
Utilizing Google Calendar APIs, Hackers Exploit Serverless MeetC2 Communication Framework

Cybersecurity researchers have uncovered a sophisticated command-and-control framework known as MeetC2, which exploits legitimate Google Calendar APIs to create covert communication channels between attackers and compromised systems. Discovered in September 2025, this framework marks a troubling evolution in adversarial tactics, as threat actors manipulate trusted cloud services to circumvent traditional security measures and evade detection. By disguising malicious traffic as routine business communications through Google’s reputable domains, specifically “oauth2.googleapis.com” and “www.googleapis.com”, MeetC2 enables harmful activities to blend seamlessly with normal organisational traffic. This significantly complicates detection efforts for security teams. The framework’s cross-platform compatibility with macOS and Linux systems further enhances its potential impact across diverse enterprise environments.

The technical architecture of the MeetC2 framework reveals advanced evasion capabilities that take advantage of the widespread trust in Google services. The authentication process employs standard OAuth2 flows, necessitating that attackers create legitimate Google Cloud Console projects and service accounts with calendar access permissions. This ensures that all communications appear as authorised API interactions rather than suspicious network traffic. The implementation requires minimal infrastructure, operating entirely through Google’s existing Calendar API. Operators authenticate via service accounts configured with “Make changes to events” permissions on shared calendars. The polling mechanism, which operates at 30-second intervals, balances operational responsiveness with the need to avoid excessive API requests that could trigger rate limiting or alerts for suspicious activity. 
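The fixed polling interval described above is a usable detection signal. The following sketch is an added example, not code from MeetC2 or from the researchers; it flags clients whose Calendar API requests arrive at a near-constant interval. It assumes telemetry from a TLS-inspecting proxy or endpoint agent that records the source host, process name and URL path; the record layout, host names, process names and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

CALENDAR_HOST = "www.googleapis.com"   # host named in the article
CALENDAR_PATH = "/calendar/v3/"        # Google Calendar API v3 path prefix

# Constructed sample records (not real telemetry): time, source, process, host, path
SAMPLE_LOG = """\
2025-09-10T09:00:00 build-01 helperd www.googleapis.com /calendar/v3/calendars/CAL/events
2025-09-10T09:00:30 build-01 helperd www.googleapis.com /calendar/v3/calendars/CAL/events
2025-09-10T09:01:01 build-01 helperd www.googleapis.com /calendar/v3/calendars/CAL/events
2025-09-10T09:01:30 build-01 helperd www.googleapis.com /calendar/v3/calendars/CAL/events
2025-09-10T09:02:00 build-01 helperd www.googleapis.com /calendar/v3/calendars/CAL/events
2025-09-10T09:02:31 build-01 helperd www.googleapis.com /calendar/v3/calendars/CAL/events
2025-09-10T09:00:05 mac-07 chrome www.googleapis.com /calendar/v3/calendars/CAL/events
2025-09-10T09:00:09 mac-07 chrome www.googleapis.com /calendar/v3/users/me/calendarList
2025-09-10T09:07:40 mac-07 chrome www.googleapis.com /calendar/v3/calendars/CAL/events
2025-09-10T09:31:02 mac-07 chrome www.googleapis.com /calendar/v3/calendars/CAL/events
2025-09-10T09:31:20 mac-07 chrome www.googleapis.com /calendar/v3/calendars/CAL/events
2025-09-10T09:58:45 mac-07 chrome www.googleapis.com /calendar/v3/calendars/CAL/events
2025-09-10T09:00:10 build-01 curl www.googleapis.com /storage/v1/b/bucket/o
"""

def find_periodic_calendar_clients(log_text, min_events=6, max_jitter=0.10):
    """Return {(source, process): median_interval_s} for clients polling the
    Calendar API at a near-constant interval (low coefficient of variation)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, proc, host, path = parts
        if host == CALENDAR_HOST and path.startswith(CALENDAR_PATH):
            times[(src, proc)].append(datetime.fromisoformat(ts))
    findings = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            findings[key] = statistics.median(gaps)
    return findings

if __name__ == "__main__":
    for (src, proc), interval in find_periodic_calendar_clients(SAMPLE_LOG).items():
        print(f"{src} {proc}: Calendar API polled every ~{interval:.0f}s")
```

Legitimate sync clients can also poll on a schedule, so a hit is a lead to correlate with the process identity and the service account in use, not a verdict on its own.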
