Dangerous Calendar: A New Tool for Phishing Attacks

Did you know that a regular calendar can be used as a tool in a hacker attack? Google researchers discovered that the Chinese hacker group APT41 (also known as HOODOO) used Google Calendar to deliver commands to infected devices.
In October 2024, Google’s Threat Intelligence Group (GTIG) uncovered a phishing campaign in which a compromised government website was spreading ZIP archives containing hidden files. These files launched the malware known as TOUGHPROGRESS, which, once installed, would read specially crafted events in Google Calendar. The event descriptions contained encrypted instructions - this is how the hackers controlled the attacks.
Together with experts from Mandiant FLARE, Google was able to decrypt the code and identify patterns in such events. After that:
- related Google Workspace projects were blocked,
- affected organizations were notified,
- and additional security measures were implemented.
APT41 has been active since 2012, primarily targeting the healthcare, telecommunications, and technology sectors. The group has carried out attacks in over 14 countries and has used dozens of different malicious tools.
This case shows that even everyday workplace tools, such as calendars, can be used in cyberattacks. That’s why it’s crucial for companies to focus on:
- monitoring suspicious calendar activity,
- updating security systems,
- and educating employees on cybersecurity hygiene.
Cybersecurity is not optional - it’s a necessary condition for stable business operations.
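
One way to approach the calendar monitoring mentioned above, as an added example that is not from the original article or from Google's tooling: a heuristic that flags event descriptions that look like encoded blobs rather than prose. The sample events, the thresholds, and the assumption that encrypted instructions show up as a dense, whitespace-free string are all constructed for illustration.

```python
import base64
import hashlib
import math
from collections import Counter

# Assumed thresholds (not from the article); tune them against your own calendar data.
MIN_LENGTH = 40         # ignore short descriptions such as a single meeting link
MIN_ENTROPY = 4.5       # bits per character; base64 text approaches 6
MAX_SPACE_RATIO = 0.05  # ordinary prose contains far more whitespace than this


def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts = Counter(text)
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def is_suspicious(description):
    """True when a description looks like an encoded blob rather than prose."""
    text = (description or "").strip()
    if len(text) < MIN_LENGTH:
        return False
    space_ratio = sum(ch.isspace() for ch in text) / len(text)
    return space_ratio <= MAX_SPACE_RATIO and shannon_entropy(text) >= MIN_ENTROPY


def flag_events(events):
    """Return the ids of events whose description trips the heuristic."""
    return [e["id"] for e in events if is_suspicious(e.get("description"))]


# Constructed stand-in for an encrypted payload: base64 of 128 hash-derived bytes.
_BLOB = base64.b64encode(
    hashlib.sha512(b"constructed-1").digest() + hashlib.sha512(b"constructed-2").digest()
).decode()

# Constructed events, already exported from the calendar (no API call is made here).
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Planning",
     "description": "Quarterly planning sync. Agenda: budget review, hiring update, "
                    "roadmap for next release."},
    {"id": "evt-2", "summary": "1:1", "description": "https://meet.example.com/abc-defg-hij"},
    {"id": "evt-3", "summary": "Sync", "description": _BLOB},
    {"id": "evt-4", "summary": "Lunch", "description": None},
]

if __name__ == "__main__":
    print(flag_events(SAMPLE_EVENTS))
```

A hit is a lead for review rather than proof of compromise, since legitimate integrations also write encoded tokens into event descriptions.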