PULSE NAME: APT41's "ToughProgress" Malware Abuses Google Calendar for C2 Evasion
TLP: WHITE | Adversary: Winnti Group | Author: PetrP.73 | Created: 2025-05-31 | Modified: 2025-05-31
IOCs: 77 (high volume)
This pulse details APT41's (Winnti Group) new "ToughProgress" malware, which weaponizes Google Calendar for stealthy command-and-control (C2) communications. Key highlights from SOCRadar's analysis:

- Legitimacy Abuse: Uses Google Calendar events to hide malicious commands in seemingly benign public calendar entries.
- Multi-Stage Execution: Delivers PowerShell scripts to fetch encrypted payloads, bypassing traditional network defences.
- Persistence Mechanisms: Establishes footholds via scheduled tasks, registry modifications, and DLL sideloading.
- Targeted Evasion: Avoids sandboxes and leverages trusted cloud services to evade detection.
- IOCs Provided: Includes malware hashes, C2 domains, and behavioural patterns for hunting.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES: (none listed)
MALWARE FAMILIES: ToughProgress
Indicators of Compromise (77)