Calendaromatic Malware
The NJCCIC received reports of the Calendaromatic malware affecting multiple New Jersey public sector organizations, including local and county government entities. Calendaromatic is a potentially unwanted application (PUA) primarily targeting entities in the United States. It is disguised as a benign desktop calendar application for managing holiday schedules. The threat actors behind it run an aggressive and sophisticated online advertising campaign to drive downloads, and the application itself is built on NeutralinoJS and uses Unicode homoglyphs and hidden payloads to evade detection, gain initial access, maintain persistence, and exfiltrate data.
Threat actors lure potential victims to third-party websites that advertise advanced holiday planning tools. The “calendaromatic” executable is a 7z self-extracting archive that serves as the setup file. Although it is signed with a digital certificate issued to CROWN SKY LLC, that certificate has since been revoked, so the signature should no longer be trusted. Victims who extract and install it grant the seemingly benign calendar tool permission to interact directly with the operating system. The malware then establishes a hidden command and control (C2) channel by embedding instructions in the Unicode characters of holiday names, and executes covert operations against the host operating system. The app’s “clean()” function, ostensibly present to normalize look-alike characters in holiday data, is what reads and decodes the hidden instructions and executes the resulting commands on the host.
Artificial intelligence (AI) accelerated the investigation and forensic process by parsing the obfuscated JavaScript and highlighting anomalous code sequences for Unicode character mapping. The AI tools traced the “clean()” function logic and revealed how the malware parsed and executed instructions embedded within holiday data.
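To make the homoglyph channel and the “clean()” behavior described above concrete, the block below is an added illustration written for this advisory; it is not code from Calendaromatic, from NJCCIC, or from the GuidePoint Security analysis. The Latin-to-Cyrillic mapping, the one-bit-per-letter encoding, the length-prefix framing, the holiday names and the hidden payload are all assumptions chosen for the example, and the real malware’s encoding is not reproduced here. It shows a sender hiding a short string in the letter shapes of ordinary holiday names, a receiver that recovers it the way a “cleanup” routine could, and a defender-side check that flags names mixing Latin and Cyrillic script, which is the kind of anomaly a reviewer or analysis tool would look for.

```javascript
// Added illustration: a hypothetical Unicode homoglyph covert channel plus a check for it.
// The mapping below is an assumption for this example, not Calendaromatic's actual table.
// Convention: Latin letter = bit 0, Cyrillic look-alike = bit 1.
const LATIN_TO_CYRILLIC = new Map([
  ["a", "\u0430"], ["c", "\u0441"], ["e", "\u0435"], ["i", "\u0456"], ["j", "\u0458"],
  ["o", "\u043E"], ["p", "\u0440"], ["s", "\u0455"], ["x", "\u0445"], ["y", "\u0443"],
]);
const CYRILLIC_TO_LATIN = new Map([...LATIN_TO_CYRILLIC].map(([l, c]) => [c, l]));

// Sender side: hide an ASCII payload in the letter shapes of `names`.
// Framing (assumed): one length byte, then the payload bytes, MSB first.
function hideInNames(names, payload) {
  if (payload.length > 255 || /[^\x00-\x7F]/.test(payload)) {
    throw new Error("payload must be ASCII and at most 255 bytes");
  }
  const bytes = [payload.length, ...[...payload].map(ch => ch.charCodeAt(0))];
  const bits = bytes.flatMap(b => [...Array(8)].map((_, i) => (b >> (7 - i)) & 1));
  let k = 0;
  const carrier = names.map(name => [...name].map(ch => {
    if (!LATIN_TO_CYRILLIC.has(ch) || k >= bits.length) return ch;
    return bits[k++] ? LATIN_TO_CYRILLIC.get(ch) : ch;
  }).join(""));
  if (k < bits.length) throw new Error(`need ${bits.length} carrier letters, have ${k}`);
  return carrier;
}

// Receiver side: what a "clean()" routine could really be doing while it
// appears to normalize look-alike characters. Letters outside the mapping are ignored.
function recoverFromNames(names) {
  const bits = [];
  for (const name of names) {
    for (const ch of name) {
      if (LATIN_TO_CYRILLIC.has(ch)) bits.push(0);
      else if (CYRILLIC_TO_LATIN.has(ch)) bits.push(1);
    }
  }
  const byteAt = i => bits.slice(i * 8, i * 8 + 8).reduce((v, b) => (v << 1) | b, 0);
  const len = byteAt(0);
  let out = "";
  for (let i = 1; i <= len; i++) out += String.fromCharCode(byteAt(i));
  return out;
}

// Defender side. Unicode normalization (NFKC) does not fold Cyrillic to Latin,
// so a naive normalize() pass misses this; flag any name that mixes the two scripts.
const HAS_LATIN = /\p{Script=Latin}/u;
const HAS_CYRILLIC = /\p{Script=Cyrillic}/u;
function isMixedScript(s) { return HAS_LATIN.test(s) && HAS_CYRILLIC.test(s); }
function flagSuspiciousNames(names) { return names.filter(isMixedScript); }

// Fold known look-alikes back to Latin, e.g. for logging or for diffing against a known-good list.
function foldHomoglyphs(s) {
  return [...s].map(ch => CYRILLIC_TO_LATIN.get(ch) ?? ch).join("");
}

// Constructed sample input: plain US holiday names as a benign app would ship them.
const SAMPLE_HOLIDAYS = [
  "Independence Day", "Labor Day", "Christmas Day", "Memorial Day",
  "Presidents Day", "Columbus Day", "Veterans Day", "Thanksgiving Day",
];

// End-to-end run: hide a command string, show the defender check catching the carriers.
function demo() {
  const carrier = hideInNames(SAMPLE_HOLIDAYS, "id");
  return {
    clean: flagSuspiciousNames(SAMPLE_HOLIDAYS),   // [] for untouched names
    flagged: flagSuspiciousNames(carrier),         // the names carrying Cyrillic bits
    recovered: recoverFromNames(carrier),          // "id"
    folded: carrier.map(foldHomoglyphs),           // back to the original names
  };
}
```

Two points worth taking from this. First, the carrier strings keep their length and render identically in most fonts, so a visual review of the holiday list or a length check will not catch them; a script-mixing check on string data that should be single-script, as in flagSuspiciousNames, is the cheap structural test. Second, any “normalization” or “cleanup” routine that walks every character of externally supplied data deserves a close read in an application review, since it is exactly where a decoder of this kind can hide.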
Recommendations
- Exercise caution when downloading and installing unfamiliar or untrusted applications from web searches.
- Refrain from installing unsigned or unverified software, and do not treat a valid-looking signature as sufficient on its own: check the signing certificate's revocation status, as the Calendaromatic installer was signed with a certificate that has since been revoked.
- Reset passwords on any compromised hosts, including credentials stored in browsers.
- Keep systems, browsers, and anti-virus/anti-malware software up to date with PUA detection enabled.
- Restore affected systems from backup or perform a complete operating system reinstallation.
- Review the GuidePoint Security blog post for technical information and indicators of compromise (IOCs).
- Report malicious cyber activity to the NJCCIC and the FBI’s IC3.
