PowerShell.
  • Apply strict network segmentation and least-privilege principles to limit the spread and impact of an infection.
  • Enable application allowlisting and block loading of DLLs from user-writable directories or from files with non-executable extensions (for example a DLL named as a .jpg).
  • Keep antivirus and anti-malware tools up to date, with heuristics for memory-resident threats and obfuscated payloads.
  • Regularly audit cloud application usage and enforce policies that detect misuse of trusted platforms such as Google Workspace.
  • Conduct regular security awareness training and phishing simulations to strengthen defenses against social engineering.
  • Maintain secure, tested backups to ensure resilience against data loss or follow-on activity.
  • Use behavioral monitoring to detect anomalies such as process hollowing, an svchost.exe not started by services.exe, or a PE image loaded from a file with a picture extension.
  • Collaborate with threat intelligence providers and cloud service vendors to stay informed of emerging abuse tactics.
  • Review and restrict scripts or automation that interact with calendar APIs, and alert on calendar API use by unexpected service accounts or hosts.
  • Implement a cloud access security broker (CASB) for visibility and control over cloud service usage.