According to The Hacker News , Google has warned that multiple threat actors are sharing public exploits that leverage its calendar service to host command and control (C2) infrastructure.

The tool, called Google Calendar RAT (GCR), uses the app’s event feature to issue command and control using a Gmail account. The program was first published to GitHub in June 2023.

Security researcher MrSaighnal said the code creates a covert channel by exploiting event descriptions in Google's calendar app. In its eighth Threat Report, Google said it had not observed the tool being used in the wild, but noted that its Mandiant threat intelligence unit had seen several threats that had shared proof-of-concept (PoC) exploits on underground forums.

Google says GCR runs on a compromised machine, periodically scanning the event description for new commands, executing them on the target device, and updating the description with the command. The fact that the tool operates on legitimate infrastructure makes it difficult to detect suspicious activity.

This case once again shows the worrying use of cloud services by threat actors to infiltrate and hide themselves on victims’ devices. Previously, a group of hackers believed to be linked to the Iranian government used documents containing macros to open a backdoor on Windows computers and issue commands via email.

Google said the backdoor uses IMAP to connect to a webmail account controlled by the hacker, parses emails for commands, executes them, and sends back emails containing the results. Google's threat analysis team has disabled the attacker-controlled Gmail accounts that the malware used as a conduit.