Actor(s): APT41
According to Google Threat Intelligence Group (GTIG), this malware uses Google Calendar events as its command-and-control (C2) channel, so its C2 traffic terminates at legitimate Google infrastructure rather than at attacker-owned domains. The YARA rule below is a host/memory-side code-pattern detection and does not rely on any network indicator.
rule win_toughprogress_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.toughprogress."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.toughprogress"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     *   https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * NOTE(review): the per-instruction annotations shipped with the generated
     * rule did not correspond to the listed bytes (they read like a 32-bit
     * decode of REX-prefixed x86-64 code), so they were re-decoded by hand
     * below as x86-64. The byte patterns are the authoritative part of the
     * rule; verify the mnemonics with a disassembler before relying on them
     * for analysis. `????????` masks 32-bit RIP-relative displacements and
     * call targets, which vary between builds.
     */

    strings:
        // Atomic decrement / compare-with-sentinel pattern followed by a call.
        $sequence_0 = { f00fc101 83f801 7512 488d053e820600 483bc8 7406 e8???????? }
            // n = 7, score = 100
            // f00fc101        | lock xadd dword ptr [rcx], eax
            // 83f801          | cmp eax, 1
            // 7512            | jne +0x12
            // 488d053e820600  | lea rax, [rip + 0x6823e]
            // 483bc8          | cmp rcx, rax
            // 7406            | je +6
            // e8????????      | call <rel32>

        // Bitmap lookup: byte index = edx >> 3, bit index = edx & 7, then inverted.
        $sequence_1 = { 53 4189d0 4180e007 c1ea03 440fb60c11 4489c8 f7d0 }
            // n = 7, score = 100
            // 53              | push rbx
            // 4189d0          | mov r8d, edx
            // 4180e007        | and r8b, 7
            // c1ea03          | shr edx, 3
            // 440fb60c11      | movzx r9d, byte ptr [rcx + rdx]
            // 4489c8          | mov eax, r9d
            // f7d0            | not eax

        // Indirect call, then argument setup for the next call from a global table.
        $sequence_2 = { ffd0 488b4df8 488b15???????? 4c8b0c32 4d01e9 4889c2 4989d8 }
            // n = 7, score = 100
            // ffd0            | call rax
            // 488b4df8        | mov rcx, qword ptr [rbp - 8]
            // 488b15????????  | mov rdx, qword ptr [rip + <disp32>]
            // 4c8b0c32        | mov r9, qword ptr [rdx + rsi]
            // 4d01e9          | add r9, r13
            // 4889c2          | mov rdx, rax
            // 4989d8          | mov r8, rbx

        // Table entry + 64-bit constant, then call the result. This shape
        // (load pointer, add imm64, call rax) recurs in $sequence_3..$sequence_5
        // and $sequence_8/$sequence_9 and looks like encoded function-pointer
        // or API resolution -- TODO confirm against the sample.
        $sequence_3 = { 48bb136f553659972b06 488b0408 4801d8 4889d1 ffd0 488b05???????? 48b9ef6e1e2c733fced7 }
            // n = 7, score = 100
            // 48bb136f553659972b06  | movabs rbx, 0x062b975936556f13
            // 488b0408              | mov rax, qword ptr [rax + rcx]
            // 4801d8                | add rax, rbx
            // 4889d1                | mov rcx, rdx
            // ffd0                  | call rax
            // 488b05????????        | mov rax, qword ptr [rip + <disp32>]
            // 48b9ef6e1e2c733fced7  | movabs rcx, 0xd7ce3f732c1e6eef

        $sequence_4 = { 48bf6f0c78c0a7583d67 488b0408 4801f8 4889d1 ffd0 0fb700 668906 }
            // n = 7, score = 100
            // 48bf6f0c78c0a7583d67  | movabs rdi, 0x673d58a7c0780c6f
            // 488b0408              | mov rax, qword ptr [rax + rcx]
            // 4801f8                | add rax, rdi
            // 4889d1                | mov rcx, rdx
            // ffd0                  | call rax
            // 0fb700                | movzx eax, word ptr [rax]
            // 668906                | mov word ptr [rsi], ax

        $sequence_5 = { 794a 0fb65678 488b05???????? 48b93faa3d93bf1e803d 488b0408 4c01c8 4889f1 }
            // n = 7, score = 100
            // 794a                  | jns +0x4a
            // 0fb65678              | movzx edx, byte ptr [rsi + 0x78]
            // 488b05????????        | mov rax, qword ptr [rip + <disp32>]
            // 48b93faa3d93bf1e803d  | movabs rcx, 0x3d801ebf933daa3f
            // 488b0408              | mov rax, qword ptr [rax + rcx]
            // 4c01c8                | add rax, r9
            // 4889f1                | mov rcx, rsi

        // 13-byte alignment nop, then a multiply/shift/mask sequence. Looks like
        // compiler-generated division by a constant (reciprocal in r10) -- TODO confirm.
        $sequence_6 = { 666666662e0f1f840000000000 4c89c8 49f7e2 48d1ea 4883e2f8 488d0452 4b8d1408 }
            // n = 7, score = 100
            // 666666662e0f1f840000000000  | nop word ptr cs:[rax + rax] (13-byte padding nop)
            // 4c89c8                      | mov rax, r9
            // 49f7e2                      | mul r10
            // 48d1ea                      | shr rdx, 1
            // 4883e2f8                    | and rdx, 0xfffffffffffffff8
            // 488d0452                    | lea rax, [rdx + rdx*2]
            // 4b8d1408                    | lea rdx, [r8 + r9]

        // Two 16-entry byte tables (0x103610 / 0x103620, relative to r10) indexed
        // by the low nibble of the byte at [r8]; the signed result adjusts r8.
        $sequence_7 = { 4c894708 894718 410fb608 83e10f 4a0fbe841110361000 428a8c1120361000 4c2bc0 }
            // n = 7, score = 100
            // 4c894708            | mov qword ptr [rdi + 8], r8
            // 894718              | mov dword ptr [rdi + 0x18], eax
            // 410fb608            | movzx ecx, byte ptr [r8]
            // 83e10f              | and ecx, 0xf
            // 4a0fbe841110361000  | movsx rax, byte ptr [rcx + r10 + 0x103610]
            // 428a8c1120361000    | mov cl, byte ptr [rcx + r10 + 0x103620]
            // 4c2bc0              | sub r8, rax

        $sequence_8 = { 488d0dd0dc0e00 ffd0 48bbab8be2c7a3ecddc7 48031d???????? 488b05???????? 48b950bd9f47f0766383 49bf5b1d11895113db65 }
            // n = 7, score = 100
            // 488d0dd0dc0e00        | lea rcx, [rip + 0xedcd0]
            // ffd0                  | call rax
            // 48bbab8be2c7a3ecddc7  | movabs rbx, 0xc7ddeca3c7e28bab
            // 48031d????????        | add rbx, qword ptr [rip + <disp32>]
            // 488b05????????        | mov rax, qword ptr [rip + <disp32>]
            // 48b950bd9f47f0766383  | movabs rcx, 0x836376f0479fbd50
            // 49bf5b1d11895113db65  | movabs r15, 0x65db135189111d5b

        // Boolean (eax != 0) scaled to a 16-byte stride and used as a table offset.
        $sequence_9 = { 85c0 0f95c1 48c1e104 48030d???????? 48b8e701c589e09907ad 48bf3c3732457de63ecb 488b0408 }
            // n = 7, score = 100
            // 85c0                  | test eax, eax
            // 0f95c1                | setne cl
            // 48c1e104              | shl rcx, 4
            // 48030d????????        | add rcx, qword ptr [rip + <disp32>]
            // 48b8e701c589e09907ad  | movabs rax, 0xad0799e089c501e7
            // 48bf3c3732457de63ecb  | movabs rdi, 0xcb3ee67d4532373c
            // 488b0408              | mov rax, qword ptr [rax + rcx]

    condition:
        // 7 of the 10 code sequences must be present. NOTE(review): `filesize`
        // is only defined for file scans; when scanning process memory with
        // yara the comparison is undefined and the rule will not fire -- drop
        // the size guard (or scan dumped modules as files) for memory hunting.
        7 of them and filesize < 3117056
}