Google Calendar Exploits, Fake AI Packages, Malware Arrests, and a Newly Proposed Exploit Metric
Notable security news for the week of May 25 – June 1. Your editor this week is Chris from the F5 Security Incident Response Team. This week I will highlight Google Calendar exploits by an Advanced Persistent Threat (APT), malware installers disguised as popular AI tools, the arrest of 21 people in Pakistan operating a malware service, and a new exploit equation aimed at aiding KEV and EPSS.
Google Calendar Exploits
The Chinese state-sponsored threat actor APT41 has been using a malware called TOUGHPROGRESS to leverage Google Calendar for command-and-control (C2) operations. Google discovered this activity in late October of 2024. The malware was hosted on a compromised government website targeting multiple other government entities.
The malware consists of three distinct components:
- PLUSDROP: A DLL used to decrypt and execute the next-stage payload in memory.
- PLUSINJECT: Performs process hollowing on a legitimate "svchost.exe" process to inject the final payload.
- TOUGHPROGRESS: The primary malware that uses Google Calendar for C2.
The malware reads and writes events with an attacker-controlled Google Calendar, storing harvested data in event descriptions and executing encrypted commands. Google has taken down the malicious Google Calendar and terminated the associated Workspace projects, neutralizing the campaign.
https://thehackernews.com/2025/05/chinese-apt41-exploits-google-calendar.html
Fake AI Tool Packages
Since mid-October 2024, cybercriminals have been using fake installers for popular AI tools like OpenAI ChatGPT and InVideo AI to spread several types of malware: CyberLock ransomware, Lucky_Gh0$t ransomware, and a new malware called Numero.
CyberLock, developed in PowerShell, encrypts specific files on the victim's system and demands a $50,000 ransom in Monero, claiming the funds will support humanitarian causes. Lucky_Gh0$t, a variant of the Yashma ransomware, targets files smaller than 1.2GB for encryption, deletes backups, and demands ransom payments via the Session messaging app. Numero is destructive malware that manipulates the graphical user interface components of Windows, rendering the machine unusable; it keeps running on the victim's machine in an infinite loop.
The fake AI tool websites use SEO poisoning techniques to boost their search rankings and lure victims into downloading malware-laden installers. The campaign targets individuals and organizations in the B2B sales and marketing sectors, exploiting the popularity of AI tools to spread malware.
There are multiple ways you can reduce the risk of malware threats:
- Use Security Software: Install reputable antivirus and anti-malware software. Ensure it is regularly updated to protect against the latest threats.
- Be Cautious with Emails: Avoid clicking on links or opening attachments from unknown or suspicious emails. Phishing emails are a common way to spread malware.
- Download from Trusted Sources: Only download software from official websites or reputable sources. Avoid third-party platforms that might disguise malware as legitimate software.
- Keep Software Updated: Regularly update your operating system and all installed software to patch vulnerabilities that could be exploited by malware.
- Use Strong Passwords: Implement strong, unique passwords for all your accounts and consider using a password manager to keep them secure.
- Enable Two-Factor Authentication: Add an extra layer of security to your accounts by enabling two-factor authentication wherever possible.
These are all good practices to follow at any time. It is always a good idea to remain vigilant when it comes to security.
https://thehackernews.com/2025/05/cybercriminals-target-ai-users-with.html
Heartsender Malware Service Arrests
Pakistani authorities have arrested 21 individuals accused of operating "Heartsender," a spam and malware dissemination service active for over a decade. The alleged ringleader, Rameez Shahzad, and other core developers were publicly identified in 2021 after making several operational security mistakes, such as inadvertently infecting their own computers with malware, which exposed their identities and operations. Heartsender's tools were linked to over $50 million in losses in the U.S., with European authorities investigating 63 additional cases. Heartsender provided spam and malware dissemination tools, primarily targeting users of various Internet services like Microsoft 365, Yahoo, AOL, Intuit, iCloud, and ID.me. The main clients were organized crime groups that used these tools for business email compromise (BEC) schemes. These schemes tricked companies into making payments to third parties by impersonating legitimate business contacts. The service was marketed under multiple brands, including Heartsender, Fudpage, and Fudtools. "Fud" stands for "Fully Un-Detectable," indicating that the tools were designed to evade detection by security software. The FBI and Dutch Police seized the technical infrastructure for Heartsender in January 2025.
https://krebsonsecurity.com/2025/05/pakistan-arrests-21-in-heartsender-malware-service/
Likely Exploited Vulnerabilities (LEV)
Researchers from CISA and NIST have proposed a new cybersecurity metric called Likely Exploited Vulnerabilities (LEV). This metric estimates how likely it is that a vulnerability has already been exploited in the wild. LEV aims to complement existing tools like Known Exploited Vulnerabilities (KEV) lists and the Exploit Prediction Scoring System (EPSS) by providing more accurate prioritization for vulnerability remediation.
KEV (Known Exploited Vulnerabilities) Lists:
- Purpose: Catalog vulnerabilities that have been confirmed to be exploited in the wild.
- Usage: Helps organizations prioritize patching and remediation efforts by focusing on vulnerabilities that attackers are actively using.
EPSS (Exploit Prediction Scoring System):
- Purpose: Provides a 30-day probability that a vulnerability will be exploited.
- Usage: Assists in predicting which vulnerabilities are likely to be targeted, helping organizations prioritize their security efforts.
Both tools are essential for effective vulnerability management, with KEV lists focusing on known exploits and EPSS providing predictive insights.
LEV uses equations that consider variables such as the first date an EPSS score is available, the date of the most recent KEV list update, inclusion in KEV, and the EPSS score measured across multiple days. LEV probabilities can help measure the expected number and proportion of vulnerabilities exploited by threat actors and estimate the comprehensiveness of KEV lists. NIST is seeking industry partners with relevant datasets to empirically measure the performance of LEV probabilities.
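To make the idea concrete, here is an added illustration of the kind of calculation LEV performs; this is example code, not NIST's published equation. It assumes EPSS scores are 30-day exploitation probabilities sampled once per 30-day window starting from the first available date, that the final partial window is pro-rated by the fraction of 30 days elapsed, that windows are independent, and that KEV membership counts as confirmed exploitation. The CVE identifier and scores are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

WINDOW_DAYS = 30  # an EPSS score is a 30-day exploitation probability


@dataclass(frozen=True)
class EpssSample:
    day: date      # date the EPSS score was published
    score: float   # EPSS probability in [0, 1]


def window_weight(sample_day: date, as_of: date) -> float:
    """Fraction of the sample's 30-day window elapsed by as_of (assumed scheme:
    a full window counts 1.0, a partial window is pro-rated, future samples 0.0)."""
    elapsed = (as_of - sample_day).days
    if elapsed <= 0:
        return 0.0
    return min(elapsed / WINDOW_DAYS, 1.0)


def lev_probability(samples, as_of: date, in_kev: bool = False) -> float:
    """Probability the vulnerability was exploited at least once between the first
    EPSS sample and as_of, combining one sample per 30-day window as if independent:
    1 - prod(1 - epss_i * weight_i). KEV membership is treated as confirmed (1.0)."""
    if in_kev:
        return 1.0
    ordered = sorted(samples, key=lambda s: s.day)
    if not ordered:
        return 0.0
    p_not_exploited = 1.0
    next_window = ordered[0].day          # first date an EPSS score is available
    for s in ordered:
        if s.day < next_window:           # still inside the current window: skip
            continue
        w = window_weight(s.day, as_of)
        if w == 0.0:                      # sample lies in the future: stop
            break
        p_not_exploited *= 1.0 - s.score * w
        next_window = s.day + timedelta(days=WINDOW_DAYS)
    return 1.0 - p_not_exploited


# Constructed sample history for a hypothetical "CVE-EXAMPLE-0001" (not a real CVE).
SAMPLES = [
    EpssSample(date(2025, 1, 1), 0.10),
    EpssSample(date(2025, 1, 31), 0.20),
    EpssSample(date(2025, 3, 2), 0.50),   # only 15 of 30 days elapsed by AS_OF
]
AS_OF = date(2025, 3, 17)

if __name__ == "__main__":
    print(f"LEV({AS_OF}) = {lev_probability(SAMPLES, AS_OF):.2f}")  # 0.46
```

Even a vulnerability that never reached a high EPSS score accumulates a substantial LEV once several 30-day windows are combined, which is the effect the metric is meant to surface.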
LEV can enhance vulnerability management in several ways:
- Prioritization: LEV helps organizations prioritize vulnerabilities that are most likely to be exploited, ensuring that critical patches are applied first.
- Accuracy: LEV draws on both KEV lists and EPSS scores, so it can also identify vulnerabilities that are exploited less frequently.
- Resource Allocation: LEV enables better allocation of resources by focusing efforts on vulnerabilities with the highest exploitation probability, optimizing security operations.
- Risk Management: LEV probabilities help measure the expected number and proportion of vulnerabilities exploited by threat actors, aiding in comprehensive risk management.
- Collaboration: LEV encourages collaboration between industry partners and researchers to empirically measure and improve vulnerability management practices.
The hope is that by integrating LEV into existing tools and processes, organizations can improve their ability to identify, prioritize, and mitigate vulnerabilities effectively.