They Clicked a File. The Malware Used Google Calendar.

One of the most valuable rules you will learn in any workplace cybersecurity training is this: Don’t open any file you weren’t specifically expecting — even if it’s from someone you know.
That includes .zip files, .pdfs, or random shared drives. If it shows up out of nowhere, stop. Ask. Verify.
Because once you open a malicious file? That’s it. The attackers are in. And in some cases, they use your own tools against you, like your Google Calendar.
Wait. Hackers are using Google Calendar?
Yep. That’s what happened in a recent attack by APT41, a state-sponsored hacking group out of China that’s been active for years. The story is linked below in “Further reading” if you want to get into the technical details, but here’s the tl;dr:
Someone received a phishing email with a link to a ZIP file.
That ZIP file contained what looked like a harmless PDF shortcut — but wasn’t.
Clicking it unleashed a chain of malware that quietly took over the computer and used Google Calendar events to send and receive commands.
Because Google Calendar is a trusted service, the malware blended in with normal network traffic and stayed hidden longer than it should have.
This is advanced-level stuff, but the point is painfully simple:
None of it would have happened if the victim hadn’t clicked the file.
Why this matters to you
Look, most of us aren't working in government or tech firms targeted by nation-state actors. But we are vulnerable to phishing. Every one of us.
These attacks don’t start with laser beams and spy satellites.
They start with an email. Or a text. Or a file you weren’t expecting.
And the moment you click? The trap springs.
Hackers count on people thinking, “Oh, it’s just a PDF.”
They count on you being in a rush, or distracted, or too polite to question it.
You know more than you think
The best cybersecurity advice is often stuff you learned in kindergarten:
Don’t take candy from strangers.
(Or files. Or weird links.)
Ask before accepting something unexpected.
(Even if it looks safe.)
Trust your instincts.
(If something feels off, it probably is.)
So here’s your action item this week:
Teach your kids and your parents the "Call Before You Click" rule.
If you get an unexpected file from someone (even someone you trust), call or text them first to double-check.
It’s simple. It’s free. And it can stop even the most advanced cyberattacks before they start.