APT 41: Threat Intelligence Report and Malware Analysis

June 10, 2025, 11:13 a.m.

Description

APT41, a sophisticated Chinese state-sponsored threat actor, blends cyber espionage with cybercrime tactics. It targets various sectors globally, including healthcare, telecom, and government entities. Recently, APT41 was observed using Google Calendar for malware command-and-control in activity involving a Taiwanese government website. The attack chain consists of spear-phishing emails, malicious ZIP archives, and a three-module malware system called ToughProgress. This malware relies on techniques such as in-memory execution, encryption, and process hollowing to evade detection. The distinctive aspect of ToughProgress is its use of Google Calendar events for covert data exchange, which gives the operators a communication channel for remote command execution and data exfiltration that blends in with legitimate traffic to a trusted service.

Date

  • Created: June 10, 2025, 10:52 a.m.
  • Published: June 10, 2025, 10:52 a.m.
  • Modified: June 10, 2025, 11:13 a.m.

Indicators

  • 50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360
  • 469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a
  • 3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb
  • 151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7
  • word.msapp.workers.dev
  • pubs.infinityfreeapp.com
  • cloud.msapp.workers.dev
  • term-restore-satisfied-hence.trycloudflare.com
  • ways-sms-pmc-shareholders.trycloudflare.com
  • resource.infinityfreeapp.com
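The following is an added example, not part of the original report, showing how a defender might sweep the indicators listed above across DNS, proxy and endpoint logs. The log lines are constructed for the example; the log field names (`query=`, `proc=`, `dst=`, `url=`, `sha256=`) and the browser process allowlist are assumptions, and the Google Calendar heuristic is a simple illustration of the "trusted service as C2" point in the description rather than a detection rule from the report.

```python
"""Sweep the report's indicators over constructed log lines.

Added example (not the report's own tooling). Field names in the sample
logs and the browser allowlist are assumptions made for the example.
"""
import re

# SHA-256 and domain indicators copied from the report above.
SHA256_IOCS = {
    "50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360",
    "469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a",
    "3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb",
    "151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7",
}
DOMAIN_IOCS = {
    "word.msapp.workers.dev",
    "pubs.infinityfreeapp.com",
    "cloud.msapp.workers.dev",
    "term-restore-satisfied-hence.trycloudflare.com",
    "ways-sms-pmc-shareholders.trycloudflare.com",
    "resource.infinityfreeapp.com",
}

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

# Assumed allowlist: processes for which Google Calendar traffic is expected.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def domain_matches(host):
    """Return the matching indicator for an exact host or any subdomain of it."""
    host = host.lower().rstrip(".")
    for ioc in DOMAIN_IOCS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line):
    """Collect (kind, indicator) hits for every hash and hostname in one line."""
    hits = []
    for h in HASH_RE.findall(line):
        if h.lower() in SHA256_IOCS:
            hits.append(("sha256", h.lower()))
    for host in HOST_RE.findall(line):
        ioc = domain_matches(host)
        if ioc:
            hits.append(("domain", ioc))
    return hits


def calendar_from_non_browser(line):
    """Heuristic: Google Calendar reached by a process that is not a browser."""
    proc = re.search(r"proc=(\S+)", line)
    dst = re.search(r"dst=(\S+)", line)
    if not proc or not dst:
        return False
    host = dst.group(1).lower()
    url = (re.search(r"url=(\S+)", line) or re.search(r"url=()", "url=")).group(1)
    is_calendar = host == "calendar.google.com" or (
        host == "www.googleapis.com" and "/calendar/" in url
    )
    return is_calendar and proc.group(1).lower() not in BROWSER_PROCESSES


def triage(lines):
    """Return indicator hits as (line_no, kind, ioc) and calendar anomalies by line."""
    ioc_hits, calendar_anomalies = [], []
    for n, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            ioc_hits.append((n, kind, value))
        if calendar_from_non_browser(line):
            calendar_anomalies.append(n)
    return {"ioc_hits": ioc_hits, "calendar_anomalies": calendar_anomalies}


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-06-10T10:52:01Z dns client=10.0.0.5 query=word.msapp.workers.dev type=A",
    "2025-06-10T10:52:03Z proxy proc=outlook.exe dst=docs.example.workers.dev status=200",
    "2025-06-10T10:52:07Z edr event=file_create path=C:\\Users\\u\\Downloads\\a.zip "
    "sha256=469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a",
    "2025-06-10T10:52:09Z proxy proc=svchost.exe dst=calendar.google.com url=/calendar/u/0/r status=200",
    "2025-06-10T10:52:11Z proxy proc=chrome.exe dst=calendar.google.com url=/calendar/u/0/r status=200",
    "2025-06-10T10:52:15Z dns client=10.0.0.5 query=cdn.ways-sms-pmc-shareholders.trycloudflare.com type=A",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(key, value)
```

Subdomain matching matters here because several indicators sit on shared hosting platforms (workers.dev, trycloudflare.com, infinityfreeapp.com): matching on the full registered label avoids flagging every unrelated tenant of those platforms, while still catching hosts beneath a listed indicator. The calendar heuristic is deliberately narrow and will need tuning to each environment's allowlist.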

Attack Patterns

Additional Information

  • Technology
  • Healthcare
  • Telecommunications
  • Government
  • Taiwan