Verticals Targeted: Government
Regions Targeted: Not specified
Related Families: VOLDEMORT, DUSTTRAP
Executive Summary
Wicked Panda, a Chinese state-sponsored threat actor, deployed the TOUGHPROGRESS malware against government entities, abusing Google Calendar as a covert command-and-control (C2) channel. The campaign underscores the group's continued misuse of trusted cloud services to evade detection and maintain access to compromised networks.
Key Takeaways
- Wicked Panda utilized Google Calendar events to disguise malicious commands and exfiltrate data, blending with legitimate traffic.
- The TOUGHPROGRESS malware operates entirely in memory, employing encryption and process hollowing for evasion.
- Spear-phishing emails delivered a malicious LNK file disguised as a PDF, initiating a multi-stage infection chain.
TOUGHPROGRESS Malware
Google’s Threat Intelligence Group (GTIG) uncovered a sophisticated campaign by Wicked Panda, a prolific Chinese state-sponsored threat actor, targeting government entities with the novel TOUGHPROGRESS malware. This operation, characterized by its innovative use of Google Calendar for command-and-control (C2), exemplifies Wicked Panda’s ability to exploit trusted cloud services to mask malicious activities.
The attack began with spear-phishing emails containing links to a ZIP archive hosted on a compromised government-affiliated website. The archive contained image files presented as arthropod photos alongside a Windows shortcut (LNK) file named to look like a PDF; because Windows Explorer never displays the .lnk extension, the lure appears to the victim as an ordinary document. Executing the LNK file caused it to delete itself and drop a decoy PDF in its place while the multi-stage infection chain started. The first stage, PLUSDROP, a dynamic-link library (DLL), decrypted and launched the next stage in memory, leaving minimal traces on disk. This led to the deployment of TOUGHPROGRESS, which received commands and exfiltrated data through encrypted Google Calendar events, riding on the platform's legitimate traffic to evade detection.
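One place to catch this lure is at the mail gateway or sandbox, before the archive reaches a user. The script below is an added example (not code from the original report or from PolySwarm) that triages a ZIP for Windows shortcut files by content and by name: it checks the first eight bytes of each member against the fixed Shell Link header and flags shortcuts that borrow a document extension such as "Report.pdf.lnk". The archive it scans is constructed inline for the demo and contains no real payload; the list of "document" extensions is an assumption to extend for your environment.

```python
import io
import zipfile
from dataclasses import dataclass

# First 8 bytes of a Windows Shell Link (.lnk): HeaderSize 0x0000004C (little-endian)
# followed by the start of the fixed LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200")
JPEG_MAGIC = b"\xff\xd8\xff"
# Document extensions a shortcut might borrow to look harmless (assumed list; extend as needed).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}


@dataclass
class Finding:
    member: str
    reason: str


def build_sample_archive() -> bytes:
    """Constructed lure for the demo: two JPEG stubs plus a shortcut named like a PDF.

    This is not a sample from the campaign; the LNK body is zero-filled padding.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/1.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 32)
        zf.writestr("photos/2.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 32)
        zf.writestr("Report.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
    return buf.getvalue()


def triage_archive(data: bytes) -> list[Finding]:
    """Flag shortcut files inside a ZIP, by content (magic bytes) and by name."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1]
            exts = [p.lower() for p in basename.split(".")[1:]]
            with zf.open(info) as fh:
                head = fh.read(8)
            looks_like_lnk = head == LNK_MAGIC
            named_lnk = bool(exts) and exts[-1] == "lnk"
            if looks_like_lnk and not named_lnk:
                # Content says shortcut, name says otherwise: a renamed LNK.
                findings.append(Finding(info.filename, "shell link content under a non-.lnk name"))
            elif looks_like_lnk or named_lnk:
                # Explorer hides ".lnk", so "Report.pdf.lnk" is shown to the user as "Report.pdf".
                inner = exts[-2] if len(exts) >= 2 else None
                if inner in DOC_EXTS:
                    findings.append(Finding(info.filename, f"shortcut posing as a .{inner} document"))
                else:
                    findings.append(Finding(info.filename, "Windows shortcut inside archive"))
    return findings


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f"{f.member}: {f.reason}")
```

Checking the header bytes rather than trusting the filename matters because the extension is what the attacker controls; the magic check also catches shortcuts that were renamed outright. Requires Python 3.9 or later for the built-in generic annotations.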
TOUGHPROGRESS layers several evasion techniques: encryption, compression, process hollowing, and control-flow obfuscation. The malware runs entirely in memory, which reduces its forensic footprint and sidesteps file-based detection. By embedding commands and stolen data in calendar event descriptions, Wicked Panda maintained two-way communication with compromised systems while blending with routine cloud activity. This tactic continues the group's prior abuse of cloud infrastructure, such as Google Sheets and Drive for C2 in 2023 and public cloud hosting for the VOLDEMORT and DUSTTRAP malware in 2024.
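Because the C2 traffic itself is legitimate HTTPS to Google, the place to look is the content of the calendar objects. The script below is an added example (not code from the original report) of a hunt over exported calendar events: a description that is one long, valid base64 token with ciphertext-like entropy is unusual for a human-written event and is flagged. The events are constructed inline in the shape of Google Calendar API event resources, the "ciphertext" is a deterministic stand-in rather than campaign data, and the length and entropy thresholds are assumptions to tune against your tenant's baseline.

```python
import base64
import binascii
import hashlib
import math
import re

# A description that is a single base64 token is unusual for a human-written event;
# combined with high entropy it is a reasonable hunting signal. Thresholds are
# assumptions to tune against your own tenant's baseline.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
MIN_BLOB_LEN = 32
MIN_ENTROPY_BITS = 4.5  # English prose sits around 4.0-4.3 bits/char; base64 ciphertext above 5.0


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not text:
        return 0.0
    counts: dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_opaque_blob(description: str) -> bool:
    """True if the description is a single valid base64 token with ciphertext-like entropy."""
    compact = "".join(description.split())  # tolerate line wrapping in the description
    if len(compact) < MIN_BLOB_LEN or not B64_TOKEN.fullmatch(compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(compact) >= MIN_ENTROPY_BITS


def hunt_calendar(events: list[dict]) -> list[str]:
    """Return ids of events whose description looks like an opaque encrypted payload."""
    return [ev["id"] for ev in events if is_opaque_blob(ev.get("description", ""))]


def _fake_ciphertext() -> str:
    # Deterministic stand-in for an encrypted command blob (constructed, not campaign data).
    raw = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(4))
    return base64.b64encode(raw).decode()


# Constructed sample in the shape of Google Calendar API event resources.
SAMPLE_EVENTS = [
    {"id": "ev-001", "summary": "Weekly sync",
     "description": "Agenda: Q3 roadmap review, hiring update. Dial-in: https://meet.example.com/abc-defg-hij",
     "start": {"dateTime": "2025-05-20T10:00:00Z"}, "end": {"dateTime": "2025-05-20T10:30:00Z"},
     "attendees": [{"email": "alice@example.com"}, {"email": "bob@example.com"}]},
    {"id": "ev-002", "summary": "Dentist", "description": "",
     "start": {"date": "2025-05-22"}, "end": {"date": "2025-05-23"}},
    {"id": "ev-003", "summary": "Reminder", "description": _fake_ciphertext(),
     "start": {"dateTime": "2025-05-21T09:00:00Z"}, "end": {"dateTime": "2025-05-21T09:15:00Z"}},
]

if __name__ == "__main__":
    print(hunt_calendar(SAMPLE_EVENTS))
```

In practice you would feed this the output of a Calendar API events list or a Workspace export, and pair the content check with context the sample cannot show: events created by service accounts or from unexpected IP ranges, descriptions that change repeatedly, and events with no attendees. Requires Python 3.9 or later for the built-in generic annotations.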
Wicked Panda’s targeting reflects its strategic focus on high-value sectors. The campaign’s reliance on spear-phishing and on a compromised website to stage the archive highlights the group’s preference for socially engineered initial access delivered from compromised third-party infrastructure. The use of Google Calendar as a C2 channel marks a significant evolution in Wicked Panda’s tactics and emphasizes the need to monitor the content of sanctioned cloud services, not just the connections to them.
Who is Wicked Panda?
Wicked Panda, also known as APT41, Winnti, Barium, and Blackfly, is a China-nexus threat actor group active since at least 2009. Wicked Panda is known to target multiple verticals, including healthcare, telecommunications, technology, gaming, government, defense, manufacturing, aerospace, financial services, chemical, mining, and think tanks. Targets include entities worldwide, with notable activity against the United States, Europe, Southeast Asia, and South Pacific Island countries.
Wicked Panda employs spear-phishing emails with malicious attachments or links to gain initial access, often using compromised infrastructure to host payloads. The group leverages living-off-the-land techniques, utilizing legitimate system tools to blend malicious activities with normal processes. They deploy custom malware, such as ShadowPad and TOUGHPROGRESS, for persistence and data exfiltration, frequently exploiting vulnerabilities in widely used software like Citrix ADC and Zoho ManageEngine. Lateral movement and credential harvesting are conducted to escalate privileges and maintain long-term access.
Wicked Panda is widely assessed to be a Chinese state-sponsored group, with operations aligning with the Chinese Communist Party’s strategic economic and intelligence objectives, including China’s Five-Year Plans. The group is assessed to operate through contractors working for Chinese government agencies, with public reporting most often linking it to the Ministry of State Security (MSS), though no specific unit has been definitively identified.
IOCs
PolySwarm has multiple samples associated with this activity.
3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb
50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360
151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7
You can use the following CLI command to search for all related samples in our portal:
$ polyswarm link list -f TOUGHPROGRESS