MITRE ATT&CK® Malware

S0025: CALENDAR

CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. [1]

Domain: Enterprise | ID: S0025 | Type: Malware | Object version: 1.2 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

CALENDAR matters because it represents malware that blends command-and-control activity into traffic resembling legitimate Gmail Calendar use. For leaders, the practical issue is not the malware name itself, but whether the organization can distinguish approved cloud/web-service activity from adversary communications on Windows systems without disrupting normal business use of legitimate services.

Executive priority

Prioritize this as a visibility and response-readiness question: can security teams prove they collect enough endpoint, process, DNS, proxy, and web telemetry to investigate suspicious Windows hosts communicating through common external web services? Because CALENDAR is linked to APT1 and uses Windows Command Shell plus bidirectional web-service communication, leaders should ask whether SOC playbooks, acceptable-use baselines, and incident response procedures cover malware that hides inside trusted-looking cloud traffic.

Technical view

ATT&CK lists CALENDAR as Windows malware used by APT1 that mimics legitimate Gmail Calendar traffic. Its ATT&CK relationships record T1059.003 (Windows Command Shell) for execution and T1102.002 (Bidirectional Communication) for command and control through a legitimate external web service. SOC and IR teams should validate detection around unusual cmd.exe execution, parent-child process chains, indicators that command output is being collected, and web/proxy patterns in which a Windows endpoint exchanges repeated or anomalous data with a legitimate web service outside expected user behavior.

Likely telemetry

  • Windows endpoint process creation telemetry, especially cmd.exe invocation and parent-child process context
  • Command-line arguments and script or shell execution records where available
  • EDR alerts or host artifacts tied to suspicious command execution on Windows
  • DNS queries and web/proxy logs for external web-service access patterns
  • TLS/HTTP metadata such as destination, user agent, request timing, volume, and authenticated user or host context where collected

Detection direction

  • Validate whether detections correlate Windows Command Shell execution with outbound web-service communications from the same host or user session.
  • Baseline legitimate Gmail Calendar or similar web-service use so analysts can identify unusual hosts, service accounts, servers, timing, volume, or process origins without over-alerting on normal business traffic.
  • Tune for suspicious cmd.exe parent processes, rare command lines, unexpected interactive shell use, and command execution followed by network activity.
  • Review blind spots where encrypted web traffic, unmanaged endpoints, limited proxy logging, or lack of process command-line capture would prevent investigation.
  • Use the APT1 relationship as threat-intelligence context for triage priority, not as proof of attribution in local incidents.
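The following is an added example illustrating the technical view and the detection direction above; it is not code from MITRE, Mandiant, or Glexia. It correlates constructed Windows process-creation events with constructed proxy log lines, flags cmd.exe launched by a non-interactive parent that is followed within a short window by traffic to a calendar web service from the same host, and builds a per-host profile so that service accounts or unusually chatty hosts stand out against a baseline. The destination name calendar.google.com, the "svc-" service-account prefix, the 60-second window, and the event field names are assumptions chosen for the example, not values taken from the ATT&CK object.

```python
"""Added example: correlate Windows Command Shell execution with outbound
web-service traffic, then profile per-host web-service use for baselining.
All events below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon/EDR style field names are assumed).
PROCESS_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "WS-0142", "user": "jdoe",
     "image": "cmd.exe", "parent": "explorer.exe", "cmdline": "cmd.exe"},
    {"ts": "2024-05-01T09:14:10", "host": "WS-0077", "user": "svc-backup",
     "image": "cmd.exe", "parent": "rundll32.exe",
     "cmdline": "cmd.exe /c whoami & ipconfig /all"},
    {"ts": "2024-05-01T09:14:12", "host": "WS-0077", "user": "svc-backup",
     "image": "cmd.exe", "parent": "rundll32.exe", "cmdline": "cmd.exe /c netstat -an"},
    {"ts": "2024-05-01T10:30:00", "host": "WS-0142", "user": "jdoe",
     "image": "cmd.exe", "parent": "explorer.exe", "cmdline": "cmd.exe"},
]

# Constructed proxy log lines: timestamp host user destination bytes_out
PROXY_LOG = """\
2024-05-01T09:00:30 WS-0142 jdoe calendar.google.com 812
2024-05-01T09:14:18 WS-0077 svc-backup calendar.google.com 4310
2024-05-01T09:14:41 WS-0077 svc-backup calendar.google.com 3987
2024-05-01T09:15:07 WS-0077 svc-backup calendar.google.com 4102
2024-05-01T10:31:00 WS-0142 jdoe calendar.google.com 640
"""

WEB_SERVICE_HOSTS = {"calendar.google.com"}  # assumed destination for Google Calendar
INTERACTIVE_PARENTS = {"explorer.exe"}       # assumption: shells a user opened by hand
CORRELATION_WINDOW = timedelta(seconds=60)   # assumption: tune to local data


def parse_proxy_log(text):
    """Parse whitespace-separated proxy lines into dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, dst, out = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "dst": dst, "bytes_out": int(out)})
    return events


def correlate_shell_with_web_service(proc_events, proxy_events, window=CORRELATION_WINDOW):
    """One alert per cmd.exe started by a non-interactive parent that is followed,
    on the same host and within `window`, by traffic to a watched web service."""
    by_host = defaultdict(list)
    for e in proxy_events:
        if e["dst"] in WEB_SERVICE_HOSTS:
            by_host[e["host"]].append(e)
    alerts = []
    for p in proc_events:
        if p["image"].lower() != "cmd.exe" or p["parent"].lower() in INTERACTIVE_PARENTS:
            continue
        start = datetime.fromisoformat(p["ts"])
        hits = [e for e in by_host[p["host"]] if start <= e["ts"] <= start + window]
        if hits:
            alerts.append({"host": p["host"], "user": p["user"], "parent": p["parent"],
                           "cmdline": p["cmdline"], "first_dst": hits[0]["dst"],
                           "requests_in_window": len(hits),
                           "bytes_out": sum(e["bytes_out"] for e in hits)})
    return alerts


def per_host_web_service_profile(proxy_events):
    """Aggregate request count, bytes out and distinct users per host so hosts can
    be compared against an agreed baseline instead of alerting on every request."""
    profile = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "users": set()})
    for e in proxy_events:
        if e["dst"] in WEB_SERVICE_HOSTS:
            h = profile[e["host"]]
            h["requests"] += 1
            h["bytes_out"] += e["bytes_out"]
            h["users"].add(e["user"])
    return dict(profile)


def outlier_hosts(profile, max_requests, service_account_prefix="svc-"):
    """Flag hosts above the request baseline, or where a service account
    (assumption: 'svc-' prefix) talks to the web service at all."""
    flagged = set()
    for host, stats in profile.items():
        if stats["requests"] > max_requests:
            flagged.add(host)
        if any(u.startswith(service_account_prefix) for u in stats["users"]):
            flagged.add(host)
    return sorted(flagged)


if __name__ == "__main__":
    proxy = parse_proxy_log(PROXY_LOG)
    for alert in correlate_shell_with_web_service(PROCESS_EVENTS, proxy):
        print("ALERT", alert)
    print("outliers:", outlier_hosts(per_host_web_service_profile(proxy), max_requests=2))
```

In the constructed data, the interactive cmd.exe sessions on WS-0142 produce no alert even though that host also reaches the calendar service, while both non-interactive shells on WS-0077 are followed by three requests each and the host is additionally flagged because a service account is the one talking to the web service. In production the same two functions would read from EDR and proxy data sources rather than inline constants, and the window, parent list and baseline thresholds would come from the local acceptable-use baseline described above.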

Mitigation priorities

  • Ensure Windows endpoint logging and EDR coverage are sufficient to capture process creation, command-line context, and network connections.
  • Define and monitor acceptable use of external web services from business endpoints and servers, with attention to services that can support bidirectional communication.
  • Harden and monitor command shell usage through least privilege, administrative controls, and alerting on abnormal cmd.exe behavior.
  • Prepare IR playbooks for suspected web-service-based command-and-control, including host isolation, credential review, and preservation of endpoint plus proxy evidence.
  • Use compliance and audit evidence to demonstrate that cloud/web traffic monitoring and endpoint execution monitoring are both in scope, rather than treating them as separate control areas.

Analyst notes and limits

The supplied ATT&CK object is sparse: no official detection text, no aliases, and no tactics listed directly on the malware object. The most useful defensive context comes from the relationships to Windows Command Shell and Bidirectional Communication, plus the description that CALENDAR mimics legitimate Gmail Calendar traffic.

This take is limited to the supplied ATT&CK fields and relationships. It does not assert current activity, customer exposure, specific indicators, full malware functionality, or guaranteed detection logic. Local baselines, telemetry quality, and approved web-service usage are required to determine material risk and coverage.

Official MITRE ATT&CK definition

CALENDAR

CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | CALENDAR has a command to run cmd.exe to execute commands. [Mandiant APT1 Appendix]
Enterprise | T1102.002 | Bidirectional Communication (sub-technique) | The CALENDAR malware communicates through the use of events in Google Calendar. [1] [Mandiant APT1 Appendix]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0006: APT1

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 32464d14f82f1cfb...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 32464d14f82f…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Mandiant APT1: Mandiant. (n.d.). APT1: Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
  2. [2] mitre-attack S0025: MITRE ATT&CK software entry S0025.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.